microdroid: Narrow property permissions

microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 58942b6..799ac3c 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,11 @@
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_console_prop
+ ctl_default_prop
+ ctl_fuse_prop
+}:property_service set;
+
###
### Neverallow rules
###
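Review bot: the new dontaudit at the top of property.te is scoped to all of `domain`, so every `property_service set` denial on `ctl_console_prop`, `ctl_default_prop` and `ctl_fuse_prop` is dropped from the audit log, including one from a domain that was never expected to touch these types. The comment says only "the newer permission check" should appear, but it does not name that check or say where a denied ctl. request will be reported instead. Please add that to the comment so someone debugging a rejected ctl. property write in microdroid knows which denial to look for. It would also help to say why exactly these three types are listed, so the list can be kept in step if the set of ctl property types changes.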