Enforce sysprop owner Every property should have an appropriate owner attribute, which can be one of: system_property_type, product_property_type, or vendor_property_type. This will be enforced for devices launching with S or later. Devices launching with R or eariler can relax this by setting following under BoardConfig.mk: BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true Bug: 131162102 Test: system/sepolicy/tools/build_policies.sh Change-Id: I7914ef1b7463c9ec00812b9720094531fd63f0c7

commit: afc09932f6fa07c5f6beffbcdc2bb4691e527321 [log] [tgz]
author: Inseob Kim <inseob@google.com> Mon Sep 28 13:32:43 2020 +0900
committer: Inseob Kim <inseob@google.com> Mon Oct 19 05:07:05 2020 +0000
tree: 6d78c24d48ee68aa797c401051fdbc1178987f81
parent: dd5c5d796041bbf191777dca907d25c5fb2c4206 [diff] [blame]
diff --git a/private/property.te b/private/property.te
index bc1934d..09e93e9 100644
--- a/private/property.te
+++ b/private/property.te

@@ -24,13 +24,14 @@
 
 treble_sysprop_neverallow(`
 
-# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow domain {
-#   property_type
-#   -system_property_type
-#   -product_property_type
-#   -vendor_property_type
-# }:file no_rw_file_perms;
+enforce_sysprop_owner(`
+  neverallow domain {
+    property_type
+    -system_property_type
+    -product_property_type
+    -vendor_property_type
+  }:file no_rw_file_perms;
+')
 
 neverallow { domain -coredomain } {
   system_property_type
commit	afc09932f6fa07c5f6beffbcdc2bb4691e527321	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Mon Sep 28 13:32:43 2020 +0900
committer	Inseob Kim <inseob@google.com>	Mon Oct 19 05:07:05 2020 +0000
tree	6d78c24d48ee68aa797c401051fdbc1178987f81
parent	dd5c5d796041bbf191777dca907d25c5fb2c4206 [diff] [blame]