From dce86b3cc64d5bfd145b51436a46560a9fe86d79 Mon Sep 17 00:00:00 2001
From: Jaekyun Seok <jaekyun@google.com>
Date: Wed, 18 Apr 2018 11:24:15 +0900
Subject: [PATCH] Neverallow unexpected domains to access bluetooth_prop and
 wifi_prop

And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae
Merged-In: I468b8fd907c6408f51419cfb58eb2b8da29118ae
(cherry picked from commit 41e42d63fecf9c237337acea7e21a5da0683debe)
---
 public/property.te | 69 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 65 insertions(+), 4 deletions(-)

diff --git a/public/property.te b/public/property.te
index f757936d7..0e2980988 100644
--- a/public/property.te
+++ b/public/property.te
@@ -154,7 +154,6 @@ compatible_property_only(`
     -coredomain
     -appdomain
     -hal_nfc_server
-    -vendor_init
   } {
     nfc_prop
   }:property_service set;
@@ -167,11 +166,57 @@ compatible_property_only(`
     -vendor_init
   } {
     exported_radio_prop
-    exported2_radio_prop
     exported3_radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+  } {
+    exported2_radio_prop
     radio_prop
   }:property_service set;
 
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth
+  } {
+    bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth
+    -vendor_init
+  } {
+    exported_bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi
+    -wificond
+  } {
+    wifi_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi
+    -wificond
+    -vendor_init
+  } {
+    exported_wifi_prop
+  }:property_service set;
+
 # Prevent properties from being read
   neverallow {
     domain
@@ -200,7 +245,6 @@ compatible_property_only(`
     -coredomain
     -appdomain
     -hal_nfc_server
-    -vendor_init
   } {
     nfc_prop
   }:file no_rw_file_perms;
@@ -210,8 +254,25 @@ compatible_property_only(`
     -coredomain
     -appdomain
     -hal_telephony_server
-    -vendor_init
   } {
     radio_prop
   }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth
+  } {
+    bluetooth_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi
+    -wificond
+  } {
+    wifi_prop
+  }:file no_rw_file_perms;
 ')
-- 
GitLab