From 59c23d78c894198f39d9af563f17c05fb266ec3e Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Tue, 29 Sep 2015 17:01:03 -0700
Subject: [PATCH] neverallow: non-property types property_service set

To prevent assigning non-property types to properties, introduce
a neverallow that prevents non-property_type types from being set.

Change-Id: Iba9b5988fe0b6fca4a79ca1d467ec50539479fd5
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/domain.te b/domain.te
index 34aa48f55..7324738e9 100644
--- a/domain.te
+++ b/domain.te
@@ -534,3 +534,6 @@ neverallow domain ~service_manager_type:service_manager { add find };
 
 # logpersist is only allowed on userdebug/eng builds
 neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
+
+# Prevent assigning non property types to properties
+neverallow domain ~property_type:property_service set;
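Review bot: The added neverallow on the last line of the hunk only constrains source types that carry the `domain` attribute, so an allow rule whose source sits outside `domain` would still compile. If the intent is that no rule may grant `set` on a non-property type, `neverallow * ~property_type:property_service set;` states that directly. The comment could also say what the rule catches, for example `# property_service set is only valid on types with the property_type attribute; fail the build if a rule targets any other type`. This check covers allow rules only, so it is worth confirming separately that every type assigned in property_contexts carries `property_type`.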
-- 
GitLab