Prevent non-system apps from reading ro.usb.uvc.enabled
ro.usb.uvc.enabled should not be readable from apps that can't or
shouldn't act on UVC support. This means all non-system apps. This CL
adds an explicit neverallow rule to prevent all appdomains (except
system_app and device_as_webcam).
Bug: 242344221
Bug: 242344229
Test: Build passes, manually confirmed that non-system apps cannot
access the property
Change-Id: I1a40c3c3cb10cebfc9ddb791a06f26fcc9342ed9
diff --git a/private/property.te b/private/property.te
index 5383300..4f806d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -687,3 +687,10 @@
-init
-vendor_init
} usb_uvc_enabled_prop:property_service set;
+
+# Disallow non system apps from reading ro.usb.uvc.enabled
+neverallow {
+ appdomain
+ -system_app
+ -device_as_webcam
+} usb_uvc_enabled_prop:file no_rw_file_perms;
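Review bot: The comment above the added neverallow says "non system apps", but the exemption set in the rule is system_app and device_as_webcam, so the comment understates who is still permitted. Suggest rewording it along the lines of "Only system_app and device_as_webcam may access ro.usb.uvc.enabled". "Access" also fits better than "reading", because no_rw_file_perms asserts against write-side file permissions as well as reads. A neverallow is checked when the policy is compiled and does not itself deny anything at runtime, so the behaviour described in the Test line depends on no allow rule granting these domains access to usb_uvc_enabled_prop:file; it would help to say in the commit message that the existing rules for this property type were reviewed with that in mind.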