commit 7b8be35ddfc1d53f20b857d39be04b15b9971181
author Tom Cherry <tomcherry@google.com> Thu May 03 17:00:16 2018 -0700
committer Tom Cherry <tomcherry@google.com> Tue May 22 13:47:16 2018 -0700
tree cc7a9f33b051dc8ea695ecfe16ec18a9f1459a26
parent 98f83b67cc58730c95a70e83ada68e29ecd8ef89

Finer grained permissions for ctl. properties

Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e9e6264553fcc8a58b86f4f21a092468c)

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 1b27432..32be0b3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -104,6 +104,16 @@
 ctl.console             u:object_r:ctl_console_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
 
+# Don't allow blind access to all services
+ctl.sigstop_on$         u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$        u:object_r:ctl_sigstop_prop:s0
+ctl.start$              u:object_r:ctl_start_prop:s0
+ctl.stop$               u:object_r:ctl_stop_prop:s0
+ctl.restart$            u:object_r:ctl_restart_prop:s0
+ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0