From 5b09c30fde023b937a16995696cce448fb3dd819 Mon Sep 17 00:00:00 2001
From: Michael Bestas
Date: Mon, 10 Feb 2025 17:29:26 +0200
Subject: [PATCH] Restrict access to custom properties
Change-Id: I2e8b74701ec3f3ac9f41c0bdb79646d65b90ff6a
---
 common/private/property.te | 6 ++++++
 common/private/property_contexts | 9 +++++++++
 common/private/recovery.te | 3 +++
 common/private/shell.te | 1 +
 common/private/system_app.te | 6 ++++++
 common/private/updater_app.te | 1 +
 6 files changed, 26 insertions(+)
 create mode 100644 common/private/shell.te
diff --git a/common/private/property.te b/common/private/property.te
index 4965d4d..12ec366 100644
--- a/common/private/property.te
+++ b/common/private/property.te
@@ -1,2 +1,8 @@
+# Custom legal URL
+system_internal_prop(legal_url_prop)
+
+# Custom version
+system_internal_prop(custom_version_prop)
+
 # Recovery update
 system_internal_prop(recovery_update_prop)
diff --git a/common/private/property_contexts b/common/private/property_contexts
index af7e1b4..0ff9b62 100644
--- a/common/private/property_contexts
+++ b/common/private/property_contexts
@@ -5,6 +5,15 @@ vendor.camera.aux.packagelist u:object_r:vendor_persist_camera_prop:s0
 # Bluetooth
 bluetooth.hci.disabled_commands u:object_r:bluetooth_config_prop:s0
+# Custom legal URL
+ro.lineagelegal.url u:object_r:legal_url_prop:s0
+
+# Custom version
+ro.lineage.version u:object_r:custom_version_prop:s0
+ro.lineage.display.version u:object_r:custom_version_prop:s0
+ro.lineage.build.version u:object_r:custom_version_prop:s0
+ro.lineage.releasetype u:object_r:custom_version_prop:s0
+
 # Radio
 ro.telephony.use_old_mnc_mcc_format u:object_r:telephony_config_prop:s0
diff --git a/common/private/recovery.te b/common/private/recovery.te
index cd1649a..7d9fae9 100644
--- a/common/private/recovery.te
+++ b/common/private/recovery.te
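Review bot: In property.te the comments on the two new types (`# Custom legal URL`, `# Custom version`) do not record why `system_internal_prop` was chosen, which is the part a later maintainer needs. As I understand the macro, it keeps the type unreadable outside system (core) domains, so every reader has to be granted `get_prop` explicitly, and this commit grants recovery, shell, system_app and updater_app. I would say so in the comment, e.g. `# Custom version: system-only; readers are granted get_prop individually`. It is also worth checking the `avc: denied` log of a test build for any other domain that read these properties under their previous label, since a denied read presumably just looks like an unset property to the caller.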
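Review bot: In property_contexts the five added entries have no match or type column, so each is treated as a prefix match and the label applies to any property name that starts with the listed string, not only to the property named. Since the point of the commit is to restrict access, pinning them is tighter, e.g. `ro.lineage.version u:object_r:custom_version_prop:s0 exact string`, and likewise for the other four. The neighbouring context entries use the same two-column form, so this would be a deliberate departure from the file's current style.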
@@ -3,6 +3,9 @@ userdebug_or_eng(`
 permissive recovery;
 ')
+# Custom version
+get_prop(recovery, custom_version_prop)
+
 # Volume manager
 r_dir_file(recovery, sdcard_type)
 allow recovery block_device:dir create_dir_perms;
diff --git a/common/private/shell.te b/common/private/shell.te
new file mode 100644
index 0000000..680ff78
--- /dev/null
+++ b/common/private/shell.te
@@ -0,0 +1 @@
+get_prop(shell, custom_version_prop)
diff --git a/common/private/system_app.te b/common/private/system_app.te
index c4fe514..3c0dd7b 100644
--- a/common/private/system_app.te
+++ b/common/private/system_app.te
@@ -1,3 +1,9 @@
+# Allow Settings to read custom legal URL
+get_prop(system_app, legal_url_prop)
+
+# Allow Settings/LineageParts to read custom version
+get_prop(system_app, custom_version_prop)
+
 # Allow Settings to read ro.vendor.build.security_patch
 get_prop(system_app, vendor_security_patch_level_prop)
diff --git a/common/private/updater_app.te b/common/private/updater_app.te
index 373c97a..d1c50e0 100644
--- a/common/private/updater_app.te
+++ b/common/private/updater_app.te
@@ -23,6 +23,7 @@ allow updater_app cache_recovery_file:file create_file_perms;
 allow updater_app ota_package_file:dir create_dir_perms;
 allow updater_app ota_package_file:file create_file_perms;
+get_prop(updater_app, custom_version_prop)
 get_prop(updater_app, default_prop)
 get_prop(updater_app, build_prop)
-- 
GitLab
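Review bot: The new shell.te grants `get_prop(shell, custom_version_prop)` with no comment, unlike the recovery.te and system_app.te additions, so the reason the adb shell domain is allowed to read the property is not recorded. I would put `# Allow adb shell to read custom version` above the rule; presumably the intent is that `getprop` on the version properties keeps working from a shell, but that should be confirmed by the author. The `get_prop(updater_app, custom_version_prop)` line in updater_app.te is uncommented as well, though there it matches its uncommented neighbours.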