authorJaekyun Seok2018-04-17 21:24:15 -0500
committerJaekyun Seok2018-04-18 18:22:26 -0500
commit41e42d63fecf9c237337acea7e21a5da0683debe (patch)
tree0f5ce57163ecf66b81e49a0138ef05c94c69fe90
parent09ade7fce41115ce1bfbfa503229b8640b4dfdcc (diff)
Neverallow unexpected domains to access bluetooth_prop and wifi_prop
And this CL will remove unnecessary vendor-init exceptions for nfc_prop and radio_prop as well. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae
-rw-r--r--public/property.te69
1 files changed, 65 insertions, 4 deletions
diff --git a/public/property.te b/public/property.te
index 80453683..e5720d5e 100644
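--- a/public/property.te
+++ b/public/property.te
@@ -155,7 +155,6 @@ compatible_property_only(`
  -coredomain
  -appdomain
  -hal_nfc_server
- -vendor_init
  } {
  nfc_prop
  }:property_service set;
@@ -168,11 +167,57 @@ compatible_property_only(`
  -vendor_init
  } {
  exported_radio_prop
- exported2_radio_prop
  exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
  radio_prop
  }:property_service set;
 
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
 # Prevent properties from being read
  neverallow {
  domain
@@ -201,7 +246,6 @@ compatible_property_only(`
  -coredomain
  -appdomain
  -hal_nfc_server
- -vendor_init
  } {
  nfc_prop
  }:file no_rw_file_perms;
@@ -211,8 +255,25 @@ compatible_property_only(`
  -coredomain
  -appdomain
  -hal_telephony_server
- -vendor_init
  } {
  radio_prop
  }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
 ')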
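Review bot: The new bluetooth and wifi rules exempt the whole `hal_bluetooth` and `hal_wifi` attributes, while the nfc and radio rules in the same block exempt only `-hal_nfc_server` and `-hal_telephony_server`. If the broader attributes can also be attached to HAL client domains (this depends on the HAL macros, which are not visible here), the exemption lets more domains set and read `bluetooth_prop` and `wifi_prop` than the servers that need to. Consider using `-hal_bluetooth_server` and `-hal_wifi_server` in all six new rules (new lines 183-219 and 262-278). A one-line comment above the `exported_bluetooth_prop` and `exported_wifi_prop` rules, such as `# vendor_init may set only the exported_* properties`, would also record why `-vendor_init` appears there and not in the non-exported rules. The enclosing `compatible_property_only(` block starts outside the hunks.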