Fix compatible property neverallows

The current neverallow rules for compatible properties restrict domains from write file permissions to the various property files. This however is the wrong restriction, since only init actually writes to these property files. The correct restriction is to restrict 'set' for 'property_service' as this change does. Note there is already a restriction preventing {domain -init} from writing to these files in domain.te. Test: build Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09

Fix compatible property neverallows
eed2e84a · Tom Cherry · 24e8eff3 · eed2e84a
Commit eed2e84a authored 7 years ago by Tom Cherry
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@ neverallow * {
 }:file no_rw_file_perms;

 compatible_property_only(`
+# Prevent properties from being set
  neverallow {
    domain
    -coredomain
@@ -129,19 +130,43 @@ compatible_property_only(`
    exported_dumpstate_prop
    exported_ffs_prop
    exported_fingerprint_prop
-    exported_radio_prop
    exported_system_prop
    exported_system_radio_prop
    exported_vold_prop
    exported2_config_prop
    exported2_default_prop
-    exported2_radio_prop
    exported2_system_prop
    exported2_vold_prop
    exported3_default_prop
    exported3_system_prop
-  }:file no_w_file_perms;
+    -nfc_prop
+    -powerctl_prop
+    -radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_nfc
+    -vendor_init
+  } {
+    nfc_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -rild
+    -vendor_init
+  } {
+    exported_radio_prop
+    exported2_radio_prop
+    radio_prop
+  }:property_service set;

+# Prevent properties from being read
  neverallow {
    domain
    -coredomain