Add attributes for exported properties

This introduces some attributes that can be used to restrict access to
exported properties, so that one can easily check from where the
properties can be accessed, and so that OEMs can extend their own exported
properties.

Bug: 71814576
Bug: 131162102
Test: boot aosp_cf_x86_phone-userdebug
Test: logcat | grep "avc: "
Change-Id: I6f988ec1cb94fa64563ca6cb91b7702da5d604e3
diff --git a/public/attributes b/public/attributes
index afd303f..da4cd3f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -86,6 +86,41 @@
 # These properties are not accessible from device-specific domains
 attribute extended_core_property_type;
 
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type',   `system_property_type')
+define(`product_internal_type',   `system_internal_property_type')
+define(`product_restricted_type', `system_restricted_property_type')
+define(`product_public_type',     `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+
 # All service_manager types created by system_server
 attribute system_server_service;
 
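Review bot: The m4 aliases on lines 40-42 are named `product_internal_type`, `product_restricted_type` and `product_public_type`, but `define_prop` in the te_macros hunk expands its scope argument to `$2_$3_property_type`, so `product_internal_prop(foo)` yields `product_internal_property_type`, which neither these defines nor any `attribute` line declares. Unless that name is declared somewhere outside this diff, the first product_*_prop() user will fail at policy compile time with an undeclared attribute. Rename the three aliases to the names define_prop actually produces: `define(`product_internal_property_type',   `system_internal_property_type')`, and likewise `product_restricted_property_type` and `product_public_property_type`. Because these are m4 macros rather than attributes, the `-product_property_type` subtraction in the (currently commented) property.te neverallow is rewritten to `-system_property_type` before the policy is compiled, which is presumably the intent while /product shares /system's enforcement.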
diff --git a/public/property.te b/public/property.te
index 4f4adec..10be0ba 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,137 +1,187 @@
-type apexd_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type boottime_prop, property_type;
-type bluetooth_a2dp_offload_prop, property_type;
-type bluetooth_audio_hal_prop, property_type;
-type bluetooth_prop, property_type;
-type bpf_progs_loaded_prop, property_type;
-type bootloader_boot_reason_prop, property_type;
-type charger_prop, property_type;
-type cold_boot_done_prop, property_type;
-type config_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
-type cpu_variant_prop, property_type;
-type ctl_adbd_prop, property_type;
-type ctl_apexd_prop, property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_gsid_prop, property_type;
-type ctl_interface_restart_prop, property_type;
-type ctl_interface_start_prop, property_type;
-type ctl_interface_stop_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_restart_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type ctl_sigstop_prop, property_type;
-type ctl_start_prop, property_type;
-type ctl_stop_prop, property_type;
-type dalvik_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type default_prop, property_type, core_property_type;
-type device_config_activity_manager_native_boot_prop, property_type;
-type device_config_boot_count_prop, property_type;
-type device_config_reset_performed_prop, property_type;
-type device_config_input_native_boot_prop, property_type;
-type device_config_netd_native_prop, property_type;
-type device_config_runtime_native_boot_prop, property_type;
-type device_config_runtime_native_prop, property_type;
-type device_config_media_native_prop, property_type;
-type device_config_sys_traced_prop, property_type;
-type device_logging_prop, property_type;
-type dhcp_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type dumpstate_prop, property_type, core_property_type;
-type dynamic_system_prop, property_type;
-type exported_secure_prop, property_type;
-type ffs_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type firstboot_prop, property_type;
-type gsid_prop, property_type;
-type heapprofd_enabled_prop, property_type;
-type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
-type init_svc_debug_prop, property_type;
-type last_boot_reason_prop, property_type;
-type system_lmk_prop, property_type;
-type linker_prop, property_type;
-type llkd_prop, property_type;
-type logd_prop, property_type, core_property_type;
-type logpersistd_logging_prop, property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
-type lowpan_prop, property_type;
-type lpdumpd_prop, property_type;
-type mmc_prop, property_type;
-type net_dns_prop, property_type;
-type net_radio_prop, property_type, core_property_type;
-type netd_stable_secret_prop, property_type;
-type nfc_prop, property_type, core_property_type;
-type nnapi_ext_deny_product_prop, property_type;
-type overlay_prop, property_type;
-type pan_result_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type persistent_properties_ready_prop, property_type;
-type pm_prop, property_type;
-type powerctl_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type restorecon_prop, property_type, core_property_type;
-type safemode_prop, property_type;
-type serialno_prop, property_type;
-type shell_prop, property_type, core_property_type;
-type system_boot_reason_prop, property_type;
-type system_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type system_trace_prop, property_type;
-type test_boot_reason_prop, property_type;
-type test_harness_prop, property_type;
-type theme_prop, property_type;
-type time_prop, property_type;
-type traced_enabled_prop, property_type;
-type traced_lazy_prop, property_type;
-type use_memfd_prop, property_type;
-type virtual_ab_prop, property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
-type vendor_security_patch_level_prop, property_type;
+# Properties used only in /system
+system_internal_prop(apexd_prop)
+system_internal_prop(bootloader_boot_reason_prop)
+system_internal_prop(boottime_prop)
+system_internal_prop(bpf_progs_loaded_prop)
+system_internal_prop(charger_prop)
+system_internal_prop(cold_boot_done_prop)
+system_internal_prop(ctl_adbd_prop)
+system_internal_prop(ctl_apexd_prop)
+system_internal_prop(ctl_bootanim_prop)
+system_internal_prop(ctl_bugreport_prop)
+system_internal_prop(ctl_console_prop)
+system_internal_prop(ctl_dumpstate_prop)
+system_internal_prop(ctl_fuse_prop)
+system_internal_prop(ctl_gsid_prop)
+system_internal_prop(ctl_interface_restart_prop)
+system_internal_prop(ctl_interface_stop_prop)
+system_internal_prop(ctl_mdnsd_prop)
+system_internal_prop(ctl_restart_prop)
+system_internal_prop(ctl_rildaemon_prop)
+system_internal_prop(ctl_sigstop_prop)
+system_internal_prop(device_config_activity_manager_native_boot_prop)
+system_internal_prop(device_config_boot_count_prop)
+system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
+system_internal_prop(device_config_netd_native_prop)
+system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(device_config_runtime_native_boot_prop)
+system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(dynamic_system_prop)
+system_internal_prop(firstboot_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(heapprofd_enabled_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(llkd_prop)
+system_internal_prop(lpdumpd_prop)
+system_internal_prop(mmc_prop)
+system_internal_prop(net_dns_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(overlay_prop)
+system_internal_prop(persistent_properties_ready_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(safemode_prop)
+system_internal_prop(system_lmk_prop)
+system_internal_prop(system_trace_prop)
+system_internal_prop(test_boot_reason_prop)
+system_internal_prop(time_prop)
+system_internal_prop(traced_enabled_prop)
+system_internal_prop(traced_lazy_prop)
+system_internal_prop(virtual_ab_prop)
 
-# Properties for whitelisting
-type exported_audio_prop, property_type;
-type exported_bluetooth_prop, property_type;
-type exported_config_prop, property_type;
-type exported_dalvik_prop, property_type;
-type exported_default_prop, property_type;
-type exported_dumpstate_prop, property_type;
-type exported_ffs_prop, property_type;
-type exported_fingerprint_prop, property_type;
-type exported_overlay_prop, property_type;
-type exported_pm_prop, property_type;
-type exported_radio_prop, property_type;
-type exported_system_prop, property_type;
-type exported_system_radio_prop, property_type;
-type exported_vold_prop, property_type;
-type exported_wifi_prop, property_type;
-type exported2_config_prop, property_type;
-type exported2_default_prop, property_type;
-type exported2_radio_prop, property_type;
-type exported2_system_prop, property_type;
-type exported2_vold_prop, property_type;
-type exported3_default_prop, property_type;
-type exported3_radio_prop, property_type;
-type exported3_system_prop, property_type;
+# Properties which can't be written outside system
+system_restricted_prop(config_prop)
+system_restricted_prop(cppreopt_prop)
+system_restricted_prop(dalvik_prop)
+system_restricted_prop(debuggerd_prop)
+system_restricted_prop(default_prop)
+system_restricted_prop(device_logging_prop)
+system_restricted_prop(dhcp_prop)
+system_restricted_prop(dumpstate_prop)
+system_restricted_prop(exported2_default_prop)
+system_restricted_prop(exported3_system_prop)
+system_restricted_prop(exported_dumpstate_prop)
+system_restricted_prop(exported_fingerprint_prop)
+system_restricted_prop(exported_secure_prop)
+system_restricted_prop(exported_vold_prop)
+system_restricted_prop(ffs_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(heapprofd_prop)
+system_restricted_prop(linker_prop)
+system_restricted_prop(net_radio_prop)
+system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(pan_result_prop)
+system_restricted_prop(persist_debug_prop)
+system_restricted_prop(restorecon_prop)
+system_restricted_prop(shell_prop)
+system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_radio_prop)
+system_restricted_prop(test_harness_prop)
+system_restricted_prop(theme_prop)
+system_restricted_prop(use_memfd_prop)
+system_restricted_prop(vold_prop)
+
+# Properties with no restrictions
+system_public_prop(audio_prop)
+system_public_prop(bluetooth_a2dp_offload_prop)
+system_public_prop(bluetooth_audio_hal_prop)
+system_public_prop(bluetooth_prop)
+system_public_prop(cpu_variant_prop)
+system_public_prop(ctl_default_prop)
+system_public_prop(ctl_interface_start_prop)
+system_public_prop(ctl_start_prop)
+system_public_prop(ctl_stop_prop)
+system_public_prop(debug_prop)
+system_public_prop(dumpstate_options_prop)
+system_public_prop(exported_system_prop)
+system_public_prop(exported2_config_prop)
+system_public_prop(exported2_radio_prop)
+system_public_prop(exported2_system_prop)
+system_public_prop(exported2_vold_prop)
+system_public_prop(exported3_default_prop)
+system_public_prop(exported3_radio_prop)
+system_public_prop(exported_audio_prop)
+system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_config_prop)
+system_public_prop(exported_dalvik_prop)
+system_public_prop(exported_default_prop)
+system_public_prop(exported_ffs_prop)
+system_public_prop(exported_overlay_prop)
+system_public_prop(exported_pm_prop)
+system_public_prop(exported_radio_prop)
+system_public_prop(exported_system_radio_prop)
+system_public_prop(exported_wifi_prop)
+system_public_prop(hwservicemanager_prop)
+system_public_prop(logd_prop)
+system_public_prop(logpersistd_logging_prop)
+system_public_prop(log_prop)
+system_public_prop(log_tag_prop)
+system_public_prop(lowpan_prop)
+system_public_prop(nfc_prop)
+system_public_prop(powerctl_prop)
+system_public_prop(radio_prop)
+system_public_prop(serialno_prop)
+system_public_prop(system_prop)
+system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(wifi_log_prop)
+system_public_prop(wifi_prop)
+
 type vendor_default_prop, property_type;
 
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
 allow property_type tmpfs:filesystem associate;
 
 ###
 ### Neverallow rules
 ###
 
+compatible_property_only(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow * {
+#   property_type
+#   -system_property_type
+#   -product_property_type
+#   -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_restricted_property_type
+  -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_public_property_type
+}:property_service set;
+
+neverallow { domain -coredomain } {
+  system_internal_property_type
+}:file no_rw_file_perms;
+
+neverallow coredomain {
+  vendor_property_type
+  -vendor_restricted_property_type
+  -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow coredomain {
+  vendor_property_type
+  -vendor_public_property_type
+}:property_service set;
+
+neverallow coredomain {
+  vendor_internal_property_type
+}:file no_rw_file_perms;
+
+')
+
 # There is no need to perform ioctl or advisory locking operations on
 # property files. If this neverallow is being triggered, it is
 # likely that the policy is using r_file_perms directly instead of
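Review bot: The three vendor-side neverallow rules on lines 356-369 have nothing to act on in this change: `vendor_default_prop` on line 319 keeps its bare `type vendor_default_prop, property_type;` declaration and nothing here assigns `vendor_property_type`, so those rules are vacuous until vendor policy adopts the vendor_*_prop() macros. A comment beside that declaration would record the gap, e.g. `# TODO(b/131162102): give vendor_default_prop an ownership attribute (vendor_*_prop) so the vendor neverallows below apply`. The rule on lines 352-354 is subsumed by the one on lines 341-345 for any type declared through define_prop; if it is intended as a guard for types that receive `system_internal_property_type` through a bare typeattribute, a one-line comment saying so would stop a later cleanup from removing it.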
@@ -145,6 +195,30 @@
 # New properties should have appropriate read / write access
 # control rules written.
 
+typeattribute audio_prop         core_property_type;
+typeattribute config_prop        core_property_type;
+typeattribute cppreopt_prop      core_property_type;
+typeattribute dalvik_prop        core_property_type;
+typeattribute debuggerd_prop     core_property_type;
+typeattribute debug_prop         core_property_type;
+typeattribute default_prop       core_property_type;
+typeattribute dhcp_prop          core_property_type;
+typeattribute dumpstate_prop     core_property_type;
+typeattribute ffs_prop           core_property_type;
+typeattribute fingerprint_prop   core_property_type;
+typeattribute logd_prop          core_property_type;
+typeattribute net_radio_prop     core_property_type;
+typeattribute nfc_prop           core_property_type;
+typeattribute pan_result_prop    core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop      core_property_type;
+typeattribute radio_prop         core_property_type;
+typeattribute restorecon_prop    core_property_type;
+typeattribute shell_prop         core_property_type;
+typeattribute system_prop        core_property_type;
+typeattribute system_radio_prop  core_property_type;
+typeattribute vold_prop          core_property_type;
+
 neverallow * {
   core_property_type
   -audio_prop
diff --git a/public/te_macros b/public/te_macros
index 1187320..cb0ebd1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -723,3 +723,65 @@
   allow $1_server dumpstate:fifo_file write;
   allow $1_server dumpstate:fd use;
 ')
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+  type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+#
+define(`system_internal_prop', `define_prop($1, system, internal)')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+#
+define(`system_restricted_prop', `define_prop($1, system, restricted)')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+#
+define(`product_internal_prop', `define_prop($1, product, internal)')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+#
+define(`product_restricted_prop', `define_prop($1, product, restricted)')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+#
+define(`vendor_internal_prop', `define_prop($1, vendor, internal)')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+#
+define(`vendor_restricted_prop', `define_prop($1, vendor, restricted)')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
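Review bot: The header comment for `define_prop` on lines 417-418 does not say which values `owner` and `scope` accept, yet the expansion on line 421 only resolves when `$2_property_type` and `$2_$3_property_type` exist as declared attributes or m4 aliases, which the nine wrappers below limit to owner in {system, product, vendor} and scope in {internal, restricted, public}. Add that to the comment: `# owner: system, product or vendor; scope: internal, restricted or public` and `# Expands to: type name, property_type, <owner>_property_type, <owner>_<scope>_property_type;`. It is also worth stating that callers should use the wrappers rather than define_prop directly, since a misspelt owner or scope only surfaces as an undeclared-attribute error at policy build time.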