blob: 77e1a7d26d0b19ca08c4925ed3e00420879478ea [file] [log] [blame]
# Properties used only in /system
system_internal_prop(adbd_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
###
### Neverallow rules
###
treble_sysprop_neverallow(`
enforce_sysprop_owner(`
neverallow domain {
property_type
-system_property_type
-product_property_type
-vendor_property_type
}:file no_rw_file_perms;
')
neverallow { domain -coredomain } {
system_property_type
system_internal_property_type
-system_restricted_property_type
-system_public_property_type
}:file no_rw_file_perms;
neverallow { domain -coredomain } {
system_property_type
-system_public_property_type
}:property_service set;
# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } {
vendor_property_type
vendor_internal_property_type
-vendor_restricted_property_type
-vendor_public_property_type
}:file no_rw_file_perms;
neverallow { coredomain -init } {
vendor_property_type
-vendor_public_property_type
}:property_service set;
')
# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };
neverallow * {
core_property_type
-audio_prop
-config_prop
-cppreopt_prop
-dalvik_prop
-debuggerd_prop
-debug_prop
-dhcp_prop
-dumpstate_prop
-fingerprint_prop
-logd_prop
-net_radio_prop
-nfc_prop
-ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
-radio_prop
-restorecon_prop
-shell_prop
-system_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
neverallow {
domain
-init
-vendor_init
} ctl_sigstop_prop:property_service set;
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
ctl_bootanim_prop
ctl_bugreport_prop
ctl_console_prop
ctl_default_prop
ctl_dumpstate_prop
ctl_fuse_prop
ctl_mdnsd_prop
ctl_rildaemon_prop
}:property_service set;
neverallow {
domain
-init
} init_svc_debug_prop:property_service set;
neverallow {
domain
-init
-dumpstate
userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;
compatible_property_only(`
# Prevent properties from being set
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
extended_core_property_type
exported_config_prop
exported_default_prop
exported_dumpstate_prop
exported_system_prop
exported3_system_prop
usb_control_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
-vendor_init
} {
radio_control_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:property_service set;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:property_service set;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
-vendor_init
} {
exported_bluetooth_prop
}:property_service set;
neverallow {
domain
-coredomain
-hal_camera_server
-cameraserver
-vendor_init
} {
exported_camera_prop
}:property_service set;
neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:property_service set;
neverallow {
domain
-init
-dumpstate
-hal_wifi_server
-wificond
-vendor_init
} {
wifi_hal_prop
}:property_service set;
# Prevent properties from being read
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
dalvik_config_prop
extended_core_property_type
exported3_system_prop
systemsound_config_prop
-debug_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-vendor_init
} {
suspend_prop
}:property_service set;
')
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
} {
property_type
-system_property_type
-extended_core_property_type
}:property_service set;
')
neverallow {
domain
-coredomain
-vendor_init
} {
ffs_config_prop
ffs_control_prop
}:file no_rw_file_perms;
neverallow {
domain
-init
-system_server
} {
userspace_reboot_log_prop
}:property_service set;
neverallow {
# Only allow init and system_server to set system_adbd_prop
domain
-init
-system_server
} {
system_adbd_prop
}:property_service set;
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
domain
-init
-vendor_init
-adbd
-system_server
} {
adbd_config_prop
}:property_service set;
neverallow {
# Only allow init and adbd to set adbd_prop
domain
-init
-adbd
} {
adbd_prop
}:property_service set;
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
domain
-init
-shell
} {
userspace_reboot_test_prop
}:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} {
surfaceflinger_color_prop
}:property_service set;
neverallow {
domain
-init
} {
libc_debug_prop
}:property_service set;
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
# Allow system apps to set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
-system_app
} {
arm64_memtag_prop
}:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
domain
-coredomain
-vendor_init
} {
usb_config_prop
usb_control_prop
}:property_service set;
neverallow {
domain
-init
-system_server
} {
provisioned_prop
retaildemo_prop
}:property_service set;
neverallow {
domain
-coredomain
-vendor_init
} {
provisioned_prop
retaildemo_prop
}:file no_rw_file_perms;
neverallow {
domain
-init
} {
init_service_status_private_prop
init_service_status_prop
}:property_service set;
neverallow {
domain
-init
-radio
-appdomain
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;
neverallow {
domain
-init
-vendor_init
} {
graphics_config_prop
}:property_service set;
neverallow {
domain
-init
-surfaceflinger
} {
surfaceflinger_display_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
} {
localization_prop
}:property_service set;
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_app
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
-vendor_init
-dumpstate
-appdomain
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
-vendor_init
-dumpstate
-appdomain
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
domain
-init
-dumpstate
-hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
lower_kptr_restrict_prop
}:property_service set;
neverallow {
domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
domain
-init
} verity_status_prop:property_service set;
neverallow {
domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
domain
-init
} default_prop:property_service set;
# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
-shell
} rollback_test_prop:property_service set;
neverallow {
# Only allow init and profcollectd to access profcollectd_node_id_prop
domain
-init
-dumpstate
-profcollectd
} profcollectd_node_id_prop:file r_file_perms;