Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4183cbb63c7387f5458876ec23ce674b1d3d2384 / . / private / property.te
blob: 90cfad2fe3f6b15ae7f5a295ae5ac51ed5ac7e56 [file] [log] [blame]
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]1# Properties used only in /system
2system_internal_prop(adbd_prop)
Richard Fung0c7c2672021-11-08 20:09:54 +0000[diff] [blame]3system_internal_prop(apexd_payload_metadata_prop)
David Anderson09bb9442020-11-13 00:45:59 -0800[diff] [blame]4system_internal_prop(ctl_snapuserd_prop)
Dennis Shendf3a1682023-08-16 19:10:13 +0000[diff] [blame]5system_internal_prop(device_config_aconfig_flags_prop)
Dennis Shen3b8c57f2023-07-25 20:15:02 +0000[diff] [blame]6system_internal_prop(device_config_core_experiments_team_internal_prop)
Suren Baghdasaryan592e06c2021-08-04 12:31:43 -0700[diff] [blame]7system_internal_prop(device_config_lmkd_native_prop)
Kalesh Singh9e257142022-04-06 14:31:26 -0700[diff] [blame]8system_internal_prop(device_config_mglru_native_prop)
Yi Kong0ac00722020-10-27 02:29:52 +0800[diff] [blame]9system_internal_prop(device_config_profcollect_native_boot_prop)
Vikram Gaure1c49f52022-09-29 21:20:22 +0000[diff] [blame]10system_internal_prop(device_config_remote_key_provisioning_native_prop)
Tej Singhdd0988f2020-11-17 19:26:23 -0800[diff] [blame]11system_internal_prop(device_config_statsd_native_prop)
12system_internal_prop(device_config_statsd_native_boot_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]13system_internal_prop(device_config_storage_native_boot_prop)
14system_internal_prop(device_config_sys_traced_prop)
15system_internal_prop(device_config_window_manager_native_boot_prop)
16system_internal_prop(device_config_configuration_prop)
Xiao Ma2d6c9f02021-02-02 10:27:38 +0000[diff] [blame]17system_internal_prop(device_config_connectivity_prop)
Nick Chalko81a4dd42021-02-11 09:12:51 -0800[diff] [blame]18system_internal_prop(device_config_swcodec_native_prop)
Alexander Potapenko0a64d102022-01-28 19:48:27 +0100[diff] [blame]19system_internal_prop(dmesgd_start_prop)
Hongguang Chen91a5f4e2020-04-23 23:43:13 -0700[diff] [blame]20system_internal_prop(fastbootd_protocol_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]21system_internal_prop(gsid_prop)
22system_internal_prop(init_perf_lsm_hooks_prop)
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]23system_internal_prop(init_service_status_private_prop)
Suren Baghdasaryan9fdb2982022-09-07 13:13:47 -0700[diff] [blame]24system_internal_prop(init_storage_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]25system_internal_prop(init_svc_debug_prop)
Hasini Gunasinghe4fa6b1a2021-07-02 23:14:50 +0000[diff] [blame]26system_internal_prop(keystore_crash_prop)
Paul Crowleyb0c55712021-02-23 08:40:05 -0800[diff] [blame]27system_internal_prop(keystore_listen_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]28system_internal_prop(last_boot_reason_prop)
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]29system_internal_prop(localization_prop)
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame]30system_internal_prop(lower_kptr_restrict_prop)
Lorenzo Colitti082ebd22021-03-10 14:45:07 +0900[diff] [blame]31system_internal_prop(net_464xlat_fromvendor_prop)
Lorenzo Colitti26d3d4a2021-03-10 15:31:36 +0900[diff] [blame]32system_internal_prop(net_connectivity_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]33system_internal_prop(netd_stable_secret_prop)
Martijn Coenenf2e4ee62021-03-16 08:34:30 +0100[diff] [blame]34system_internal_prop(odsign_prop)
Michael Rosenfeld3ccbebb2021-02-10 18:45:35 -0800[diff] [blame]35system_internal_prop(perf_drop_caches_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]36system_internal_prop(pm_prop)
Yi Kong9b658452021-03-22 22:02:22 +0800[diff] [blame]37system_internal_prop(profcollectd_node_id_prop)
Nazaninb373dd02021-04-29 21:52:42 -0700[diff] [blame]38system_internal_prop(radio_cdma_ecm_prop)
