Merge "Fix vendor defining macros and neverallows"
diff --git a/public/property.te b/public/property.te
index 33e2ed4..8abd404 100644
--- a/public/property.te
+++ b/public/property.te
@@ -234,6 +234,7 @@
 
 neverallow { domain -coredomain } {
   system_property_type
+  system_internal_property_type
   -system_restricted_property_type
   -system_public_property_type
 }:file no_rw_file_perms;
@@ -243,25 +244,20 @@
   -system_public_property_type
 }:property_service set;
 
-neverallow { domain -coredomain } {
-  system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
   vendor_property_type
+  vendor_internal_property_type
   -vendor_restricted_property_type
   -vendor_public_property_type
 }:file no_rw_file_perms;
 
-neverallow coredomain {
+neverallow { coredomain -init } {
   vendor_property_type
   -vendor_public_property_type
 }:property_service set;
 
-neverallow coredomain {
-  vendor_internal_property_type
-}:file no_rw_file_perms;
-
 ')
 
 # There is no need to perform ioctl or advisory locking operations on
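Review bot: Exempting dumpstate from the `:file no_rw_file_perms` neverallow at the `neverallow { coredomain -init -dumpstate }` line also drops the compile-time guarantee that dumpstate cannot be granted write access to these vendor property files, even though the comment above it says dumpstate only needs to read them. If read is all that is intended, a narrower companion rule keeps the write guarantee, e.g. `neverallow dumpstate { vendor_property_type vendor_internal_property_type -vendor_restricted_property_type -vendor_public_property_type }:file no_w_file_perms;` (assuming the existing `no_w_file_perms` macro from global_macros). The same exemption appears in the `vendor_internal_prop` macro hunk in public/te_macros. The enclosing `treble_sysprop_neverallow(` block opens before this hunk.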
diff --git a/public/te_macros b/public/te_macros
index 88e71d8..9672227 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -772,7 +772,7 @@
 define(`system_internal_prop', `
   define_prop($1, system, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -785,7 +785,7 @@
 define(`system_restricted_prop', `
   define_prop($1, system, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -804,7 +804,7 @@
 define(`product_internal_prop', `
   define_prop($1, product, internal)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
   ')
 ')
 
@@ -817,7 +817,7 @@
 define(`product_restricted_prop', `
   define_prop($1, product, restricted)
   treble_sysprop_neverallow(`
-    neverallow {domain -coredomain} $1:property_service set;
+    neverallow { domain -coredomain } $1:property_service set;
   ')
 ')
 
@@ -836,7 +836,8 @@
 define(`vendor_internal_prop', `
   define_prop($1, vendor, internal)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
   ')
 ')
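Review bot: The comment `# init and dumpstate are in coredomain, but should be able to read all props.` is placed at column 0 inside the otherwise indented macro body; indent it to match the neverallow it describes, and the same for the `# init is in coredomain, but should be able to write all props.` line in the `vendor_restricted_prop` hunk below. The wording also understates the effect, since the exemption lifts the whole `no_rw_file_perms` neverallow rather than only read; something like `# init and dumpstate are in coredomain but are exempt from this neverallow (init needs rw, dumpstate needs read).` states what the rule actually does.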
 
@@ -849,7 +850,8 @@
 define(`vendor_restricted_prop', `
   define_prop($1, vendor, restricted)
   treble_sysprop_neverallow(`
-    neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+    neverallow { coredomain -init } $1:property_service set;
   ')
 ')