From 45737b9f583c0805ea11ed1702e118b4fa720cdb Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 25 Mar 2016 13:59:55 -0700
Subject: [PATCH] Make sure neverallow rules also cover other property types

There are now individual property files to control access to properties.
Don't allow processes other than init to write to these property files.

Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
---
 domain.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 34faafda8..eea677ef1 100644
--- a/domain.te
+++ b/domain.te
@@ -288,9 +288,12 @@ neverallow {
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
 
-# Only the init property service should write to /data/property.
+# Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
 neverallow { domain -init } property_data_file:file no_w_file_perms;
+neverallow { domain -init } property_type:file no_w_file_perms;
+neverallow { domain -init } properties_device:file no_w_file_perms;
+neverallow { domain -init } properties_serial:file no_w_file_perms;
 
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set