Blame - microdroid/system/private/property.te - android_system_sepolicy

blob: 30773018ffa869ab7d4666743118d888f20c116e [file] [log] [blame]

Victor Hsieh	a62b3ff	2022-05-02 09:47:11 -0700	[diff] [blame]	1	system_restricted_prop(boot_status_prop)
				2
Victor Hsieh	b415c73	2021-12-14 11:06:23 -0800	[diff] [blame]	3	# Declare ART properties for CompOS
				4	system_public_prop(dalvik_config_prop)
Jiakai Zhang	22fb5c7	2023-03-30 15:50:05 +0100	[diff] [blame^]	5	system_public_prop(dalvik_dynamic_config_prop)
Victor Hsieh	b415c73	2021-12-14 11:06:23 -0800	[diff] [blame]	6	system_restricted_prop(device_config_runtime_native_prop)
Victor Hsieh	3423bc4	2022-05-10 16:14:30 -0700	[diff] [blame]	7	system_restricted_prop(device_config_runtime_native_boot_prop)
Victor Hsieh	b415c73	2021-12-14 11:06:23 -0800	[diff] [blame]	8
Inseob Kim	5ee61a7	2021-09-17 19:31:45 +0900	[diff] [blame]	9	# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
				10	# in the audit log
				11	dontaudit domain {
				12	ctl_console_prop
				13	ctl_default_prop
				14	ctl_fuse_prop
				15	}:property_service set;
				16
Inseob Kim	e138997	2021-07-19 07:48:34 +0000	[diff] [blame]	17	###
				18	### Neverallow rules
				19	###
				20
Jiyong Park	27bb6c6	2021-09-06 15:39:31 +0900	[diff] [blame]	21	# microdroid_manager_roothash_prop can only be set by microdroid_manager
				22	# and read by apkdmverity
				23	neverallow {
				24	domain
				25	-init
				26	-microdroid_manager
				27	} microdroid_manager_roothash_prop:property_service set;
				28
				29	neverallow {
				30	domain
				31	-init
				32	-microdroid_manager
				33	-apkdmverity
				34	} microdroid_manager_roothash_prop:file no_rw_file_perms;
Richard Fung	0c7c267	2021-11-08 20:09:54 +0000	[diff] [blame]	35
				36	# apexd_payload_metadata_prop can only set by init
				37	neverallow {
				38	domain
				39	-init
				40	} apexd_payload_metadata_prop:property_service set;
Nikita Ioffe	1cf4d77	2022-11-27 01:11:39 +0000	[diff] [blame]	41
				42	# Only microdroid_manager and init can set the microdroid_config_prop sysprops
				43	neverallow {
				44	domain
				45	-init
				46	-microdroid_manager
Shikha Panwar	e1578a5	2022-11-30 11:22:10 +0000	[diff] [blame]	47	} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
Nikita Ioffe	1cf4d77	2022-11-27 01:11:39 +0000	[diff] [blame]	48
				49	neverallow {
				50	domain
				51	-init
				52	-microdroid_manager
Shikha Panwar	cf5d505	2023-02-03 18:43:02 +0000	[diff] [blame]	53	} {microdroid_lifecycle_prop}:file no_rw_file_perms;
				54
				55	neverallow {
				56	domain
				57	-init
				58	-microdroid_manager
				59	-crash_dump
				60	} {microdroid_config_prop}:file no_rw_file_perms;