Andrew Sculledba76d2022-10-31 18:27:29 +0000[diff] [blame]39system_internal_prop(remote_prov_prop)
JW Wang0f8cf042021-02-24 14:29:06 +0800[diff] [blame]40system_internal_prop(rollback_test_prop)
Inseob Kimd5a04482020-11-05 22:17:26 +0900[diff] [blame]41system_internal_prop(setupwizard_prop)
David Andersonbf5b6ce2021-07-26 15:03:11 -0700[diff] [blame]42system_internal_prop(snapuserd_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]43system_internal_prop(system_adbd_prop)
Neil Fullerbbb00fa2022-09-23 14:10:35 +0100[diff] [blame]44system_internal_prop(timezone_metadata_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]45system_internal_prop(traced_perf_enabled_prop)
Hongguang95155592022-08-09 14:57:02 -0700[diff] [blame]46system_internal_prop(tuner_server_ctl_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]47system_internal_prop(userspace_reboot_log_prop)
48system_internal_prop(userspace_reboot_test_prop)
Inseob Kimd5a04482020-11-05 22:17:26 +0900[diff] [blame]49system_internal_prop(verity_status_prop)
50system_internal_prop(zygote_wrap_prop)
hkuangde370e52021-05-14 12:52:54 -0700[diff] [blame]51system_internal_prop(ctl_mediatranscoding_prop)
Martijn Coenen5f21a0f2021-07-27 13:47:42 +0200[diff] [blame]52system_internal_prop(ctl_odsign_prop)
Jiyong Parkb804de22021-09-16 21:06:20 +0900[diff] [blame]53system_internal_prop(virtualizationservice_prop)
Jooyung Hanccfb0ef2022-07-07 15:42:39 +0900[diff] [blame]54system_internal_prop(ctl_apex_load_prop)
Pawan Wagh60cc0b32023-08-29 00:09:29 +0000[diff] [blame]55system_internal_prop(enable_16k_pages_prop)
Pontus Lidman0af0e712023-07-20 19:09:48 +0000[diff] [blame]56system_internal_prop(sensors_config_prop)
Jaewan Kim4183cbb2023-08-31 07:58:08 +0000[diff] [blame^]57system_internal_prop(hypervisor_pvmfw_prop)
58system_internal_prop(hypervisor_virtualizationmanager_prop)
Pontus Lidman0af0e712023-07-20 19:09:48 +0000[diff] [blame]59
Andrew Scullaedd65a2021-10-08 12:13:46 +0000[diff] [blame]60# Properties which can't be written outside system
61system_restricted_prop(device_config_virtualization_framework_native_prop)
Jiyong Parkc4f84bc2022-09-18 23:09:53 +0900[diff] [blame]62system_restricted_prop(log_file_logger_prop)
Alexander Roederer829d9742023-03-23 02:19:22 +0000[diff] [blame]63system_restricted_prop(persist_sysui_builder_extras_prop)
Alexander Roederer584a8622023-05-31 21:25:50 +0000[diff] [blame]64system_restricted_prop(persist_sysui_ranking_update_prop)
Andrew Scullaedd65a2021-10-08 12:13:46 +0000[diff] [blame]65
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]66###
67### Neverallow rules
68###
69
70treble_sysprop_neverallow(`
71
Inseob Kimafc09932020-09-28 13:32:43 +0900[diff] [blame]72enforce_sysprop_owner(`
73 neverallow domain {
74 property_type
75 -system_property_type
76 -product_property_type
77 -vendor_property_type
78 }:file no_rw_file_perms;
79')
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]80
81neverallow { domain -coredomain } {
82 system_property_type
83 system_internal_property_type
84 -system_restricted_property_type
85 -system_public_property_type
86}:file no_rw_file_perms;
87
88neverallow { domain -coredomain } {
89 system_property_type
90 -system_public_property_type
91}:property_service set;
92
93# init is in coredomain, but should be able to read/write all props.
94# dumpstate is also in coredomain, but should be able to read all props.
95neverallow { coredomain -init -dumpstate } {
96 vendor_property_type
97 vendor_internal_property_type
98 -vendor_restricted_property_type
99 -vendor_public_property_type
100}:file no_rw_file_perms;
101
102neverallow { coredomain -init } {
103 vendor_property_type
104 -vendor_public_property_type
105}:property_service set;
106
107')
108
109# There is no need to perform ioctl or advisory locking operations on
110# property files. If this neverallow is being triggered, it is
111# likely that the policy is using r_file_perms directly instead of
112# the get_prop() macro.
