Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
diff --git a/private/adbd.te b/private/adbd.te
index 89fa1f9..f7504df 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -90,6 +90,9 @@
# Set service.adb.tls.port, persist.adb.wifi. properties
set_prop(adbd, adbd_prop)
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
+
# Access device logging gating property
get_prop(adbd, device_logging_prop)
diff --git a/private/apexd.te b/private/apexd.te
index 9e702dd..c03790c 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -155,3 +155,7 @@
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+neverallow { domain -apexd -init } apexd_prop:property_service set;
diff --git a/private/asan_extract.te b/private/asan_extract.te
index 1c20d78..69bcd50 100644
--- a/private/asan_extract.te
+++ b/private/asan_extract.te
@@ -3,6 +3,9 @@
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
+ typeattribute asan_extract coredomain;
+ init_daemon_domain(asan_extract)
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
')
diff --git a/private/bootanim.te b/private/bootanim.te
index 20ff193..fd95e41 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -4,3 +4,6 @@
# b/68864350
dontaudit bootanim unlabeled:dir search;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
diff --git a/private/bootstat.te b/private/bootstat.te
index 806144c..da3179b 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,33 @@
typeattribute bootstat coredomain;
init_daemon_domain(bootstat)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/private/charger.te b/private/charger.te
index 65109de..13d1b14 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -1 +1,10 @@
typeattribute charger coredomain;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
+
+get_prop(charger, charger_prop)
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7..8ec9111 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -2,3 +2,6 @@
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
diff --git a/private/domain.te b/private/domain.te
index 3f5bbaa..adb0218 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -369,3 +369,10 @@
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 72e508e..0eff540 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -50,6 +50,17 @@
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 29a9157..49994b7 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -1 +1,25 @@
typeattribute fastbootd coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(fastbootd, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(fastbootd, serialno_prop)
+
+ # Set sys.usb.ffs.ready.
+ set_prop(fastbootd, ffs_prop)
+ set_prop(fastbootd, exported_ffs_prop)
+
+ userdebug_or_eng(`
+ get_prop(fastbootd, persistent_properties_ready_prop)
+ ')
+
+ set_prop(fastbootd, gsid_prop)
+
+ # Determine allocation scheme (whether B partitions needs to be
+ # at the second half of super.
+ get_prop(fastbootd, virtual_ab_prop)
+')
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index fb41aff..18dde09 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -1,3 +1,27 @@
typeattribute flags_health_check coredomain;
init_daemon_domain(flags_health_check)
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index 5e4d0a2..2fb88a3 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,6 @@
typeattribute gatekeeperd coredomain;
init_daemon_domain(gatekeeperd)
+
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
diff --git a/private/healthd.te b/private/healthd.te
index 20d0791..921d33f 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -4,3 +4,10 @@
# Allow healthd to serve health HAL
hal_server_domain(healthd, hal_health)
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 0705cc7..e1fde43 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -6,3 +6,4 @@
add_hwservice(hwservicemanager, hidl_token_hwservice)
set_prop(hwservicemanager, ctl_interface_start_prop)
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/private/lmkd.te b/private/lmkd.te
index a07ce87..7246051 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,3 +1,6 @@
typeattribute lmkd coredomain;
init_daemon_domain(lmkd)
+
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)
diff --git a/private/logd.te b/private/logd.te
index ca92e20..7112c4f 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -2,6 +2,9 @@
init_daemon_domain(logd)
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
neverallow logd {
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 2e654d6..7f626c4 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -5,3 +5,5 @@
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
allow mediaextractor system_server_tmpfs:file { getattr map read write };
+
+get_prop(mediaextractor, device_config_media_native_prop)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index c55e54a..32dfc00 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -12,3 +12,5 @@
hal_client_domain(mediaserver, hal_codec2)
allow mediaserver mediatranscoding_service:service_manager find;
+
+set_prop(mediaserver, audio_prop)
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index 50f5698..cef802d 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -2,3 +2,4 @@
init_daemon_domain(mediaswcodec)
+get_prop(mediaswcodec, device_config_media_native_prop)
diff --git a/private/netd.te b/private/netd.te
index 41473b7..27663d3 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -17,7 +17,12 @@
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow netd self:key_socket create;
