Add tests for compatible property (1/2)
The compatible property feature has its own neverallow rules, which
are enforced on devices launching with Android P.
This CL changes hal_nfc to hal_nfc_server in neverallow rules because
sepolicy-analyze doesn't recognize hal_nfc. Additionally one more
neverallow rule is added to restrict reading nfc_prop.
Bug: 72013705
Bug: 72678352
Test: 'run cts -m CtsSecurityHostTestCases' on walleye with
ro.product.first_api_level=28
Change-Id: I753cc81f7ca0e4ad6a2434b2a047052678f57671
diff --git a/Android.mk b/Android.mk
index 759efe1..aa6e07c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -701,6 +701,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
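Review bot: The added `PRIVATE_COMPATIBLE_PROPERTY := cts` line has no comment, and `cts` is a sentinel rather than a boolean, so a reader cannot tell what it switches on in the policy built for CTS. Presumably `transform-policy-to-conf` forwards the value to the policy macros, but that definition is outside the hunk; it should be confirmed there that `cts` enables the compatible-property neverallow rules and is not silently treated as "unset". I would add a line above it such as `# Compile the compatible-property neverallows into the policy that CTS checks.`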
diff --git a/public/property.te b/public/property.te
index 5c34264..e400332 100644
--- a/public/property.te
+++ b/public/property.te
@@ -148,7 +148,7 @@
domain
-coredomain
-appdomain
- -hal_nfc
+ -hal_nfc_server
-vendor_init
} {
nfc_prop
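Review bot: Replacing `-hal_nfc` with `-hal_nfc_server` in this exemption list is not necessarily a pure rename, because the two attributes need not cover the same domains. Any domain that carried `hal_nfc` without being a server would now fall under the neverallow. The commit message gives the reason (sepolicy-analyze does not recognize `hal_nfc`), but nothing in the file records it, so a later cleanup could switch it back and break the CTS check. A comment above the rule would preserve that, for example `# Use hal_nfc_server, not hal_nfc: sepolicy-analyze, used by the CTS neverallow test, does not recognize hal_nfc.` The neverallow statement begins and ends outside this hunk.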
@@ -193,6 +193,16 @@
domain
-coredomain
-appdomain
+ -hal_nfc_server
+ -vendor_init
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
-rild
-vendor_init
} {
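Review bot: The new `nfc_prop:file no_rw_file_perms` rule repeats by hand the exemption list (`-coredomain -appdomain -hal_nfc_server -vendor_init`) of the earlier nfc_prop rule in the hunk at line 148, so the two lists have to be kept in step whenever an exemption changes. It also removes read access, not only write access, so any other vendor domain that reads nfc_prop will fail the check wherever these rules are enforced. A comment above the rule should say both, e.g. `# Outside core and app domains, only the NFC HAL server and vendor_init may read nfc_prop; keep the exemptions in sync with the nfc_prop rule above.` The enclosing block starts outside the hunk, so it cannot be confirmed from here that the rule sits in the section limited to compatible-property devices.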