Merge "Do not allow new additions to core_property_type"
diff --git a/public/property.te b/public/property.te
index e4b8d6e..e64ebcd 100644
--- a/public/property.te
+++ b/public/property.te
@@ -43,3 +43,42 @@
type wifi_prop, property_type;
allow property_type tmpfs:filesystem associate;
+
+###
+### Neverallow rules
+###
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -bluetooth_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
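Review bot: The comment block above the `neverallow` states the policy but not how the rule enforces it, so a maintainer who hits the resulting build failure gets no hint about the cause or the expected fix. As written, the rule appears to work only indirectly: because the attribute is "readable to everyone", any type newly tagged `core_property_type` inherits read access on class `file` and collides with `no_rw_file_perms`. If that blanket read grant (not visible in this hunk) is ever narrowed, the check would presumably stop catching new additions without any error. I would add `# This check relies on the blanket read access granted to core_property_type; revisit it if that grant changes.` and `# The exclusions below are the frozen legacy set. Do not extend this list; give new properties a dedicated type with its own access rules.`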