From 796ec5f0cb3a395cfba28f79f31af1dde0bd11a0 Mon Sep 17 00:00:00 2001
From: Jaewan Kim
Date: Fri, 1 Sep 2023 06:00:45 +0000
Subject: [PATCH] Set neverallow for hypervisor test properties

Bug: 298306391
Change-Id: I754af47d063bb26549cd1793951b09262cadd95a
Test: TH
---
 private/virtualizationmanager.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 095a27d38..68dc8bc39 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -68,10 +68,12 @@ get_prop(virtualizationmanager, hypervisor_restricted_prop)
 # Allow virtualizationmanager to be read custom pvmfw.img configuration
 userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
 dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
 
 # Allow virtualizationmanager to be read custom virtualizationmanager configuration
 userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
 dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
 
 # Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
 unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
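Review bot: The two added neverallow rules repeat the same source set and differ only in the property type, so they read more clearly as one rule with a type set: `neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } { hypervisor_pvmfw_prop hypervisor_virtualizationmanager_prop }:file no_rw_file_perms;`. Neither rule says why init and dumpstate are exempted or that on user builds the rule also locks out virtualizationmanager itself (the matching get_prop is userdebug_or_eng-only, so the exclusion is dropped there), which is the property the patch exists to enforce; a comment above the rule such as `# Test-only properties: readable only by virtualizationmanager on userdebug/eng builds; init owns them and dumpstate collects them for bugreports.` would record that intent for the next reader. If the dumpstate exemption is deliberate, that comment should say so, since it presumably means the values of these test-only properties end up in bugreports.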