Add tests for compatible property (1/2)

The feature of compatible property has its own neverallow rules and it is enforced on devices launchig with Android P. This CL changes hal_nfc to hal_nfc_server in neverallow rules because sepolicy-analyze doesn't recognize it. Additionally one more neverallow rule is added to restrict reading nfc_prop. Bug: 72013705 Bug: 72678352 Test: 'run cts -m CtsSecurityHostTestCases' on walleye with ro.product.first_api_level=28 Change-Id: I753cc81f7ca0e4ad6a2434b2a047052678f57671

Add tests for compatible property (1/2)
64ade65d · Jaekyun Seok · 4c19b3d1 · 64ade65d · 64ade65d
Commit 64ade65d authored 7 years ago by Jaekyun Seok
--- a/Android.mk
+++ b/Android.mk
@@ -701,6 +701,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)

--- a/public/property.te
+++ b/public/property.te
@@ -148,7 +148,7 @@ compatible_property_only(`
    domain
    -coredomain
    -appdomain
-    -hal_nfc
+    -hal_nfc_server
    -vendor_init
  } {
    nfc_prop
@@ -189,6 +189,16 @@ compatible_property_only(`
    -radio_prop
  }:file no_rw_file_perms;

+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_nfc_server
+    -vendor_init
+  } {
+    nfc_prop
+  }:file no_rw_file_perms;
+
  neverallow {
    domain
    -coredomain