Add sepolicy for microdroid_config_prop sysprops Bug: 260361248 Bug: 260005615 Test: m Change-Id: I50f7c0040ce6d315a3dc910c4f0b412d244a7449

commit: 1cf4d77af891f128c65559c742ec264197368bad [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Sun Nov 27 01:11:39 2022 +0000
committer: Nikita Ioffe <ioffe@google.com> Mon Nov 28 13:43:42 2022 +0000
tree: a8d6077d775e7bb4661cefe122a68b4ace476bed
parent: cbb11911487862a45afdb5306beb85bf136e79ba [diff] [blame]
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index a02a7f2..733bb33 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te

@@ -39,3 +39,16 @@
   domain
   -init
 } apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} microdroid_config_prop:property_service set;
+
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} microdroid_config_prop:file no_rw_file_perms;
commit	1cf4d77af891f128c65559c742ec264197368bad	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Sun Nov 27 01:11:39 2022 +0000
committer	Nikita Ioffe <ioffe@google.com>	Mon Nov 28 13:43:42 2022 +0000
tree	a8d6077d775e7bb4661cefe122a68b4ace476bed
parent	cbb11911487862a45afdb5306beb85bf136e79ba [diff] [blame]