authorJaekyun Seok2018-04-05 13:32:58 -0500
committerJaekyun Seok2018-04-16 01:18:24 -0500
commit4de238e9b999f91a86d130638a8b70d306363bf9 (patch)
tree47bf16d2c81db7736b74743a009b90f67f65497a
parentba890071786e90500a67711fc4379f7afc02addb (diff)
Allow dumpstate to read property_type
dumpstate needs to read all the system properties for debugging. Bug: 77277669 Test: succeeded building and tested with taimen Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
-rw-r--r--public/domain.te2
-rw-r--r--public/dumpstate.te12
-rw-r--r--public/netd.te2
3 files changed, 4 insertions, 12 deletions
diff --git a/public/domain.te b/public/domain.te
index 31345be8..41e09033 100644
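--- a/public/domain.te
+++ b/public/domain.te
@@ -560,7 +560,7 @@ neverallow {
 } serialno_prop:file r_file_perms;
 
 # Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
 
 neverallow {
  domain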
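Review bot: The comment above the firstboot_prop rule still states an unconditional prohibition, but the neverallow now exempts dumpstate without saying why, so a later reader cannot tell a deliberate exception from an accident. Add a line such as `# dumpstate is exempt: it is granted get_prop on property_type so bug reports capture all properties.` The exemption appears to exist only so that the attribute-wide grant in public/dumpstate.te compiles. The same stale-comment problem applies to the neverallow changed in public/netd.te.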
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0fad5e10..88071577 100644
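--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -232,16 +232,8 @@ set_prop(dumpstate, exported_dumpstate_prop)
 # dumpstate_options_prop is used to pass extra command-line args.
 set_prop(dumpstate, dumpstate_options_prop)
 
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(dumpstate, bootloader_boot_reason_prop)
-get_prop(dumpstate, last_boot_reason_prop)
-get_prop(dumpstate, system_boot_reason_prop)
+# Read any system properties
+get_prop(dumpstate, property_type)
 
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its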
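Review bot: `get_prop(dumpstate, property_type)` is an attribute-wide grant, so it covers every property type that carries the attribute now or is added later, and the removed per-property rules no longer document what a bug report may contain. Because bug reports are typically shared off the device, consider subtracting the types that neverallow rules guard elsewhere, for example `get_prop(dumpstate, { property_type -netd_stable_secret_prop })`, which would leave the neverallow in public/netd.te untouched. This assumes get_prop passes its second argument straight into an allow rule; the macro definition is not on this page.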
diff --git a/public/netd.te b/public/netd.te
index 545ad7c1..72620723 100644
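--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,7 @@ neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
 
 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.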
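Review bot: Adding `-dumpstate` to this neverallow removes the compile-time guarantee that the comment directly above describes: persist.netd.stable_secret is meant never to reach another process, and dumpstate is now permitted to read it. If dumpstate's property dump includes the value (its code is not shown here), the RFC 7217 key would end up in bug report files that leave the device. Keeping the rule as `neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;` and excluding the type from dumpstate's grant avoids that; if the exemption must stay, dumpstate should redact the property and the comment should say so.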