Neverallow isolated and untrusted apps to write system properties

and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7

app.te

@@ -278,8 +278,6 @@ neverallow appdomain socket_device:sock_file write;
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
 neverallow appdomain installd_socket:sock_file write;
-neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
-    property_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
 neverallow appdomain vold_socket:sock_file write;
 neverallow appdomain zygote_socket:sock_file write;
@@ -385,10 +383,6 @@ neverallow { appdomain -system_app -shell }
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
 
-# Ability to set system properties.
-neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
-    property_type:property_service set;
-
 # prevent creation/manipulation of globally readable symlinks
 neverallow appdomain {
   apk_data_file

isolated_app.te

@@ -29,6 +29,10 @@ allow isolated_app self:process ptrace;
 ##### Neverallow
 #####
 
+# Do not allow isolated_app to set system properties.
+neverallow isolated_app property_socket:sock_file write;
+neverallow isolated_app property_type:property_service set;
+
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
 

untrusted_app.te

@@ -142,3 +142,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted_app to set system properties.
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app property_type:property_service set;