commit 080c579d47d27243a1779a9b9c8f28ee15943b60
author Sandro <sandrom@google.com> Thu Nov 03 14:44:35 2022 +0000
committer Sandro <sandrom@google.com> Fri Nov 04 09:34:22 2022 +0000
tree 1d00ca07b740073a80ab85eca171005574204c4a
parent 8a909eb966df701235fc03f40e180ff5831dbd87

Move get_prop rules from public/app.te to private/app.te

This way we can prevent private types (e.g., sdk_sandbox) from accessing
those properties.

Bug: 210811873
Test: m -j, boot device
Change-Id: I55e3a4b76cabb6f47cee0972e6bad30565f0db7a

private/app.te

diff --git a/private/app.te b/private/app.te
index 005a078..ae8b206 100644
--- a/private/app.te
+++ b/private/app.te
@@ -52,6 +52,12 @@
 get_prop(appdomain, device_config_runtime_native_prop)
 get_prop(appdomain, device_config_runtime_native_boot_prop)
 
+# Allow to read ro.vendor.camera.extensions.enabled
+get_prop(appdomain, camera2_extensions_prop)
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
+
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
 # Prevent apps from causing presubmit failures.

public/app.te

diff --git a/public/app.te b/public/app.te
index de3d0ca..9ce0255 100644
--- a/public/app.te
+++ b/public/app.te
@@ -233,9 +233,3 @@
     { open read write append execute execute_no_trans map };
 neverallow appdomain system_bootstrap_lib_file:dir
     { open read getattr search };
-
-# Allow to read ro.vendor.camera.extensions.enabled
-get_prop(appdomain, camera2_extensions_prop)
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)