authorStephen Smalley <sds@tycho.nsa.gov>2014-06-19 10:27:02 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2014-06-23 15:45:55 -0400
commitfee49159e760162b0e8ee5a4590c50a65b8e322f (patch)
tree3b066417abb880b6cde8024b707ba6b395e1dac9
parent0db95cce33b33259e87b41c7fa1807f562c2d7d1 (diff)
Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--dhcp.te2
-rw-r--r--init.te3
-rw-r--r--netd.te2
-rw-r--r--property.te4
-rw-r--r--property_contexts22
-rw-r--r--radio.te4
-rw-r--r--recovery.te3
-rw-r--r--rild.te5
-rw-r--r--system_app.te5
-rw-r--r--system_server.te4
-rw-r--r--unconfined.te1
11 files changed, 37 insertions, 18 deletions
diff --git a/dhcp.te b/dhcp.te
index 2e5b3d4..32a6ccc 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,7 @@ allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_prop:property_service set;
allow dhcp pan_result_prop:property_service set;
unix_socket_connect(dhcp, property, init)
diff --git a/init.te b/init.te
index c781849..191c570 100644
--- a/init.te
+++ b/init.te
@@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate };
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
+# Set any property.
+allow init property_type:property_service set;
+
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
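Review bot: `allow init property_type:property_service set;` is broader than the unconfineddomain rule this commit removes, which carved out security_prop (`{ property_type -security_prop }` in unconfined.te), and the comment `# Set any property.` does not say whether including security_prop is deliberate. If init has no property it must write under that label, tighten it to `allow init { property_type -security_prop }:property_service set;`. If it does, make the comment say so, e.g. `# Set any property, including security_prop: init is the property service and writes properties itself.` I cannot tell from the hunk which labels init actually writes, so this is a question to settle rather than a confirmed defect.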
diff --git a/netd.te b/netd.te
index 6fe1ad3..b7c30eb 100644
--- a/netd.te
+++ b/netd.te
@@ -31,7 +31,9 @@ allow netd sysfs:file write;
# Set dhcp lease for PAN connection
unix_socket_connect(netd, property, init)
+allow netd dhcp_prop:property_service set;
allow netd system_prop:property_service set;
+auditallow netd system_prop:property_service set;
# Connect to PAN
domain_auto_trans(netd, dhcp_exec, dhcp)
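Review bot: The new `auditallow netd system_prop:property_service set;` carries no comment saying what it is measuring or when it should be removed, and auditallow rules left in place without that tend to generate audit noise indefinitely. Suggest a line above it such as `# Audit remaining system_prop writes by netd now that dhcp. is dhcp_prop; drop the allow and this rule once none are logged.` The auditallow lines added in radio.te, rild.te and system_app.te have the same gap; there they audit the newly granted net_radio_prop/system_radio_prop writes, and a one-line comment stating the removal criterion would serve the same purpose.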
diff --git a/property.te b/property.te
index aa1c9a8..9d6f106 100644
--- a/property.te
+++ b/property.te
@@ -2,10 +2,12 @@ type default_prop, property_type;
type shell_prop, property_type;
type debug_prop, property_type;
type debuggerd_prop, property_type;
+type dhcp_prop, property_type;
type radio_prop, property_type;
+type net_radio_prop, property_type;
+type system_radio_prop, property_type;
type system_prop, property_type;
type vold_prop, property_type;
-type rild_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dhcp_pan_prop, property_type;
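Review bot: The three new types dhcp_prop, net_radio_prop and system_radio_prop are declared without any comment on who is meant to set them, so the intent recorded in the commit message is not visible to the next person editing property.te. Suggest `# dhcp. properties settable by dhcp or system` above `type dhcp_prop`, `# net. properties settable by radio or system` above `type net_radio_prop`, and `# sys. properties settable by radio or system` above `type system_radio_prop`, matching the contexts assigned in property_contexts.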
diff --git a/property_contexts b/property_contexts
index 76dcbc4..48f7fae 100644
--- a/property_contexts
+++ b/property_contexts
@@ -2,19 +2,17 @@
# property service keys
#
#
-net.rmnet u:object_r:radio_prop:s0
-net.gprs u:object_r:radio_prop:s0
-net.ppp u:object_r:radio_prop:s0
-net.qmi u:object_r:radio_prop:s0
-net.lte u:object_r:radio_prop:s0
-net.cdma u:object_r:radio_prop:s0
+net.rmnet u:object_r:net_radio_prop:s0
+net.gprs u:object_r:net_radio_prop:s0
+net.ppp u:object_r:net_radio_prop:s0
+net.qmi u:object_r:net_radio_prop:s0
+net.lte u:object_r:net_radio_prop:s0
+net.cdma u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_radio_prop:s0
+sys.usb.config u:object_r:system_radio_prop:s0
+ril. u:object_r:radio_prop:s0
gsm. u:object_r:radio_prop:s0
persist.radio u:object_r:radio_prop:s0
-net.dns u:object_r:radio_prop:s0
-sys.usb.config u:object_r:radio_prop:s0
-
-ril. u:object_r:rild_prop:s0
-ril.cdma u:object_r:radio_prop:s0
net. u:object_r:system_prop:s0
dev. u:object_r:system_prop:s0
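Review bot: The new entries depend on file order — `net.dns` and `sys.usb.config` are placed above the generic `net.` and `sys.` prefixes, and `ril.` now covers what `ril.cdma` used to — yet nothing in the file states that lookup is prefix-based with the earlier entry winning (assuming the property backend in use takes the first matching prefix; confirm against libselinux). Suggest a header comment such as `# Keys are matched by prefix and the first matching entry wins: keep specific keys above their generic prefix.` Under that same first-match assumption, the second hunk lists `dhcp.` (now dhcp_prop) above `dhcp.bt-pan.result`, which would shadow the pan_result_prop entry; that ordering predates this commit but is worth verifying while the dhcp. label is being changed.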
@@ -24,7 +22,7 @@ sys. u:object_r:system_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
service. u:object_r:system_prop:s0
wlan. u:object_r:system_prop:s0
-dhcp. u:object_r:system_prop:s0
+dhcp. u:object_r:dhcp_prop:s0
dhcp.bt-pan.result u:object_r:pan_result_prop:s0
bluetooth. u:object_r:bluetooth_prop:s0
diff --git a/radio.te b/radio.te
index 4f1df1f..d0018ea 100644
--- a/radio.te
+++ b/radio.te
@@ -19,6 +19,10 @@ allow radio alarm_device:chr_file rw_file_perms;
# Property service
allow radio radio_prop:property_service set;
+allow radio net_radio_prop:property_service set;
+allow radio system_radio_prop:property_service set;
+auditallow radio net_radio_prop:property_service set;
+auditallow radio system_radio_prop:property_service set;
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
diff --git a/recovery.te b/recovery.te
index 13c21c2..9ee3a04 100644
--- a/recovery.te
+++ b/recovery.te
@@ -77,6 +77,9 @@ recovery_only(`
allow recovery powerctl_prop:property_service set;
unix_socket_connect(recovery, property, init)
+ # Start/stop adbd via ctl.start adbd
+ allow recovery ctl_default_prop:property_service set;
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
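Review bot: `allow recovery ctl_default_prop:property_service set;` grants more than the comment `# Start/stop adbd via ctl.start adbd` describes: ctl_default_prop is the fallback label for every ctl.* control property without a dedicated type (property.te carves out only ctl_bootanim_prop, ctl_dhcp_pan_prop and similar), so recovery can start or stop any other service that lacks its own ctl type. If init labels control messages per service name, as the ctl_dhcp_pan_prop and ctl_rildaemon_prop entries suggest, a dedicated entry (constructed name) `ctl.adbd u:object_r:ctl_adbd_prop:s0` with a matching type would confine this to adbd. Otherwise reword the comment to state the real scope, e.g. `# ctl.* for any service without a dedicated ctl type; needed to start/stop adbd`. The enclosing recovery_only block starts outside the hunk.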
diff --git a/rild.te b/rild.te
index f272862..d8e48d5 100644
--- a/rild.te
+++ b/rild.te
@@ -26,8 +26,11 @@ allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
# property service
-allow rild rild_prop:property_service set;
allow rild radio_prop:property_service set;
+allow rild net_radio_prop:property_service set;
+allow rild system_radio_prop:property_service set;
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;
# Read/Write to uart driver (for GPS)
allow rild gps_device:chr_file rw_file_perms;
diff --git a/system_app.te b/system_app.te
index 5b9f8a0..eb5fa9f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -30,7 +30,10 @@ allow system_app dalvikcache_data_file:file { write setattr };
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
+allow system_app net_radio_prop:property_service set;
+allow system_app system_radio_prop:property_service set;
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
allow system_app system_prop:property_service set;
allow system_app ctl_bugreport_prop:property_service set;
allow system_app logd_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index 236f4c4..619e5f9 100644
--- a/system_server.te
+++ b/system_server.te
@@ -271,7 +271,9 @@ allow system_server anr_data_file:dir relabelto;
# Property Service write
allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
+allow system_server dhcp_prop:property_service set;
+allow system_server net_radio_prop:property_service set;
+allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
diff --git a/unconfined.te b/unconfined.te
index b3e374d..6b64fb9 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -109,4 +109,3 @@ allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain { property_type -security_prop }:property_service set;