From 52059055688ddd4d697ef9f59eea9c388ef7a1d0 Mon Sep 17 00:00:00 2001
From: Jaekyun Seok <jaekyun@google.com>
Date: Tue, 30 Jan 2018 11:18:47 +0900
Subject: [PATCH] Add neverallow rules to restrict reading radio_prop

This CL will allow only specific components to read radio_prop.

Bug: 72459527
Test: tested with walleye
Change-Id: I6b6c90870987de976187ff675005c5d964b48cda
---
 public/property.te | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/public/property.te b/public/property.te
index f5ca4d863..5c3426411 100644
--- a/public/property.te
+++ b/public/property.te
@@ -183,10 +183,19 @@ compatible_property_only(`
     exported3_default_prop
     exported3_system_prop
     -debug_prop
-    -fingerprint_prop
     -logd_prop
     -nfc_prop
     -powerctl_prop
     -radio_prop
   }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -rild
+    -vendor_init
+  } {
+    radio_prop
+  }:file no_rw_file_perms;
 ')
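Review bot: The removal of `-fingerprint_prop` from the exclusion list at the top of the hunk is not covered by the commit message, which only mentions radio_prop. With that exclusion gone, fingerprint_prop presumably falls under the same read restriction as the other listed types (assuming it belongs to one of the type sets named above the hunk), so it deserves its own line in the description or a separate change. The new radio_prop rule also has no comment; adding `# Only coredomain, appdomain, rild and vendor_init may read radio_prop.` above the second `neverallow {` would record who is exempt, and the reason for exempting rild and vendor_init belongs next to it. Because all of coredomain and appdomain are exempt, the rule only bounds the remaining (vendor-side) domains, and app access to radio_prop still depends on allow rules that are not visible here. The first neverallow and the enclosing `compatible_property_only(` block both start outside the hunk, so the new rule is presumably checked only on builds where that macro expands.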
-- 
GitLab