113neverallow domain property_type:file { ioctl lock };
114
115neverallow * {
116 core_property_type
117 -audio_prop
118 -config_prop
119 -cppreopt_prop
120 -dalvik_prop
121 -debuggerd_prop
122 -debug_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]123 -dhcp_prop
124 -dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]125 -fingerprint_prop
126 -logd_prop
127 -net_radio_prop
128 -nfc_prop
129 -ota_prop
130 -pan_result_prop
131 -persist_debug_prop
132 -powerctl_prop
133 -radio_prop
134 -restorecon_prop
135 -shell_prop
136 -system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]137 -usb_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]138 -vold_prop
139}:file no_rw_file_perms;
140
141# sigstop property is only used for debugging; should only be set by su which is permissive
142# for userdebug/eng
143neverallow {
144 domain
145 -init
146 -vendor_init
147} ctl_sigstop_prop:property_service set;
148
149# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
150# in the audit log
151dontaudit domain {
152 ctl_bootanim_prop
153 ctl_bugreport_prop
154 ctl_console_prop
155 ctl_default_prop
156 ctl_dumpstate_prop
157 ctl_fuse_prop
158 ctl_mdnsd_prop
159 ctl_rildaemon_prop
160}:property_service set;
161
162neverallow {
163 domain
164 -init
Suren Baghdasaryan9fdb2982022-09-07 13:13:47 -0700[diff] [blame]165 -extra_free_kbytes
166} init_storage_prop:property_service set;
167
168neverallow {
169 domain
170 -init
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]171} init_svc_debug_prop:property_service set;
172
173neverallow {
174 domain
175 -init
176 -dumpstate
177 userdebug_or_eng(`-su')
178} init_svc_debug_prop:file no_rw_file_perms;
179
180compatible_property_only(`
181# Prevent properties from being set
182 neverallow {
183 domain
184 -coredomain
185 -appdomain
186 -vendor_init
187 } {
188 core_property_type
189 extended_core_property_type
190 exported_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]191 exported_default_prop
192 exported_dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]193 exported_system_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]194 exported3_system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]195 usb_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]196 -nfc_prop
197 -powerctl_prop
198 -radio_prop
199 }:property_service set;
200
201 neverallow {
202 domain
203 -coredomain
204 -appdomain
205 -hal_nfc_server
206 } {
207 nfc_prop
208 }:property_service set;
209
210 neverallow {
211 domain
212 -coredomain
213 -appdomain
214 -hal_telephony_server
215 -vendor_init
216 } {
Inseob Kimacd02fc2020-07-28 15:17:24 +0900[diff] [blame]217 radio_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]218 }:property_service set;
219
220 neverallow {
221 domain
222 -coredomain
223 -appdomain
224 -hal_telephony_server
225 } {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]226 radio_prop
227 }:property_service set;
228
229 neverallow {
230 domain
231 -coredomain
232 -bluetooth
233 -hal_bluetooth_server
234 } {
235 bluetooth_prop
236 }:property_service set;
237
238 neverallow {
239 domain
240 -coredomain
241 -bluetooth
242 -hal_bluetooth_server
243 -vendor_init
244 } {
245 exported_bluetooth_prop
246 }:property_service set;
247
248 neverallow {
249 domain
250 -coredomain
251 -hal_camera_server
252 -cameraserver
253 -vendor_init
254 } {
255 exported_camera_prop
256 }:property_service set;
257
258 neverallow {
259 domain
260 -coredomain
261 -hal_wifi_server
262 -wificond
263 } {
264 wifi_prop
265 }:property_service set;
266
267 neverallow {
268 domain
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]269 -init
270 -dumpstate
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]271 -hal_wifi_server
272 -wificond
273 -vendor_init
274 } {
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]275 wifi_hal_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]276 }:property_service set;
277
278# Prevent properties from being read
279 neverallow {
280 domain
281 -coredomain
282 -appdomain
283 -vendor_init
284 } {
285 core_property_type
Jiakai Zhang22fb5c72023-03-30 15:50:05 +0100[diff] [blame]286 dalvik_config_prop_type
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]287 extended_core_property_type
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]288 exported3_system_prop
Inseob Kimfd2d6ec2020-04-01 10:01:16 +0900[diff] [blame]289 systemsound_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]290 -debug_prop
291 -logd_prop
292 -nfc_prop
293 -powerctl_prop
294 -radio_prop
295 }:file no_rw_file_perms;
296
297 neverallow {
298 domain
299 -coredomain
300 -appdomain
301 -hal_nfc_server
302 } {
303 nfc_prop
304 }:file no_rw_file_perms;
305
306 neverallow {
307 domain
308 -coredomain
309 -appdomain
310 -hal_telephony_server
311 } {
312 radio_prop
313 }:file no_rw_file_perms;
314
315 neverallow {
316 domain
317 -coredomain
318 -bluetooth
319 -hal_bluetooth_server
320 } {
321 bluetooth_prop
322 }:file no_rw_file_perms;
323
324 neverallow {
325 domain
326 -coredomain
327 -hal_wifi_server
328 -wificond
329 } {
330 wifi_prop
331 }:file no_rw_file_perms;
Benjamin Schwartz3e4d97b2020-10-30 13:55:21 -0700[diff] [blame]332
