From 09fddac1d7e8b24ed5e3d17a66cc7d76016486f9 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Wed, 20 Dec 2017 16:27:53 -0800
Subject: [PATCH] Disallow sysfs_leds to coredomains.

Bug: 70846424
Test: neverallow not tripped
Change-Id: I9e351ee906162a594930b5ab300facb5fe807f13
---
 private/coredomain.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/private/coredomain.te b/private/coredomain.te
index 244c83cb8..c8f2b1dc5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,2 +1,17 @@
 get_prop(coredomain, pm_prop)
 get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+    coredomain
+    -init
+    -vendor_init
+
+    # generic access to sysfs_type
+    -ueventd
+    -vold
+    -priv_app
+    -storaged
+    -system_app
+} sysfs_leds:file *;
+')
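Review bot: The five exemptions under `# generic access to sysfs_type` (`-ueventd`, `-vold`, `-priv_app`, `-storaged`, `-system_app`) leave those domains outside the new restriction, and the comment does not say whether that is intended or a temporary carve-out. Two of them are app domains, so it is worth recording the intent, for example `# TODO: exempted only because of broad sysfs_type allow rules; narrow those rules and drop these exemptions`. Keep any such comment free of apostrophes and backticks, since the block sits inside the m4 quotes of `full_treble_only`. Separately, the rule names only the `file` class, so `lnk_file` access to `sysfs_leds` is presumably not constrained by it. If links should be covered too, the last line could read `} sysfs_leds:{ file lnk_file } *;`.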
-- 
GitLab