From 4432c6355af55118e94f9260962089f345cba21c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 25 Mar 2016 13:59:55 -0700
Subject: [PATCH] Make sure neverallow rules also cover other property types

(cherrypicked from commit 45737b9f583c0805ea11ed1702e118b4fa720cdb)

There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.

Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
---
 domain.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index b0d018e3a..dfc555886 100644
--- a/domain.te
+++ b/domain.te
@@ -271,9 +271,12 @@ neverallow {
 
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
 
-# Only the init property service should write to /data/property.
+# Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;
+neverallow { domain -init } property_type:file no_w_file_perms;
+neverallow { domain -init } properties_device:file no_w_file_perms;
+neverallow { domain -init } properties_serial:file no_w_file_perms;
 
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
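Review bot: The new rules constrain properties_device only at the :file class, while the updated comment now claims /dev/__properties__ is covered; unlike property_data_file on the line above (which gets both a :dir no_w_dir_perms and a :file no_w_file_perms neverallow), nothing here forbids a non-init domain from holding directory write permissions on properties_device, which is what unlinking, renaming or creating entries under /dev/__properties__ requires. Unless a matching directory rule exists elsewhere in domain.te, I would add `neverallow { domain -init } properties_device:dir no_w_dir_perms;` next to the three new file rules so the assertion matches the comment. The file-class rules themselves look consistent: property_type is presumably the attribute carried by the per-property types from property_contexts, so covering it plus properties_device and properties_serial is the right set. The trailing `neverallow { domain -recovery }` statement at the end of the hunk continues outside the hunk and was not reviewed.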
-- 
GitLab