From 99d86c7a77d402a106a1b3fe57af06dbb231c750 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 9 Jul 2014 18:58:04 -0700
Subject: [PATCH] ensure that untrusted_app can't set properties

Bug: 10243159
Change-Id: I9409fe8898c446a33515f1bee2990f36a2e11535
---
 untrusted_app.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/untrusted_app.te b/untrusted_app.te
index 35b32487e..720e8f27b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -76,3 +76,9 @@ neverallow untrusted_app debugfs:file read;
 # Only trusted components of Android should be registering
 # services.
 neverallow untrusted_app service_manager_type:service_manager add;
+
+# Don't allow untrusted_apps to connect to the property service
+# or set properties. b/10243159
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app init:unix_stream_socket connectto;
+neverallow untrusted_app property_type:property_service set;
-- 
GitLab