From 3ee4e77674ecce82dadfcf5c64d87ce6d65a88b0 Mon Sep 17 00:00:00 2001
From: Jiyong Park
Date: Tue, 15 May 2018 12:06:48 +0900
Subject: [PATCH] Temporarily whitelisting system domains writing vendor props
system properties must not be used as a communication channel in between system and vendor processes. However, there has been no enforcement on this: system process could write system properties that are owned and read by vendor processes and vice versa. Such communication should be done over hwbinder and should be formally specified in HIDL. Until we finish migrating the existing use cases of sysprops to HIDL, whitelisting them in system_writes_vendor_properties_violators so that the violators are clearly tracked. These violators are allowed only for P, but not for Q.
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I60b12f1232c77ad997c8c87e6d91baa14c626e94
---
sepolicy/private/ramoops.te | 1 +
sepolicy/vendor/bluetooth.te | 1 +
sepolicy/vendor/cameraserver.te | 1 +
sepolicy/vendor/charger.te | 1 +
sepolicy/vendor/gatekeeperd.te | 1 +
sepolicy/vendor/healthd.te | 1 +
sepolicy/vendor/radio.te | 1 +
sepolicy/vendor/surfaceflinger.te | 1 +
sepolicy/vendor/system_app.te | 1 +
sepolicy/vendor/system_server.te | 1 +
10 files changed, 10 insertions(+)
diff --git a/sepolicy/private/ramoops.te b/sepolicy/private/ramoops.te
index c7cea81d..534fa656 100644
--- a/sepolicy/private/ramoops.te
+++ b/sepolicy/private/ramoops.te
@@ -11,6 +11,7 @@ allow ramoops shell_exec:file rx_file_perms;
 allow ramoops toolbox_exec:file rx_file_perms;
 # Set the sys.ramoops.decrypted property
+typeattribute ramoops system_writes_vendor_properties_violators;
 set_prop(ramoops, ramoops_prop);
 allow ramoops sysfs_pstore:file rw_file_perms;
diff --git a/sepolicy/vendor/bluetooth.te b/sepolicy/vendor/bluetooth.te
index 6d70fab6..a71c1450 100644
--- a/sepolicy/vendor/bluetooth.te
+++ b/sepolicy/vendor/bluetooth.te
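Review bot: In ramoops.te the new `typeattribute` line sits between the comment `# Set the sys.ramoops.decrypted property` and the `set_prop(ramoops, ramoops_prop);` it describes, so the comment now reads as if it documented the violator tag. I would move the attribute above that comment and give it its own line, for example `# TODO(b/78598545): P-only exemption for the ramoops_prop write; remove once migrated to HIDL`. The system_app.te hunk has the same problem with the `# Needed by Settings app's CameraHalHdrplusPreferenceController` comment. Only part of ramoops.te is visible in this hunk.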
@@ -1,3 +1,4 @@
+typeattribute bluetooth system_writes_vendor_properties_violators;
 set_prop(bluetooth, vendor_bluetooth_prop)
 set_prop(bluetooth, wc_prop)
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
index d29d473d..594f22a9 100644
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -1,5 +1,6 @@
 allow cameraserver gpu_device:chr_file rw_file_perms;
+typeattribute cameraserver system_writes_vendor_properties_violators;
 set_prop(cameraserver, camera_prop)
 allow cameraserver sysfs_camera:file r_file_perms;
diff --git a/sepolicy/vendor/charger.te b/sepolicy/vendor/charger.te
index 3f30f35d..e8472810 100644
--- a/sepolicy/vendor/charger.te
+++ b/sepolicy/vendor/charger.te
@@ -1 +1,2 @@
+typeattribute charger system_writes_vendor_properties_violators;
 set_prop(charger, public_vendor_system_prop)
diff --git a/sepolicy/vendor/gatekeeperd.te b/sepolicy/vendor/gatekeeperd.te
index 647ede2a..e4bef11b 100644
--- a/sepolicy/vendor/gatekeeperd.te
+++ b/sepolicy/vendor/gatekeeperd.te
@@ -1 +1,2 @@
+typeattribute gatekeeperd system_writes_vendor_properties_violators;
 set_prop(gatekeeperd, keymaster_prop)
diff --git a/sepolicy/vendor/healthd.te b/sepolicy/vendor/healthd.te
index 5032bba8..6b22ced3 100644
--- a/sepolicy/vendor/healthd.te
+++ b/sepolicy/vendor/healthd.te
@@ -1 +1,2 @@
+typeattribute healthd system_writes_vendor_properties_violators;
 set_prop(healthd, public_vendor_system_prop)
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index 0868a3d9..b287bbbb 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,4 +1,5 @@
 get_prop(radio, ims_prop)
+typeattribute radio system_writes_vendor_properties_violators;
 userdebug_or_eng(`set_prop(radio, tel_mon_prop)')
 allow radio qmuxd_socket:dir search;
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
index 349151b6..636d98b4 100644
--- a/sepolicy/vendor/surfaceflinger.te
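Review bot: In bluetooth.te the tag is attached to the whole `bluetooth` domain, yet two writes follow it (`vendor_bluetooth_prop` and `wc_prop`) and nothing records which of them is the tracked violation. If the platform neverallow exempts `system_writes_vendor_properties_violators` per domain, as the commit message suggests, a vendor-property `set_prop` added to a tagged domain later would also build cleanly without being noticed. A comment above the attribute, such as `# TODO(b/78598545): P-only exemption; intended only for <property type(s)>`, would keep the scope auditable and make removal for Q straightforward. The cameraserver, charger, gatekeeperd, healthd, surfaceflinger and system_server hunks add the tag with no comment either.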
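Review bot: In radio.te the `typeattribute radio` line is unconditional, but the only write visible in this hunk, `set_prop(radio, tel_mon_prop)`, is wrapped in `userdebug_or_eng`; `get_prop(radio, ims_prop)` is a read. If that is radio's only vendor-property write, the tag can be scoped the same way so user builds stay under the neverallow: ``userdebug_or_eng(`typeattribute radio system_writes_vendor_properties_violators;')``. radio.te continues past the hunk, so an unconditional `set_prop` further down may justify the current form; worth confirming before merge.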
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -3,4 +3,5 @@ dontaudit surfaceflinger vendor_file:file read;
 dontaudit surfaceflinger kernel:system module_request;
 allow surfaceflinger debugfs_ion:dir search;
+typeattribute surfaceflinger system_writes_vendor_properties_violators;
 set_prop(surfaceflinger, public_vendor_system_prop)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index ac4ef9b6..c1ede120 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -3,6 +3,7 @@ userdebug_or_eng(`set_prop(system_app, tel_mon_prop)')
 # Needed by Settings app's CameraHalHdrplusPreferenceController
+typeattribute system_app system_writes_vendor_properties_violators;
 set_prop(system_app, camera_prop)
 # read regulatory info
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index 8e38725d..bcba87c3 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
@@ -23,6 +23,7 @@ dontaudit system_server untrusted_app:file write;
 dontaudit system_server hal_audio_default:file write;
 dontaudit system_server appdomain:file write;
+typeattribute system_server system_writes_vendor_properties_violators;
 set_prop(system_server, public_vendor_system_prop)
 dontaudit system_server self:capability sys_module;