Minimize microdroid public policy
Mirror the corresponding rules in core sepolicy.
Bug: 232023812
Test: atest MicrodroidHostTests MicrodroidTests
Change-Id: I704f8da4656d3bacf327792a2445d15aba8ecf2a
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 98c483a..daf6185 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -18,6 +18,11 @@
ctl_fuse_prop
}:property_service set;
+allow property_type tmpfs:filesystem associate;
+
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
+
###
### Neverallow rules
###
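Review bot: The two dontaudit rules on default_prop carry no comment, and their effect is security-relevant: any property that is missing from property_contexts gets the default_prop label, and with these rules a non-init domain that reads or sets it is denied without an avc record, so a forgotten label shows up as a silent runtime failure rather than a logged denial. A one-line rationale above L15 would save the next maintainer a debugging session, e.g. `# Unlabeled properties fall back to default_prop; suppress the denial noise, but note that a missing property_contexts entry then fails silently — add the label, never an allow rule.` The `allow property_type tmpfs:filesystem associate;` line likewise deserves a why-comment; presumably it is needed because the property area lives on a tmpfs mount, but that is not stated here and should be confirmed against where microdroid mounts it. The enclosing neverallow section header at L18-L20 continues past this hunk.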
@@ -67,3 +72,7 @@
domain
-init
} non_existing_prop:property_service set;
+
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
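Review bot: The init carve-out in both neverallow rules is unexplained, and since the same `{ domain -init }` set is dontaudit'ed earlier in this file, a reader cannot tell from the comment whether init is exempt by design or by oversight. These neverallows are checked at policy-compile time only, so they stop a policy author from granting default_prop access but do nothing about runtime attempts from domains that simply lack a rule; the comment should say which failure mode it guards against. A wording such as `# Properties must be explicitly labeled in property_contexts; only init (which owns the property area) may touch the default_prop fallback, and policy that grants it to anything else is rejected at build time.` would make the intent explicit — the "owns the property area" part is my inference and should be confirmed before committing it.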