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
# Allow netd to write to statsd.
unix_socket_send(netd, statsdw, statsd)
@@ -28,3 +33,11 @@
# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/private/property.te b/private/property.te
new file mode 100644
index 0000000..be865f1
--- /dev/null
+++ b/private/property.te
@@ -0,0 +1,321 @@
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow domain {
+# property_type
+# -system_property_type
+# -product_property_type
+# -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ system_internal_property_type
+ -system_restricted_property_type
+ -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+ vendor_property_type
+ vendor_internal_property_type
+ -vendor_restricted_property_type
+ -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+ vendor_property_type
+ -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -ota_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_dalvik_prop
+ exported_ffs_prop
+ exported_system_radio_prop
+ exported2_config_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -system_property_type
+ -extended_core_property_type
+ }:property_service set;
+')
+
+neverallow {
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and shell to set userspace_reboot_test_prop
+ -init
+ -shell
+} {
+ userspace_reboot_test_prop
+}:property_service set;
diff --git a/private/radio.te b/private/radio.te
index 17a4fdd..9b2e9db 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -4,6 +4,16 @@
read_runtime_log_tags(radio)
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7..eee1698 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,24 @@
typeattribute recovery coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+ set_prop(recovery, exported_ffs_prop)
+
+ # Set sys.usb.config when switching into fastboot.
+ set_prop(recovery, system_radio_prop)
+ set_prop(recovery, exported_system_radio_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ set_prop(recovery, gsid_prop)
+')
diff --git a/private/shell.te b/private/shell.te
index 76ff073..63757eb 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,3 +1,4 @@
+
typeattribute shell coredomain;
# allow shell input injection
@@ -90,3 +91,52 @@
# not the whole system.
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
+userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 94841df..b7e58ba 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -20,3 +20,8 @@
unix_socket_connect(traceur_app, traced_consumer, traced)
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
+
+# Allow Traceur to enable traced if necessary.
+set_prop(traceur_app, traced_enabled_prop)
+
+set_prop(traceur_app, debug_prop)
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd6773..8bcdbf9 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,7 @@
typeattribute ueventd coredomain;
tmpfs_domain(ueventd)
+
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224..1a94cd1 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,6 @@
typeattribute uncrypt coredomain;
init_daemon_domain(uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
diff --git a/private/update_engine.te b/private/update_engine.te
index e4e7009..a76ab49 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -5,3 +5,9 @@
# Allow to talk to gsid.
allow update_engine gsi_service:service_manager find;
binder_call(update_engine, gsid)
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 1b934d9..5e1b27b 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,9 @@
typeattribute update_verifier coredomain;
init_daemon_domain(update_verifier)
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
diff --git a/private/usbd.te b/private/usbd.te
index 13a0ad7..42f2324 100644
--- a/private/usbd.te
+++ b/private/usbd.te
@@ -10,3 +10,6 @@
# start adbd during boot if adb is enabled
set_prop(usbd, ctl_default_prop)
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/private/vold.te b/private/vold.te
index dea24a5..19d74b1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -17,3 +17,13 @@
# from accidentally writing when the mount point isn't present.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
diff --git a/private/wificond.te b/private/wificond.te
index cc76447..7bffaba 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,4 +1,10 @@
typeattribute wificond coredomain;
+set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+get_prop(wificond, hwservicemanager_prop)
+
init_daemon_domain(wificond)
hal_client_domain(wificond, hal_wifi_offload)
diff --git a/public/adbd.te b/public/adbd.te
index 4a1f633..68a176c 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -6,6 +6,3 @@
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
diff --git a/public/apexd.te b/public/apexd.te
index 93c257f..429791f 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -4,12 +4,8 @@
binder_use(apexd)
add_service(apexd, apex_service)
-set_prop(apexd, apexd_prop)
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
-
-# only apexd can set apexd sysprop
-neverallow { domain -apexd -init } apexd_prop:property_service set;
diff --git a/public/asan_extract.te b/public/asan_extract.te
index 15c5a09..22da8c1 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -30,7 +30,4 @@
# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
allow asan_extract system_data_file:file execute;
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
')
diff --git a/public/bootanim.te b/public/bootanim.te
index e8cb98b..eb3eba5 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -36,7 +36,3 @@
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-
diff --git a/public/bootstat.te b/public/bootstat.te
index 6143a7d..5079c28 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,13 +8,6 @@
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
allow bootstat metadata_file:dir search;
allow bootstat metadata_bootstat_file:dir rw_dir_perms;
allow bootstat metadata_bootstat_file:file create_file_perms;
