Prevent non-system apps from read ro.usb.uvc.enabled

ro.us.uvc.enabled should not be readable from apps that can't or shouldn't act on UVC support. This means all non-system apps. This CL adds an explicit neverallow rule to prevent all appdomains (except system_app and device_as_webcam). Bug: 242344221 Bug: 242344229 Test: Build passes, manually confirmed that non-system apps cannot access the property Change-Id: I1a40c3c3cb10cebfc9ddb791a06f26fcc9342ed9
2023-02-01 15:56:40 -08:00 · 2023-02-01 15:56:40 -08:00 · e2cb0f2813
commit e2cb0f2813
parent e0929241a1
1 changed files with 7 additions and 0 deletions
--- a/private/property.te
+++ b/private/property.te
@ -687,3 +687,10 @@ neverallow {
  -init
  -vendor_init
 } usb_uvc_enabled_prop:property_service set;
+
+# Disallow non system apps from reading ro.usb.uvc.enabled
+neverallow {
+  appdomain
+  -system_app
+  -device_as_webcam
+} usb_uvc_enabled_prop:file no_rw_file_perms;