From 0e79107309a9ceb5a4096acea87cca404730950c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 10 Oct 2018 09:02:12 -0700
Subject: [PATCH] property files: remove ioctl and lock

They are unneeded.

Test: device boots and no obvious problems.
Change-Id: Ib788a89645c893c8c36acbe7fb34ce93bf6a57d7
---
 public/init.te     | 2 +-
 public/property.te | 6 ++++++
 public/te_macros   | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/public/init.te b/public/init.te
index 215246ba9..02a0dfe7c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -20,7 +20,7 @@ userdebug_or_eng(`
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
 # /dev/__properties__/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
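Review bot: The new `allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };` line carries no comment explaining why the macro was abandoned, so a later reader is likely to collapse it back into create_file_perms and trip the neverallow this commit adds in property.te. A one-line comment above it would preserve the intent, e.g. `# create_file_perms minus ioctl/lock, which the property_type neverallow in property.te forbids.` The hand-expanded list also stops tracking any future additions to create_file_perms, which is worth stating so the divergence is recognised as deliberate rather than drift. The get_prop() change in te_macros has the same gap; its header comment could note that ioctl and lock are intentionally omitted from the r_file_perms set.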
diff --git a/public/property.te b/public/property.te
index eb1fef85f..0457300e0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -101,6 +101,12 @@ allow property_type tmpfs:filesystem associate;
 ### Neverallow rules
 ###
 
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
 # core_property_type should not be used for new properties or
 # device specific properties. Properties with this attribute
 # are readable to everyone, which is overly broad and should
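Review bot: The comment above the new neverallow names only r_file_perms as the likely cause, but the init.te change in this same commit shows that create_file_perms (and presumably the rw_file_perms / w_file_perms it is built from) also grant lock, so a domain that writes property files trips the rule too. Widening the hint would spare the next author a policy-compile round-trip, e.g. `# likely that the policy is using r_file_perms, rw_file_perms or` / `# create_file_perms directly instead of the get_prop() macro or an` / `# explicit permission list.` The neverallow is scoped to `domain`, which is the broadest attribute, so every such mistake anywhere in the policy will surface here; that is worth saying in the comment as well.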
diff --git a/public/te_macros b/public/te_macros
index def7b4679..e756f3668 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -323,7 +323,7 @@ get_prop($1, $2)
 # targetproperty.
 #
 define(`get_prop', `
-allow $1 $2:file r_file_perms;
+allow $1 $2:file { getattr open read map };
 ')
 
 #####################################
-- 
GitLab