Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: ad0d0fc722d04e465ce2b0bfd2f8e04714c75391 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Thu May 29 09:22:16 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Thu May 29 13:43:37 2014 +0000
tree: 320949e7d0aa474c1b80cf6c0336df5e824472af
parent: c8859c2d152e42b8084fa1cd08c875afc1bf2451 [diff] [blame]
diff --git a/init.te b/init.te
index 028c461..f0c6ac6 100644
--- a/init.te
+++ b/init.te

@@ -34,3 +34,7 @@
 # setfscreate is for labeling directories and socket files.
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
commit	ad0d0fc722d04e465ce2b0bfd2f8e04714c75391	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Thu May 29 09:22:16 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Thu May 29 13:43:37 2014 +0000
tree	320949e7d0aa474c1b80cf6c0336df5e824472af
parent	c8859c2d152e42b8084fa1cd08c875afc1bf2451 [diff] [blame]