From 06cef4ff15f58f56d909c618da55fb236b76117a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 4 Oct 2017 13:12:25 -0700
Subject: [PATCH] Neverallow write access to /sys files for untrusted apps

Test: build aosp_sailfish
Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2
---
 private/app_neverallows.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7638d368f..53638f7df 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -57,6 +57,9 @@ neverallow all_untrusted_apps file_type:file link;
 # Do not allow untrusted apps to access network MAC address file
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
 
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
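Review bot: The new neverallow at the `sysfs_type:file no_w_file_perms` line is only as complete as the `sysfs_type` attribute: any device-specific label assigned to a /sys path that is declared without `sysfs_type` falls outside the rule, and the comment above it reads as an absolute guarantee. I would extend the comment to make that dependency explicit, e.g. `# Do not allow any write access to files in /sys. Relies on every label under /sys carrying the sysfs_type attribute; device policy must not introduce sysfs labels without it.` It is also worth noting in the commit description that this subsumes the write half of the `sysfs_mac_address` rule directly above, since `sysfs_mac_address` is itself a `sysfs_type`, so the older rule now only adds the read-side denial. The rule is scoped to class `file`; if any /sys attribute is exposed under another file class, that class is not covered and would need its own neverallow.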
-- 
GitLab