@@ -32,30 +25,6 @@
# Allow bootstat write to statsd.
unix_socket_send(bootstat, statsdw, statsd)
-# ToDo: end
-
-neverallow {
- domain
- -bootanim
- -bootstat
- -dumpstate
- -init
- -recovery
- -shell
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
- domain
- -bootstat
- -init
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
-
neverallow {
domain
-bootstat
diff --git a/public/charger.te b/public/charger.te
index 4b341ea..f57853a 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -36,13 +36,4 @@
allow charger tty_device:chr_file rw_file_perms;
allow charger proc_sysrq:file rw_file_perms;
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported2_system_prop)
-set_prop(charger, exported3_system_prop)
-
-get_prop(charger, charger_prop)
-
hal_client_domain(charger, hal_health)
diff --git a/public/dhcp.te b/public/dhcp.te
index 4f2369d..67fd038 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -17,9 +17,6 @@
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net_type:file write;
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 1b7d4fb..03f1d28 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -533,10 +533,6 @@
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
')
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
compatible_property_only(`
neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
@@ -562,9 +558,6 @@
-vendor_init
} serialno_prop:file r_file_perms;
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
neverallow {
domain
-init
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 1e895e4..5f27d32 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -258,13 +258,6 @@
allow dumpstate devpts:chr_file rw_file_perms;
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
# Read any system properties
get_prop(dumpstate, property_type)
@@ -329,9 +322,6 @@
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
-
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index a0152d4..bb18637 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -23,22 +23,12 @@
allow fastbootd device:dir r_dir_perms;
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
# For dev/block/by-name dir
allow fastbootd block_device:dir r_dir_perms;
# Needed for DM_DEV_CREATE ioctl call
allow fastbootd self:capability sys_admin;
- # Set sys.usb.ffs.ready.
- set_prop(fastbootd, ffs_prop)
- set_prop(fastbootd, exported_ffs_prop)
-
unix_socket_connect(fastbootd, recovery, recovery)
# Required for flashing
@@ -106,18 +96,12 @@
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
allow fastbootd labeledfs:filesystem { mount unmount };
- get_prop(fastbootd, persistent_properties_ready_prop)
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- set_prop(fastbootd, gsid_prop)
allow fastbootd gsi_metadata_file:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
-
- # Determine allocation scheme (whether B partitions needs to be
- # at the second half of super.
- get_prop(fastbootd, virtual_ab_prop)
')
###
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index 6315d44..25a7768 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -2,33 +2,9 @@
type flags_health_check, domain, coredomain;
type flags_health_check_exec, system_file_type, exec_type, file_type;
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
-
# server_configurable_flags_data_file is used for storing whether server configurable flags which
# have been reset during current booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index dc46d07..e1739c2 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -35,7 +35,4 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
-
r_dir_file(gatekeeperd, cgroup)
diff --git a/public/healthd.te b/public/healthd.te
index 7ea23e1..8673846 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -47,10 +47,3 @@
allow healthd tty_device:chr_file rw_file_perms;
allow healthd ashmem_device:chr_file execute;
allow healthd proc_sysrq:file rw_file_perms;
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported2_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 7f03815..7ec1872 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -10,8 +10,6 @@
# to do this is granted in the hwbinder_use macro.
allow hwservicemanager self:binder set_context_mgr;
-set_prop(hwservicemanager, hwservicemanager_prop)
-
# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir r_dir_perms;
diff --git a/public/lmkd.te b/public/lmkd.te
index b852f44..7c1e741 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -36,9 +36,6 @@
allow lmkd proc_zoneinfo:file r_file_perms;
allow lmkd proc_vmstat:file r_file_perms;
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
# live lock watchdog process allowed to look through /proc/
allow lmkd domain:dir { search open read };
allow lmkd domain:file { open read };
diff --git a/public/logd.te b/public/logd.te
index 57e29d9..f8dd164 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -23,9 +23,6 @@
')
allow logd runtime_event_log_tags_file:file rw_file_perms;
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
r_dir_file(logd, domain)
allow logd kernel:system syslog_mod;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 4bedb0f..4bee4f8 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,8 +37,6 @@
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
-get_prop(mediaextractor, device_config_media_native_prop)
-
###
### neverallow rules
###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 02a0eb0..832eaa3 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -34,8 +34,6 @@
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
-set_prop(mediaserver, audio_prop)
-
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 2acdeea..992baab 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -11,8 +11,6 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
-get_prop(mediaswcodec, device_config_media_native_prop)
-
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
diff --git a/public/netd.te b/public/netd.te
index 8005406..a020a57 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -81,9 +81,6 @@
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
@@ -113,8 +110,6 @@
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
###
### Neverallow rules
@@ -157,14 +152,6 @@
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
-
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/public/property.te b/public/property.te
index 67a1fbe..afc5c1e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,4 +1,8 @@
# Properties used only in /system
+#
+# DO NOT ADD system_internal_prop here.
+# Instead, add to private/property.te.
