property files: remove ioctl and lock

They are unneeded. Test: device boots and no obvious problems. Change-Id: Ib788a89645c893c8c36acbe7fb34ce93bf6a57d7

property files: remove ioctl and lock
They are unneeded. Test: device boots and no obvious problems. Change-Id: Ib788a89645c893c8c36acbe7fb34ce93bf6a57d7
0e791073 · Nick Kralevich · ae079b88 · 0e791073 · 0e791073 · 0e791073
Commit 0e791073 authored 6 years ago by Nick Kralevich
--- a/public/init.te
+++ b/public/init.te
@@ -20,7 +20,7 @@ userdebug_or_eng(`
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
 # /dev/__properties__/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;

--- a/public/property.te
+++ b/public/property.te
@@ -101,6 +101,12 @@ allow property_type tmpfs:filesystem associate;
 ### Neverallow rules
 ###
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
 # core_property_type should not be used for new properties or
 # device specific properties. Properties with this attribute
 # are readable to everyone, which is overly broad and should

--- a/public/te_macros
+++ b/public/te_macros
@@ -323,7 +323,7 @@ get_prop($1, $2)
 # targetproperty.
 #
 define(`get_prop', `
-allow $1 $2:file r_file_perms;
+allow $1 $2:file { getattr open read map };
 ')
 #####################################