Use attributes for exclusive property owners
tests/sepolicy_tests.py has been checking whether the property owner
attributes are mutually exclusive. This is because current policy
language can't express the following snippet:
neverallow domain {
system_property_type && vendor_property_type
}:file no_rw_file_perms;
neverallow domain {
system_property_type && vendor_property_type
}:property_service set;
This uses technical_debt.cil to work around this.
Bug: 171437654
Test: Try to compile a type having both system_property_type and
vendor_property_type
Change-Id: Ic65f2d00aa0f2fb7f5d78331b0a26e733fcd128e
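As an added illustration of the point in the message above (not the contents of this change's technical_debt.cil, which is not shown here): CIL's attribute-set expressions can name the intersection of two attributes directly, which the .te policy language cannot; the attribute name is the one the patch uses, everything else is assumed for illustration.

```cil
; Added example, not the project's own file: declare an attribute that will
; stand for "types carrying both property-owner attributes".
(typeattribute system_and_vendor_property_type)

; CIL set expressions (and/or/not/xor) apply to attribute sets, so the
; intersection can be expressed in one statement. Any type that ends up in
; this set is then caught by the neverallow in private/property.te.
(typeattributeset system_and_vendor_property_type
    (and (system_property_type) (vendor_property_type)))
```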
diff --git a/private/property.te b/private/property.te
index 480d3e3..1163a3c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -537,3 +537,7 @@
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;
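Review bot: the added `neverallow domain system_and_vendor_property_type:{file property_service} *;` references `system_and_vendor_property_type`, but nothing in this diff declares that attribute or assigns types to it, and the commit message says the conjunction is built in technical_debt.cil, which is not part of the visible change. Either include the CIL declaration in the same change or extend the new comment to state that the attribute is populated from technical_debt.cil, so a reader of property.te can see why the intersection is defined outside the .te language and where to look for it.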