Add apexd_config_prop type
This type is used for properties that provide per-device configuration
for apexd behaviour (so far - timeouts for creating/deleting dm device).
Test: builds
Bug: 182296338
Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
diff --git a/private/property.te b/private/property.te
index e435628..9ec2a1a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -601,3 +601,15 @@
-init
-shell
} rollback_test_prop:property_service set;
+
+# Only init and vendor_init are allowed to set apexd_config_prop
+neverallow { domain -init -vendor_init } apexd_config_prop:property_service set;
+
+# apexd_config properties should only be read by apexd, and dumpstate (to appear in bugreports).
+neverallow {
+ domain
+ -apexd
+ -init
+ -dumpstate
+ -vendor_init
+} apexd_config_prop:file no_rw_file_perms;
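Review bot: The comment above the second neverallow says the properties should only be read by apexd and dumpstate, but the rule under it also exempts `init` and `vendor_init` from the read restriction. I would reword it to `# apexd_config properties should only be read by apexd, init, vendor_init, and dumpstate (to appear in bugreports).` so the documented read set matches what the assertion actually enforces. Because `vendor_init` may set these values, they are vendor-controlled input to apexd, and a short comment saying so would help whoever later adds properties beyond timeouts under this type. These are neverallow assertions only; the type declaration, property_contexts entry and allow-side rules are presumably in other files of this change and are not visible in this hunk.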