authorShanshan Gio <shanshan.guo@mediatek.com>2020-04-02 18:47:03 +0800
committerShanshan Gio <shanshan.guo@mediatek.com>2020-04-08 20:49:25 +0800
commit941d09bdf1a039159618a297ef48b5a412070fb6 (patch)
tree879073abb0f60d5e9e153e901bbdc7f8d69934b6 /plat_private
parent0a4e6642b91c02755e95d6b894a8a54cc44e5253 (diff)
[ALPS05025406] SEPolicy: Modify prop context with naming conventions
[Detail] In AOSP/948386 and AOSP/1161048, there are new naming conventions for property contexts. The MTK sepolicies for properties need some modifications to follow them. [Solution] 1. Modify property contexts in non_plat/ to follow the new naming conventions. 2. Modify property contexts to end with the suffix _prop. 3. Remove unused property sepolicy. 4. Sort contexts in property.te. Change-Id: Ic300b217c1457d46fdcdec9034eb9ba8ac602c69 CR-Id: ALPS05025406 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Diffstat (limited to 'plat_private')
-rw-r--r--plat_private/boot_logo_updater.te5
-rw-r--r--plat_private/bootanim.te4
-rw-r--r--plat_private/cmddumper.te2
-rw-r--r--plat_private/emdlogger.te4
-rw-r--r--plat_private/lbs_dbg.te2
-rw-r--r--plat_private/mdlogger.te2
-rw-r--r--plat_private/mobile_log_d.te8
-rw-r--r--plat_private/mtkbootanimation.te4
-rw-r--r--plat_private/netdiag.te13
-rw-r--r--plat_private/platform_app.te3
-rw-r--r--plat_private/property_contexts6
11 files changed, 19 insertions, 34 deletions
diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te
index 62aa7f3..2370498 100644
--- a/plat_private/boot_logo_updater.te
+++ b/plat_private/boot_logo_updater.te
@@ -14,13 +14,10 @@ init_daemon_domain(boot_logo_updater)
# Date : WK14.32
# Operation : Migration
# Puration : set boot reason
-allow boot_logo_updater system_prop:property_service set;
+set_prop(boot_logo_updater, system_prop)
allow boot_logo_updater graphics_device:chr_file rw_file_perms;
-# For IPC communication
-allow boot_logo_updater init:unix_stream_socket connectto;
-allow boot_logo_updater property_socket:sock_file write;
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
allow boot_logo_updater block_device:dir search;
allow boot_logo_updater graphics_device:dir search;
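Review bot: `set_prop(boot_logo_updater, system_prop)` keeps write access to every property labelled `system_prop`, while the comment above it states the purpose as setting the boot reason only. The macro also pulls in `get_prop`, so the domain gains read access to that type, which the old `property_service set` rule did not grant. If the updater writes a single property, giving it its own type in property_contexts and using `set_prop(boot_logo_updater, <dedicated_boot_reason_prop>)` (placeholder name) would scope the grant. Which property it actually writes is not visible in this hunk, so confirm against the daemon source. The header comment's "Puration" also looks like a typo for "Purpose".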
diff --git a/plat_private/bootanim.te b/plat_private/bootanim.te
index 46fe429..76b93b0 100644
--- a/plat_private/bootanim.te
+++ b/plat_private/bootanim.te
@@ -15,9 +15,7 @@ allow bootanim audioserver_service:service_manager find;
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
-allow bootanim property_socket:sock_file write;
-allow bootanim init:unix_stream_socket connectto;
-allow bootanim debug_prop:property_service set;
+set_prop(bootanim, debug_prop)
# Date : WK14.46
# Operation : Migration
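Review bot: The comment over `set_prop(bootanim, debug_prop)` still reads "for opetator" and does not name the property bootanim sets, so the grant cannot be checked against a need. In AOSP `debug_prop` labels the whole `debug.` namespace, and the macro now adds read access on top of the set permission the old rules gave. I would replace the purpose line with something like `# Purpose : bootanim sets <debug.* property name> for operator customization`, filled in from the code. The same applies to the identical change in plat_private/mtkbootanimation.te.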
diff --git a/plat_private/cmddumper.te b/plat_private/cmddumper.te
index 01b5dc5..2c5b4d2 100644
--- a/plat_private/cmddumper.te
+++ b/plat_private/cmddumper.te
@@ -14,8 +14,6 @@ allow cmddumper sdcard_type:dir create_dir_perms;
allow cmddumper sdcard_type:file create_file_perms;
# modem logger socket access
-allow cmddumper init:unix_stream_socket connectto;
-allow cmddumper property_socket:sock_file { write read };
allow cmddumper platform_app:unix_stream_socket connectto;
allow cmddumper shell_exec:file { rx_file_perms };
allow cmddumper system_file:file x_file_perms;
diff --git a/plat_private/emdlogger.te b/plat_private/emdlogger.te
index 47a3d9c..4ab40f3 100644
--- a/plat_private/emdlogger.te
+++ b/plat_private/emdlogger.te
@@ -17,8 +17,6 @@ allow emdlogger sdcard_type:file { create_file_perms };
# modem logger socket access
-#allow emdlogger property_socket:sock_file write;
-#allow emdlogger init:unix_stream_socket connectto;
allow emdlogger platform_app:unix_stream_socket connectto;
allow emdlogger shell_exec:file { rx_file_perms };
allow emdlogger system_file:file execute_no_trans;
@@ -72,7 +70,7 @@ allow emdlogger sysfs_dt_firmware_android:dir { read open search };
allow emdlogger tmpfs:dir write;
allow emdlogger sysfs_dt_firmware_android:file { read open getattr };
allow emdlogger system_file:dir open;
-allow emdlogger vendor_default_prop:file { read getattr open };
+get_prop(emdlogger, vendor_default_prop)
## Android Q migration
## purpose: read modem db and filter folder and file
diff --git a/plat_private/lbs_dbg.te b/plat_private/lbs_dbg.te
index ec17037..78a1e19 100644
--- a/plat_private/lbs_dbg.te
+++ b/plat_private/lbs_dbg.te
@@ -36,7 +36,7 @@ allow lbs_dbg self:netlink_route_socket { bind create getattr write nlmsg_read r
allow lbs_dbg self:tcp_socket create_stream_socket_perms;
allow lbs_dbg self:udp_socket create_socket_perms;
-allow lbs_dbg hwservicemanager_prop:file read;
+get_prop(lbs_dbg, hwservicemanager_prop)
hal_client_domain(lbs_dbg, mtk_hal_lbs)
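Review bot: `get_prop(lbs_dbg, hwservicemanager_prop)` widens the old `file read` rule to `getattr open read map`, and nothing in the hunk says why lbs_dbg reads this property. If the access only supports hwbinder client use, the `hal_client_domain(lbs_dbg, mtk_hal_lbs)` line that follows may already grant it through the HAL client attribute. That is an inference, because the attribute's definition is not in this hunk; please confirm. Then either drop the explicit line or add a comment such as `# needed for hwservicemanager readiness check`.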
diff --git a/plat_private/mdlogger.te b/plat_private/mdlogger.te
index afa04ea..40d82f8 100644
--- a/plat_private/mdlogger.te
+++ b/plat_private/mdlogger.te
@@ -13,8 +13,6 @@ binder_use(mdlogger)
binder_service(mdlogger)
# modem logger socket access
-#allow mdlogger init:unix_stream_socket connectto;
-#allow mdlogger property_socket:sock_file write;
allow mdlogger platform_app:unix_stream_socket connectto;
allow mdlogger shell_exec:file { rx_file_perms };
allow mdlogger system_file:file x_file_perms;
diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te
index 1aaf99b..526bcb5 100644
--- a/plat_private/mobile_log_d.te
+++ b/plat_private/mobile_log_d.te
@@ -63,9 +63,9 @@ allow mobile_log_d toolbox_exec:file rx_file_perms;
allow mobile_log_d rootfs:file r_file_perms;
#dev/__properties__ access
-allow mobile_log_d device_logging_prop:file { getattr open };
-allow mobile_log_d mmc_prop:file { getattr open };
-allow mobile_log_d safemode_prop:file { getattr open };
+get_prop(mobile_log_d, device_logging_prop)
+get_prop(mobile_log_d, mmc_prop)
+get_prop(mobile_log_d, safemode_prop)
# purpose: allow MobileLog to access storage in N version
allow mobile_log_d media_rw_data_file:file create_file_perms;
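Review bot: The three `get_prop(mobile_log_d, ...)` lines turn grants of `{ getattr open }` into full `getattr open read map` on `device_logging_prop`, `mmc_prop` and `safemode_prop`. The old rules allowed opening the property files without reading them, which suggests they were added to quiet denials raised while enumerating /dev/__properties__ rather than for a real read. If that is the case, `dontaudit mobile_log_d { device_logging_prop mmc_prop safemode_prop }:file { getattr open };` would silence the noise without expanding access. If the daemon does read these values, the `#dev/__properties__ access` comment should name the properties and why. The first netdiag.te hunk makes the same conversion for the same three types.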
@@ -97,5 +97,5 @@ userdebug_or_eng(`
allow mobile_log_d netd:unix_stream_socket connectto;
allow mobile_log_d self:tcp_socket getopt;
allow mobile_log_d fwmarkd_socket:sock_file write;
- set_prop(mobile_log_d, mobile_log_post_prop)
+ set_prop(mobile_log_d, system_mtk_mobile_log_post_prop)
')
diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te
index 857b86d..425c166 100644
--- a/plat_private/mtkbootanimation.te
+++ b/plat_private/mtkbootanimation.te
@@ -59,9 +59,7 @@ allow mtkbootanimation audioserver_service:service_manager find;
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
-allow mtkbootanimation property_socket:sock_file write;
-allow mtkbootanimation init:unix_stream_socket connectto;
-allow mtkbootanimation debug_prop:property_service set;
+set_prop(mtkbootanimation, debug_prop)
# Date : WK14.46
# Operation : Migration
diff --git a/plat_private/netdiag.te b/plat_private/netdiag.te
index ec128a9..95a79b2 100644
--- a/plat_private/netdiag.te
+++ b/plat_private/netdiag.te
@@ -58,10 +58,10 @@ allow netdiag network_management_service:service_manager find;
allow netdiag settings_service:service_manager find;
# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
-allow netdiag device_logging_prop:file { getattr open };
-allow netdiag mmc_prop:file { getattr open };
+get_prop(netdiag, device_logging_prop)
+get_prop(netdiag, mmc_prop)
allow netdiag proc_net:dir { read open };
-allow netdiag safemode_prop:file { getattr open };
+get_prop(netdiag, safemode_prop)
allow netdiag toolbox_exec:file rx_file_perms;
# purpose: allow netdiag to access storage in new version
@@ -86,12 +86,11 @@ allow netdiag self:rawip_socket { getopt create };
allow netdiag self:udp_socket { ioctl create };
## Android P migration
-#avc: denied { open } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0"
-#avc: denied { getattr } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0"
-#avc: denied { open } for path="/dev/__properties__/u:object_r:atm_mdmode_prop:s0"
+#avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_mtk_atm_ipaddr_prop:s0"
+#avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_mtk_atm_ipaddr_prop:s0"
+#avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_mtk_atm_mdmode_prop:s0"
allow netdiag proc_qtaguid_stat:dir { read open search };
allow netdiag proc_qtaguid_stat:file { read getattr open };
-#allow netdiag vendor_default_prop:file { read getattr open map };
get_prop(netdiag, vendor_default_prop)
allow netdiag proc_net_tcp_udp:file getattr;
allow netdiag netd:binder call;
diff --git a/plat_private/platform_app.te b/plat_private/platform_app.te
index fbf84a9..80b9c4b 100644
--- a/plat_private/platform_app.te
+++ b/plat_private/platform_app.te
@@ -1,11 +1,10 @@
# ==============================================
-# MTK Policy Rule
+# MTK Policy Rule
# ==============================================
# SEPolicy Split
allow platform_app system_app_service:service_manager find;
-allow platform_app init:unix_stream_socket connectto;
# Date : WK17.29
# Stage: O Migration, SQC
diff --git a/plat_private/property_contexts b/plat_private/property_contexts
index c56ca1b..0933495 100644
--- a/plat_private/property_contexts
+++ b/plat_private/property_contexts
@@ -11,6 +11,6 @@ persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
#============system fingerprint property===========
ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
-vendor.MB.logpost u:object_r:mobile_log_post_prop:s0
-vendor.MB.logpost. u:object_r:mobile_log_post_prop:s0
-persist.vendor.MB.logpost u:object_r:mobile_log_post_prop:s0
+vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0
+vendor.MB.logpost. u:object_r:system_mtk_mobile_log_post_prop:s0
+persist.vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0