Fix vendor defining macros and neverallows

init and dumpstate should be able to access all properties, but they are
in coredomain, so neverallow rules for vendor properties should be
changed in order to avoid conflicts.

Bug: 145339613
Test: add vendor_internal_prop manually and build.
Change-Id: If582870f855e4444f8ac0d091696c0c7fd833791

public/property.te

@@ -234,6 +234,7 @@ treble_sysprop_neverallow(`
 
 neverallow { domain -coredomain } {
   system_property_type
+  system_internal_property_type
   -system_restricted_property_type
   -system_public_property_type
 }:file no_rw_file_perms;
@@ -243,25 +244,20 @@ neverallow { domain -coredomain } {
   -system_public_property_type
 }:property_service set;
 
-neverallow { domain -coredomain } {
-  system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
   vendor_property_type
+  vendor_internal_property_type
   -vendor_restricted_property_type
   -vendor_public_property_type
 }:file no_rw_file_perms;
 
-neverallow coredomain {
+neverallow { coredomain -init } {
   vendor_property_type
   -vendor_public_property_type
 }:property_service set;
 
-neverallow coredomain {
-  vendor_internal_property_type
-}:file no_rw_file_perms;
-
 ')
 
 # There is no need to perform ioctl or advisory locking operations on

public/te_macros

@@ -772,7 +772,7 @@ define(`define_prop', `
 define(`system_internal_prop', `
   define_prop($1, system, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -785,7 +785,7 @@ define(`system_internal_prop', `
 define(`system_restricted_prop', `
   define_prop($1, system, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -804,7 +804,7 @@ define(`system_public_prop', `define_prop($1, system, public)')
 define(`product_internal_prop', `
   define_prop($1, product, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -817,7 +817,7 @@ define(`product_internal_prop', `
 define(`product_restricted_prop', `
   define_prop($1, product, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -836,7 +836,8 @@ define(`product_public_prop', `define_prop($1, product, public)')
 define(`vendor_internal_prop', `
   define_prop($1, vendor, internal)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -849,7 +850,8 @@ define(`vendor_internal_prop', `
 define(`vendor_restricted_prop', `
   define_prop($1, vendor, restricted)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+    neverallow { coredomain -init } $1:property_service set;
   ')
 ')