diff --git a/app.te b/app.te
index 9a86d1c1e..7de624b7a 100644
--- a/app.te
+++ b/app.te
@@ -278,8 +278,6 @@ neverallow appdomain socket_device:sock_file write;
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
 neverallow appdomain installd_socket:sock_file write;
-neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
- property_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
 neverallow appdomain vold_socket:sock_file write;
 neverallow appdomain zygote_socket:sock_file write;
@@ -385,10 +383,6 @@ neverallow { appdomain -system_app -shell }
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
-# Ability to set system properties.
-neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
- property_type:property_service set;
-
 # prevent creation/manipulation of globally readable symlinks
 neverallow appdomain { apk_data_file
diff --git a/isolated_app.te b/isolated_app.te
index 2cf557895..9bcb018ca 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -29,6 +29,10 @@ allow isolated_app self:process ptrace;
 ##### Neverallow
 #####
+# Do not allow isolated_app to set system properties.
+neverallow isolated_app property_socket:sock_file write;
+neverallow isolated_app property_type:property_service set;
+
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
diff --git a/untrusted_app.te b/untrusted_app.te
index 5d48970aa..055844341 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
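Review bot: The two new isolated_app rules narrow the guarantee that the removed app.te rules gave: those asserted the restriction for every member of appdomain except the listed exceptions (-bluetooth -radio -shell -system_app -nfc), while the replacements assert it only for isolated_app here and for untrusted_app in the untrusted_app.te hunk, so any other appdomain member that was not an exception no longer has a compile-time check against property_socket:sock_file write or property_type:property_service set. Whether isolated_app and untrusted_app are the only appdomain members outside the old exception list cannot be told from this diff. If the narrowing is intended, record it next to the new rules, e.g. `# Replaces the appdomain-wide neverallow formerly in app.te; other app domains are now only constrained by their allow rules.`; otherwise keep an appdomain-level neverallow with a deliberate exception list so the assertion still covers domains added later. The same applies to the untrusted_app.te hunk.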
@@ -142,3 +142,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted_app to set system properties.
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app property_type:property_service set;