Tags: android, android-source, selinux

How to allow system_app to set vendor_default_prop, or mtk_hal_camera (in the vnd partition) to get system_prop?


I tried to set a persist prop from a system_app and get it from the mtk_hal_camera process. I tried two ways; neither worked:

  1. system_app can set system_prop, but mtk_hal_camera fails to get system_prop:

09-30 15:04:09.248 7781 7781 W HwBinder:7781_2: type=1400 audit(0.0:520169): avc: denied { read } for name="u:object_r:system_prop:s0" dev="tmpfs" ino=385 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:system_prop:s0 tclass=file permissive=0

The system_prop is something like persist.sys.foo.

I tried to add allow mtk_hal_camera system_prop:file { read }; in the file:

device/mediatek/sepolicy/custom/module/camera/non_plat/mtk_hal_camera.te

but it resulted in a compile error:

2023-10-16 11:16:29 neverallow check failed at out_vnd_hal/target/product/mgvi_64_nfc_armv82/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:22518 from system/sepolicy/private/property.te:150
2023-10-16 11:16:29 (neverallow base_typeattr_733 base_typeattr_743 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open watch watch_mount watch_sb watch_with_perm watch_reads)))
2023-10-16 11:16:29
2023-10-16 11:16:29 allow at out_vnd_hal/target/product/mgvi_64_nfc_armv82/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_sepolicy.cil:12983
2023-10-16 11:16:29 (allow mtk_hal_camera system_prop_31_0 (file (read)))

  2. mtk_hal_camera can get vendor_default_prop, but system_app fails to set vendor_default_prop:

2023-10-01 19:45:35.156 1-1/? W//system/bin/init: type=1107 audit(0.0:6250): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.camera.foo pid=13714 uid=1000 gid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0'

The vendor_default_prop is something like persist.vendor.camera.foo.

I tried to add allow system_app vendor_default_prop:file { write }; in the file:

device/mediatek/sepolicy/custom/module/camera/non_plat/system_app.te

Again, it resulted in a compile error:

2023-10-14 22:31:31 libsepol.report_failure: neverallow on line 507 of system/sepolicy/public/domain.te (or line 12716 of policy.conf) violated by allow system_app vendor_default_prop:file { write };
2023-10-14 22:31:32 libsepol.check_assertions: 1 neverallow failures occurred


Solution

  • You should use the macro system_public_prop or system_restricted_prop to define a new prop type; it will not break the neverallow rule.

    # define a new prop type in property.te 
    system_public_prop(mtk_camera_prop)
    
    # label the prop in property_contexts
    persist.vendor.camera.foo  u:object_r:mtk_camera_prop:s0 exact int
    
    # allow system_app to set
    set_prop(system_app, mtk_camera_prop)
    
    # allow vendor to read
    get_prop(mtk_hal_camera, mtk_camera_prop)