commit 64f0be204b3c7e6fb77b034edd800124f4b1bf84
author Ken Chen <cken@google.com> Mon Feb 10 17:43:15 2020 +0800
committer Ken Chen <cken@google.com> Tue Feb 11 20:55:02 2020 +0800
tree db99030079aeb4d248ac7acdf6e02b7ec19dab0e
parent 036eb2518d5ee4ce8d2e200b3c46901f8bf0e6a3

Define sepolicy for redirect-socket-calls feature

Define two property_context.

1. vendor_socket_hook_prop - for ro.vendor.redirect_socket_calls. The
property set once in vendor_init context. It's evaluated at process
start time and is cannot change at runtime on a given device. The set
permission is restricted to vendor_init. The read permission is
unrestricted.

2. socket_hook_prop - for net.redirect_socket_calls.hooked. The
property can be changed by System Server at runtime. It's evaluated when
shimmed socket functions is called. The set permission is restricted to
System Server. The read permission is unrestricted.

Bug: Bug: 141611769
Test: System Server can set net.redirect_socket_calls.hooked
      libnetd_client can read both properties
      libnetd_client can't set both properties

Change-Id: Ic42269539923e6930cc0ee3df8ba032797212395

private/compat/26.0/26.0.ignore.cil

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 51e7b5c..acca2b1 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -146,6 +146,7 @@
     simpleperf_app_runner
     simpleperf_app_runner_exec
     slice_service
+    socket_hook_prop
     staging_data_file
     stats
     stats_data_file
@@ -199,6 +200,7 @@
     vendor_apex_file
     vendor_init
     vendor_shell
+    vendor_socket_hook_prop
     vndk_prop
     vold_metadata_file
     vold_prepare_subdirs

private/compat/27.0/27.0.ignore.cil

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a8d64bd..80eb3dd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -133,6 +133,7 @@
     simpleperf_app_runner
     simpleperf_app_runner_exec
     slice_service
+    socket_hook_prop
     stats
     stats_data_file
     stats_exec
@@ -177,6 +178,7 @@
     vendor_init
     vendor_security_patch_level_prop
     vendor_shell
+    vendor_socket_hook_prop
     vndk_prop
     vold_metadata_file
     vold_prepare_subdirs

private/compat/28.0/28.0.ignore.cil

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index de62740..6eb84bb 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -123,6 +123,7 @@
     server_configurable_flags_data_file
     simpleperf_app_runner
     simpleperf_app_runner_exec
+    socket_hook_prop
     su_tmpfs
     super_block_device
     sysfs_fs_f2fs
@@ -150,6 +151,7 @@
     vendor_keylayout_file
     vendor_misc_writer
     vendor_misc_writer_exec
+    vendor_socket_hook_prop
     vendor_task_profiles_file
     vndk_prop
     vrflinger_vsync_service

private/compat/29.0/29.0.ignore.cil

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index feb098b..718f02b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -70,6 +70,7 @@
     service_manager_service
     simpleperf
     snapshotctl_log_data_file
+    socket_hook_prop
     soundtrigger_middleware_service
     sysfs_dm_verity
     system_config_service
@@ -92,4 +93,5 @@
     vendor_incremental_module
     vendor_install_recovery
     vendor_install_recovery_exec
+    vendor_socket_hook_prop
     virtual_ab_prop))

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 4e74fee..de2a064 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -604,6 +604,7 @@
 set_prop(system_server, exported_overlay_prop)
 set_prop(system_server, pm_prop)
 set_prop(system_server, exported_pm_prop)
+set_prop(system_server, socket_hook_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
@@ -1135,3 +1136,6 @@
 # system_server cannot use this access to read perf event data like process stacks.
 allow system_server self:perf_event { open write cpu kernel };
 neverallow system_server self:perf_event ~{ open write cpu kernel };
+
+# Do not allow any domain other than init or system server to set the property
+neverallow { domain -init -system_server } socket_hook_prop:property_service set;

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index f2af7b1..551e24e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -105,6 +105,8 @@
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
 get_prop(domain, logd_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 
 # Binder cache properties are world-readable

public/property.te

diff --git a/public/property.te b/public/property.te
index e987906..26ccdf0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -68,6 +68,7 @@
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
 system_restricted_prop(restorecon_prop)
+system_restricted_prop(socket_hook_prop)
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
@@ -113,6 +114,7 @@
 system_vendor_config_prop(userspace_reboot_config_prop)
 system_vendor_config_prop(vehicle_hal_prop)
 system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
 system_vendor_config_prop(vndk_prop)
 system_vendor_config_prop(virtual_ab_prop)
 

public/property_contexts

diff --git a/public/property_contexts b/public/property_contexts
index 621c2dd..6349ad9 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -218,6 +218,7 @@
 libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
 libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
 libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
 persist.sys.locale u:object_r:exported_system_prop:s0 exact string
 persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
 persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
@@ -274,6 +275,7 @@
 ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
 ro.revision u:object_r:exported2_default_prop:s0 exact string
 ro.secure u:object_r:exported_secure_prop:s0 exact int
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
 service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
 sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
 sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool