From 32c4a27cf5d7f83b035a66f7da49867bba5efa81 Mon Sep 17 00:00:00 2001 From: Nick Kralevich <nnk@google.com> Date: Fri, 6 Jan 2017 10:28:54 -0800 Subject: [PATCH] Refine rules for accessing /dev/__properties__ Don't allow processes to list out the contents of the directory /dev/__properties__. This is an implementation specific detail that shouldn't be visible to processes. Test: Device boots and no problems reading individual properties. Test: ls -la /dev/__properties__ fails Change-Id: I4df6a829b0d22e30fb2c38030c690fc4a356f6a3 --- public/domain.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/public/domain.te b/public/domain.te index af4d03e35..fdfcf94c9 100644 --- a/public/domain.te +++ b/public/domain.te @@ -77,7 +77,7 @@ allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms; allow domain ptmx_device:chr_file rw_file_perms; allow domain alarm_device:chr_file r_file_perms; allow domain random_device:chr_file rw_file_perms; -allow domain properties_device:dir r_dir_perms; +allow domain properties_device:dir { search getattr }; allow domain properties_serial:file r_file_perms; # For now, everyone can access core property files -- GitLab