Hide ro.debuggable and ro.secure from ephemeral and isolated applications
Bug: 193912100
Test: N/A
Change-Id: I916c9795d96e4a4a453f9aed5e380f11981804e9
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c2e0b10..6231623 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -261,5 +261,7 @@
# due to the specific logging use cases.
# Context: b/193912100
neverallow {
- untrusted_app_all
+ all_untrusted_apps
+ -mediaprovider
+ -mediaprovider_app
} { userdebug_or_eng_prop }:file read;
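Review bot: The `-mediaprovider` and `-mediaprovider_app` exclusions in this neverallow are added without a comment explaining why those two domains may still read `userdebug_or_eng_prop`. The comment block above starts outside the hunk, and its visible tail only mentions "specific logging use cases", so it may not cover them. The private/domain.te hunk in this same change removes the grant only for `untrusted_app_all`, `isolated_app` and `ephemeral_app`, so both mediaprovider domains keep read access to the build-type property. If that is intended, record it next to the exclusion, e.g. `# mediaprovider and mediaprovider_app stay exempt: <reason / bug id>`, so a later audit does not have to rediscover why the rule is narrower than `all_untrusted_apps`.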
diff --git a/private/domain.te b/private/domain.te
index 65e2029..9de23ba 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -132,7 +132,7 @@
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, timezone_prop)
-get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
+get_prop({domain -untrusted_app_all -isolated_app -ephemeral_app }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
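Review bot: The exclusion set on the changed `get_prop` line is written out by hand and must stay in step with the neverallow in private/app_neverallows.te, but nothing on the line says so. A one-line comment above it would make the coupling visible, e.g. `# Keep in sync with the userdebug_or_eng_prop neverallow in app_neverallows.te (b/193912100).` Separately, the commit title names ro.secure as well as ro.debuggable, while both hunks touch only `userdebug_or_eng_prop`. The property_contexts labelling is not part of this diff, so it is worth confirming that ro.secure actually carries this type; if it does not, isolated and ephemeral apps can still read it through whatever type it does have.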