Move system property rules to private

The public/private property split has landed to selectively export public types to
vendors, so rules that only apply within the system partition should live in private.
This introduces private/property.te and moves all allow and neverallow rules
from coredomains to system-defined properties out of public/ and into private/.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
diff --git a/private/adbd.te b/private/adbd.te
index 89fa1f9..f7504df 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -90,6 +90,9 @@
 # Set service.adb.tls.port, persist.adb.wifi. properties
 set_prop(adbd, adbd_prop)
 
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
+
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
 
diff --git a/private/apexd.te b/private/apexd.te
index 9e702dd..c03790c 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -155,3 +155,7 @@
 
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+neverallow { domain -apexd -init } apexd_prop:property_service set;
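Review bot: The comment `# only apexd can set apexd sysprop` above the new rules understates the neverallow under it, which also exempts init; a reader checking the policy against the comment would flag init's write as a violation. Suggest `# only apexd (and init) can set apexd sysprop`. This file also carves out the same kind of rule in the style `domain -apexd -init`, while the new private/property.te in this change writes `{ -init -adbd }` for adbd_prop; picking one form for both would make the neverallow set easier to audit.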
diff --git a/private/asan_extract.te b/private/asan_extract.te
index 1c20d78..69bcd50 100644
--- a/private/asan_extract.te
+++ b/private/asan_extract.te
@@ -3,6 +3,9 @@
 # Technically not a daemon but we do want the transition from init domain to
 # asan_extract to occur.
 with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
+  typeattribute asan_extract coredomain;
+  init_daemon_domain(asan_extract)
+
+  # We need to signal a reboot when done.
+  set_prop(asan_extract, powerctl_prop)
 ')
diff --git a/private/bootanim.te b/private/bootanim.te
index 20ff193..fd95e41 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -4,3 +4,6 @@
 
 # b/68864350
 dontaudit bootanim unlabeled:dir search;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
diff --git a/private/bootstat.te b/private/bootstat.te
index 806144c..da3179b 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,33 @@
 typeattribute bootstat coredomain;
 
 init_daemon_domain(bootstat)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+neverallow {
+  domain
+  -bootanim
+  -bootstat
+  -dumpstate
+  -init
+  -recovery
+  -shell
+  -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+  domain
+  -bootstat
+  -init
+  -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
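Review bot: `set_prop(bootstat, system_boot_reason_prop)` is added alongside the bootloader and last-boot-reason properties, but only the latter two get a `property_service set` neverallow; system_boot_reason_prop has no writer restriction in this hunk. If that asymmetry is deliberate (e.g. system_server also writes sys.boot.reason on shutdown, which I cannot confirm from here), a one-line comment such as `# system_boot_reason_prop is intentionally not neverallow'd: set by bootstat and system_server` would stop the next reader from "fixing" it. The comment `# ... and refine ... for a ro propertly no less ... keep this _tight_` also has a typo (`propertly` → `property`).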
diff --git a/private/charger.te b/private/charger.te
index 65109de..13d1b14 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -1 +1,10 @@
 typeattribute charger coredomain;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
+
+get_prop(charger, charger_prop)
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7..8ec9111 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -2,3 +2,6 @@
 
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
diff --git a/private/domain.te b/private/domain.te
index 3f5bbaa..adb0218 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -369,3 +369,10 @@
 # This property is being removed. Remove remaining access.
 neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
 neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
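Review bot: The comment `# Only core domains are allowed to access package_manager properties` does not match the first rule under it, which restricts `pm_prop:property_service set` to init and system_server only; only the second rule (read) is scoped to coredomain. Suggest splitting the comment: `# Only init and system_server may set pm_prop; only coredomain may read it`. Likewise `# Do not allow reading the last boot timestamp from system properties` sits above a rule on firstboot_prop that still exempts init, system_server and dumpstate; `# firstboot_prop is readable only by init, system_server and dumpstate` would state what the neverallow actually enforces.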
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 72e508e..0eff540 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -50,6 +50,17 @@
 # For comminucating with the system process to do confirmation ui.
 binder_call(dumpstate, incidentcompanion_service)
 
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
 # For dumping dynamic partition information.
 set_prop(dumpstate, lpdumpd_prop)
 binder_call(dumpstate, lpdumpd)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 29a9157..49994b7 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -1 +1,25 @@
 typeattribute fastbootd coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+  # Reboot the device
+  set_prop(fastbootd, powerctl_prop)
+
+  # Read serial number of the device from system properties
+  get_prop(fastbootd, serialno_prop)
+
+  # Set sys.usb.ffs.ready.
+  set_prop(fastbootd, ffs_prop)
+  set_prop(fastbootd, exported_ffs_prop)
+
+  userdebug_or_eng(`
+    get_prop(fastbootd, persistent_properties_ready_prop)
+  ')
+
+  set_prop(fastbootd, gsid_prop)
+
+  # Determine allocation scheme (whether B partitions needs to be
+  # at the second half of super.
+  get_prop(fastbootd, virtual_ab_prop)
+')
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index fb41aff..18dde09 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -1,3 +1,27 @@
 typeattribute flags_health_check coredomain;
 
 init_daemon_domain(flags_health_check)
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index 5e4d0a2..2fb88a3 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,6 @@
 typeattribute gatekeeperd coredomain;
 
 init_daemon_domain(gatekeeperd)
+
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
diff --git a/private/healthd.te b/private/healthd.te
index 20d0791..921d33f 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -4,3 +4,10 @@
 
 # Allow healthd to serve health HAL
 hal_server_domain(healthd, hal_health)
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 0705cc7..e1fde43 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -6,3 +6,4 @@
 add_hwservice(hwservicemanager, hidl_token_hwservice)
 
 set_prop(hwservicemanager, ctl_interface_start_prop)
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/private/lmkd.te b/private/lmkd.te
index a07ce87..7246051 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,3 +1,6 @@
 typeattribute lmkd coredomain;
 
 init_daemon_domain(lmkd)
+
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)
diff --git a/private/logd.te b/private/logd.te
index ca92e20..7112c4f 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -2,6 +2,9 @@
 
 init_daemon_domain(logd)
 
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
 neverallow logd {
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 2e654d6..7f626c4 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -5,3 +5,5 @@
 allow mediaextractor appdomain_tmpfs:file { getattr map read write };
 allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
 allow mediaextractor system_server_tmpfs:file { getattr map read write };
+
+get_prop(mediaextractor, device_config_media_native_prop)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index c55e54a..32dfc00 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -12,3 +12,5 @@
 hal_client_domain(mediaserver, hal_codec2)
 
 allow mediaserver mediatranscoding_service:service_manager find;
+
+set_prop(mediaserver, audio_prop)
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index 50f5698..cef802d 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -2,3 +2,4 @@
 
 init_daemon_domain(mediaswcodec)
 
+get_prop(mediaswcodec, device_config_media_native_prop)
diff --git a/private/netd.te b/private/netd.te
index 41473b7..27663d3 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -17,7 +17,12 @@
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow netd self:key_socket create;
 
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
 get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
 
 # Allow netd to write to statsd.
 unix_socket_send(netd, statsdw, statsd)
@@ -28,3 +33,11 @@
 # Allow netd to send dump info to dumpstate
 allow netd dumpstate:fd use;
 allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
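Review bot: The read neverallow for netd_stable_secret_prop exempts dumpstate, but the comment two lines above it says the RFC 7217 secret "should never be leaked to other processes" and "never leaks". If dumpstate's property dump is not filtered, the secret would land in bugreports, which is exactly the leak the comment rules out; I cannot confirm the filtering from this hunk. Either drop `-dumpstate` from the read rule if dumpstate does not need it, or state the reason for the carve-out: `# dumpstate is exempted because it holds a blanket property read; it must not include this property in bugreport output`.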
diff --git a/private/property.te b/private/property.te
new file mode 100644
index 0000000..be865f1
--- /dev/null
+++ b/private/property.te
@@ -0,0 +1,321 @@
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow domain {
+#   property_type
+#   -system_property_type
+#   -product_property_type
+#   -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  system_internal_property_type
+  -system_restricted_property_type
+  -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+  vendor_property_type
+  vendor_internal_property_type
+  -vendor_restricted_property_type
+  -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+  vendor_property_type
+  -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
+neverallow * {
+  core_property_type
+  -audio_prop
+  -config_prop
+  -cppreopt_prop
+  -dalvik_prop
+  -debuggerd_prop
+  -debug_prop
+  -default_prop
+  -dhcp_prop
+  -dumpstate_prop
+  -ffs_prop
+  -fingerprint_prop
+  -logd_prop
+  -net_radio_prop
+  -nfc_prop
+  -ota_prop
+  -pan_result_prop
+  -persist_debug_prop
+  -powerctl_prop
+  -radio_prop
+  -restorecon_prop
+  -shell_prop
+  -system_prop
+  -system_radio_prop
+  -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+  domain
+  -init
+  -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+  ctl_bootanim_prop
+  ctl_bugreport_prop
+  ctl_console_prop
+  ctl_default_prop
+  ctl_dumpstate_prop
+  ctl_fuse_prop
+  ctl_mdnsd_prop
+  ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+  domain
+  -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -vendor_init
+  } {
+    core_property_type
+    extended_core_property_type
+    exported_config_prop
+    exported_dalvik_prop
+    exported_default_prop
+    exported_dumpstate_prop
+    exported_ffs_prop
+    exported_fingerprint_prop
+    exported_system_prop
+    exported_system_radio_prop
+    exported_vold_prop
+    exported2_config_prop
+    exported2_default_prop
+    exported2_system_prop
+    exported2_vold_prop
+    exported3_default_prop
+    exported3_system_prop
+    -nfc_prop
+    -powerctl_prop
+    -radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_nfc_server
+  } {
+    nfc_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+    -vendor_init
+  } {
+    exported_radio_prop
+    exported3_radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+  } {
+    exported2_radio_prop
+    radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth_server
+  } {
+    bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth_server
+    -vendor_init
+  } {
+    exported_bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_camera_server
+    -cameraserver
+    -vendor_init
+  } {
+    exported_camera_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi_server
+    -wificond
+  } {
+    wifi_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi_server
+    -wificond
+    -vendor_init
+  } {
+    exported_wifi_prop
+  }:property_service set;
+
+# Prevent properties from being read
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -vendor_init
+  } {
+    core_property_type
+    extended_core_property_type
+    exported_dalvik_prop
+    exported_ffs_prop
+    exported_system_radio_prop
+    exported2_config_prop
+    exported2_system_prop
+    exported2_vold_prop
+    exported3_default_prop
+    exported3_system_prop
+    -debug_prop
+    -logd_prop
+    -nfc_prop
+    -powerctl_prop
+    -radio_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_nfc_server
+  } {
+    nfc_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+  } {
+    radio_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth_server
+  } {
+    bluetooth_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi_server
+    -wificond
+  } {
+    wifi_prop
+  }:file no_rw_file_perms;
+')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -system_property_type
+    -extended_core_property_type
+  }:property_service set;
+')
+
+neverallow {
+  -init
+  -system_server
+} {
+  userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+  # Only allow init and system_server to set system_adbd_prop
+  -init
+  -system_server
+} {
+  system_adbd_prop
+}:property_service set;
+
+neverallow {
+  # Only allow init and adbd to set adbd_prop
+  -init
+  -adbd
+} {
+  adbd_prop
+}:property_service set;
+
+neverallow {
+  # Only allow init and shell to set userspace_reboot_test_prop
+  -init
+  -shell
+} {
+  userspace_reboot_test_prop
+}:property_service set;
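Review bot: The four neverallow rules at the end of the file use a negation-only source set, `{ -init -system_server }` and `{ -init -adbd }`, while every other neverallow in this file and in the sibling .te files writes `{ domain -init ... }`; this relies on checkpolicy's implicit complement of an all-negated set, which the passing build suggests works but which most readers will not recognise. Suggest the explicit form, e.g. `neverallow { domain -init -system_server } userspace_reboot_log_prop:property_service set;`, for all four. The same inconsistency appears at `neverallow * { core_property_type ... }:file no_rw_file_perms;`, where `*` rather than `domain` is used as the source; aligning it would make the file's neverallow set greppable.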
diff --git a/private/radio.te b/private/radio.te
index 17a4fdd..9b2e9db 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -4,6 +4,16 @@
 
 read_runtime_log_tags(radio)
 
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
 # Telephony code contains time / time zone detection logic so it reads the associated properties.
 get_prop(radio, time_prop)
 
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7..eee1698 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,24 @@
 typeattribute recovery coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+  # Reboot the device
+  set_prop(recovery, powerctl_prop)
+
+  # Read serial number of the device from system properties
+  get_prop(recovery, serialno_prop)
+
+  # Set sys.usb.ffs.ready when starting minadbd for sideload.
+  set_prop(recovery, ffs_prop)
+  set_prop(recovery, exported_ffs_prop)
+
+  # Set sys.usb.config when switching into fastboot.
+  set_prop(recovery, system_radio_prop)
+  set_prop(recovery, exported_system_radio_prop)
+
+  # Read ro.boot.bootreason
+  get_prop(recovery, bootloader_boot_reason_prop)
+
+  set_prop(recovery, gsid_prop)
+')
diff --git a/private/shell.te b/private/shell.te
index 76ff073..63757eb 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,3 +1,4 @@
+
 typeattribute shell coredomain;
 
 # allow shell input injection
@@ -90,3 +91,52 @@
 # not the whole system.
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
+userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 94841df..b7e58ba 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -20,3 +20,8 @@
 unix_socket_connect(traceur_app, traced_consumer, traced)
 
 dontaudit traceur_app debugfs_tracing_debug:file audit_access;
+
+# Allow Traceur to enable traced if necessary.
+set_prop(traceur_app, traced_enabled_prop)
+
+set_prop(traceur_app, debug_prop)
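Review bot: `set_prop(traceur_app, debug_prop)` is added without a comment, unlike the traced_enabled_prop rule above it, so a reader cannot tell which debug.* property Traceur needs or whether the grant could be narrowed. Suggest a one-liner naming the property, e.g. `# Allow Traceur to set its debug.* tracing knobs (list the specific property here)`, so the scope of the grant is auditable.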
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd6773..8bcdbf9 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,7 @@
 typeattribute ueventd coredomain;
 
 tmpfs_domain(ueventd)
+
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224..1a94cd1 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,6 @@
 typeattribute uncrypt coredomain;
 
 init_daemon_domain(uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
diff --git a/private/update_engine.te b/private/update_engine.te
index e4e7009..a76ab49 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -5,3 +5,9 @@
 # Allow to talk to gsid.
 allow update_engine gsi_service:service_manager find;
 binder_call(update_engine, gsid)
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 1b934d9..5e1b27b 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,9 @@
 typeattribute update_verifier coredomain;
 
 init_daemon_domain(update_verifier)
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
diff --git a/private/usbd.te b/private/usbd.te
index 13a0ad7..42f2324 100644
--- a/private/usbd.te
+++ b/private/usbd.te
@@ -10,3 +10,6 @@
 
 # start adbd during boot if adb is enabled
 set_prop(usbd, ctl_default_prop)
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/private/vold.te b/private/vold.te
index dea24a5..19d74b1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -17,3 +17,13 @@
 # from accidentally writing when the mount point isn't present.
 type_transition vold storage_file:dir storage_stub_file;
 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
diff --git a/private/wificond.te b/private/wificond.te
index cc76447..7bffaba 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,4 +1,10 @@
 typeattribute wificond coredomain;
 
+set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+get_prop(wificond, hwservicemanager_prop)
+
 init_daemon_domain(wificond)
 hal_client_domain(wificond, hal_wifi_offload)