Merge "Neverallow unexpected domains to access bluetooth_prop and wifi_prop" into pi-dev

2018-04-20 05:07:56 +00:00 · 2018-04-20 05:07:56 +00:00 · 5faa0c2af7
commit 5faa0c2af7
parent ad3529a855 dce86b3cc6
1 changed files with 65 additions and 4 deletions
--- a/public/property.te
+++ b/public/property.te
@ -154,7 +154,6 @@ compatible_property_only(`
    -coredomain
    -appdomain
    -hal_nfc_server
-    -vendor_init
  } {
    nfc_prop
  }:property_service set;
@ -167,11 +166,57 @@ compatible_property_only(`
    -vendor_init
  } {
    exported_radio_prop
-    exported2_radio_prop
    exported3_radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+  } {
+    exported2_radio_prop
    radio_prop
  }:property_service set;

+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth
+  } {
+    bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth
+    -vendor_init
+  } {
+    exported_bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi
+    -wificond
+  } {
+    wifi_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi
+    -wificond
+    -vendor_init
+  } {
+    exported_wifi_prop
+  }:property_service set;
+
 # Prevent properties from being read
  neverallow {
    domain
@ -200,7 +245,6 @@ compatible_property_only(`
    -coredomain
    -appdomain
    -hal_nfc_server
-    -vendor_init
  } {
    nfc_prop
  }:file no_rw_file_perms;
@ -210,8 +254,25 @@ compatible_property_only(`
    -coredomain
    -appdomain
    -hal_telephony_server
-    -vendor_init
  } {
    radio_prop
  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth
+  } {
+    bluetooth_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi
+    -wificond
+  } {
+    wifi_prop
+  }:file no_rw_file_perms;
 ')