+# TODO(b/150331497): move these to private/property.te
system_internal_prop(apexd_prop)
system_internal_prop(bootloader_boot_reason_prop)
system_internal_prop(device_config_activity_manager_native_boot_prop)
@@ -243,54 +247,6 @@
allow property_type tmpfs:filesystem associate;
-###
-### Neverallow rules
-###
-
-treble_sysprop_neverallow(`
-
-# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow domain {
-# property_type
-# -system_property_type
-# -product_property_type
-# -vendor_property_type
-# }:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- system_internal_property_type
- -system_restricted_property_type
- -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
- vendor_property_type
- vendor_internal_property_type
- -vendor_restricted_property_type
- -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
- vendor_property_type
- -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
@@ -322,277 +278,3 @@
typeattribute system_prop core_property_type;
typeattribute system_radio_prop core_property_type;
typeattribute vold_prop core_property_type;
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -default_prop
- -dhcp_prop
- -dumpstate_prop
- -ffs_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -ota_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -system_radio_prop
- -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
-neverallow {
- domain
- -init
- -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_bootanim_prop
- ctl_bugreport_prop
- ctl_console_prop
- ctl_default_prop
- ctl_dumpstate_prop
- ctl_fuse_prop
- ctl_mdnsd_prop
- ctl_rildaemon_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
- domain
- -init
- -dumpstate
- userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported2_config_prop
- exported2_default_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_system_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- -vendor_init
- } {
- exported_radio_prop
- exported3_radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- exported2_radio_prop
- radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- -vendor_init
- } {
- exported_bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_camera_server
- -cameraserver
- -vendor_init
- } {
- exported_camera_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- -vendor_init
- } {
- exported_wifi_prop
- }:property_service set;
-
-# Prevent properties from being read
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_dalvik_prop
- exported_ffs_prop
- exported_system_radio_prop
- exported2_config_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_system_prop
- -debug_prop
- -logd_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:file no_rw_file_perms;
-')
-
-compatible_property_only(`
- # Neverallow coredomain to set vendor properties
- neverallow {
- coredomain
- -init
- -system_writes_vendor_properties_violators
- } {
- property_type
- -system_property_type
- -extended_core_property_type
- }:property_service set;
-')
-
-neverallow {
- -init
- -system_server
-} {
- userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and system_server to set system_adbd_prop
- -init
- -system_server
-} {
- system_adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and adbd to set adbd_prop
- -init
- -adbd
-} {
- adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and shell to set userspace_reboot_test_prop
- -init
- -shell
-} {
- userspace_reboot_test_prop
-}:property_service set;
diff --git a/public/radio.te b/public/radio.te
index 34eaf83..6ec0086 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -16,16 +16,6 @@
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, exported_radio_prop)
-set_prop(radio, exported2_radio_prop)
-set_prop(radio, exported3_radio_prop)
-set_prop(radio, net_radio_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
add_service(radio, radio_service)
allow radio audioserver_service:service_manager find;
allow radio cameraserver_service:service_manager find;
diff --git a/public/recovery.te b/public/recovery.te
index 3bac03d..aceba01 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -108,23 +108,6 @@
# Read files on /oem.
r_dir_file(recovery, oemfs);
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- set_prop(recovery, ffs_prop)
- set_prop(recovery, exported_ffs_prop)
-
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, system_radio_prop)
- set_prop(recovery, exported_system_radio_prop)
-
- # Read ro.boot.bootreason
- get_prop(recovery, bootloader_boot_reason_prop)
-
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
@@ -144,7 +127,6 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- set_prop(recovery, gsid_prop)
allow recovery gsi_metadata_file:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 79d5c89..712307f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -58,60 +58,12 @@
r_dir_file(shell, apk_data_file)
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
- set_prop(shell, persist_debug_prop)
')
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 7e2cc84..ce9b844 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -3,11 +3,6 @@
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;
-# Allow Traceur to enable traced if necessary.
-set_prop(traceur_app, traced_enabled_prop)
-
-set_prop(traceur_app, debug_prop)
-
allow traceur_app {
service_manager_type
-apex_service
diff --git a/public/ueventd.te b/public/ueventd.te
index fc503b8..1d75080 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -59,10 +59,6 @@
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
-
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 28dc3f2..75765f3 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -22,9 +22,6 @@
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
# Raw writes to block device
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
diff --git a/public/update_engine.te b/public/update_engine.te
index 078e494..ba2f3cf 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -63,12 +63,6 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index f881aeb..68b43f0 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -24,12 +24,6 @@
# Write to kernel message.
allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
-
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/usbd.te b/public/usbd.te
index 991e7be..6f34954 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,5 +1,2 @@
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)
diff --git a/public/vold.te b/public/vold.te
index e17113d..1f274fa 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -196,16 +196,6 @@
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, exported_vold_prop)
-set_prop(vold, exported2_vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
diff --git a/public/wificond.te b/public/wificond.te
index af29511..a36afb1 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -8,10 +8,6 @@
add_service(wificond, wificond_service)
-set_prop(wificond, exported_wifi_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
@@ -33,7 +29,6 @@
#### Offer the Wifi Keystore HwBinder service ###
hwbinder_use(wificond)
-get_prop(wificond, hwservicemanager_prop)
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)