From 32c4a27cf5d7f83b035a66f7da49867bba5efa81 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 6 Jan 2017 10:28:54 -0800
Subject: [PATCH] Refine rules for accessing /dev/__properties__

Don't allow processes to list out the contents of the directory
/dev/__properties__. This is an implementation-specific detail that
shouldn't be visible to processes.

Test: Device boots and no problems reading individual properties.
Test: ls -la /dev/__properties__ fails
Change-Id: I4df6a829b0d22e30fb2c38030c690fc4a356f6a3
---
 public/domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index af4d03e35..fdfcf94c9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -77,7 +77,7 @@ allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:dir r_dir_perms;
+allow domain properties_device:dir { search getattr };
 allow domain properties_serial:file r_file_perms;
 
 # For now, everyone can access core property files
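Review bot: Nothing in this hunk keeps the narrowed `properties_device:dir` rule from being widened again, because an `allow` for a specific domain in another .te file can still grant `read`/`open` on the directory and the policy build will accept it. If directory listing is meant to stay hidden, a `neverallow` next to the new rule would enforce that at build time, for example `neverallow { domain -init } properties_device:dir { open read };`. The exemption set there is a guess, since the domains that create or populate the directory are not visible in this hunk. A one-line comment above the new rule, such as `# Property files are looked up by name; listing the directory is not needed.`, would also record why it no longer uses `r_dir_perms`.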
-- 
GitLab