333 neverallow {
334 domain
Benjamin Schwartzc171a1d2021-04-20 09:13:02 -0700[diff] [blame]335 -coredomain
336 -vendor_init
Benjamin Schwartz3e4d97b2020-10-30 13:55:21 -0700[diff] [blame]337 } {
338 suspend_prop
339 }:property_service set;
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]340')
341
342compatible_property_only(`
343 # Neverallow coredomain to set vendor properties
344 neverallow {
345 coredomain
346 -init
347 -system_writes_vendor_properties_violators
348 } {
349 property_type
350 -system_property_type
351 -extended_core_property_type
352 }:property_service set;
353')
354
355neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]356 domain
Inseob Kimbfb37082020-04-27 23:49:15 +0900[diff] [blame]357 -coredomain
358 -vendor_init
359} {
360 ffs_config_prop
361 ffs_control_prop
362}:file no_rw_file_perms;
363
364neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]365 domain
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]366 -init
367 -system_server
368} {
369 userspace_reboot_log_prop
370}:property_service set;
371
372neverallow {
373 # Only allow init and system_server to set system_adbd_prop
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]374 domain
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]375 -init
376 -system_server
377} {
378 system_adbd_prop
379}:property_service set;
380
Josh Gao0cac6fd2020-10-28 13:56:23 -0700[diff] [blame]381# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
382neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]383 domain
Josh Gao0cac6fd2020-10-28 13:56:23 -0700[diff] [blame]384 -init
385 -vendor_init
386 -adbd
387 -system_server
388} {
389 adbd_config_prop
390}:property_service set;
391
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]392neverallow {
393 # Only allow init and adbd to set adbd_prop
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]394 domain
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]395 -init
396 -adbd
397} {
398 adbd_prop
399}:property_service set;
400
401neverallow {
Richard Fung0c7c2672021-11-08 20:09:54 +0000[diff] [blame]402 # Only allow init to set apexd_payload_metadata_prop
403 domain
404 -init
405} {
406 apexd_payload_metadata_prop
407}:property_service set;
408
409
410neverallow {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]411 # Only allow init and shell to set userspace_reboot_test_prop
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]412 domain
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]413 -init
414 -shell
415} {
416 userspace_reboot_test_prop
417}:property_service set;
Inseob Kim721d9212020-04-24 21:25:17 +0900[diff] [blame]418
419neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]420 domain
Inseob Kim721d9212020-04-24 21:25:17 +0900[diff] [blame]421 -init
422 -system_server
423 -vendor_init
424} {
425 surfaceflinger_color_prop
426}:property_service set;
Inseob Kim9add20f2020-05-06 22:20:35 +0900[diff] [blame]427
428neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]429 domain
Inseob Kim9add20f2020-05-06 22:20:35 +0900[diff] [blame]430 -init
431} {
432 libc_debug_prop
433}:property_service set;
Inseob Kim36aeb162020-05-08 20:42:25 +0900[diff] [blame]434
Mitch Phillips8cd32cd2022-03-22 15:59:57 -0700[diff] [blame]435# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
436# shell access can control the settings on their device. Allow system apps to
437# set MTE props, so Developer Options can set them.
Mitch Phillipseaf14042020-12-03 17:23:06 -0800[diff] [blame]438neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]439 domain
Mitch Phillipseaf14042020-12-03 17:23:06 -0800[diff] [blame]440 -init
441 -shell
Florian Mayer39f29f72021-12-21 12:06:31 -0800[diff] [blame]442 -system_app
Florian Mayer152f8322022-12-16 16:50:13 -0800[diff] [blame]443 -system_server
Florian Mayer51382a32022-09-21 14:53:48 -0700[diff] [blame]444 -mtectrl
Mitch Phillipseaf14042020-12-03 17:23:06 -0800[diff] [blame]445} {
446 arm64_memtag_prop
Mitch Phillips8cd32cd2022-03-22 15:59:57 -0700[diff] [blame]447 gwp_asan_prop
Mitch Phillipseaf14042020-12-03 17:23:06 -0800[diff] [blame]448}:property_service set;
449
Inseob Kim36aeb162020-05-08 20:42:25 +0900[diff] [blame]450neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]451 domain
Inseob Kim36aeb162020-05-08 20:42:25 +0900[diff] [blame]452 -init
453 -system_server
454 -vendor_init
455} zram_control_prop:property_service set;
Inseob Kim1337e152020-05-12 22:51:48 +0900[diff] [blame]456
457neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]458 domain
Inseob Kim1337e152020-05-12 22:51:48 +0900[diff] [blame]459 -init
460 -system_server
461 -vendor_init
462} dalvik_runtime_prop:property_service set;
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]463
464neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]465 domain
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]466 -coredomain
467 -vendor_init
468} {
469 usb_config_prop
470 usb_control_prop
471}:property_service set;
Inseob Kim3b82aec2020-05-14 01:38:40 +0900[diff] [blame]472
473neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]474 domain
Inseob Kim3b82aec2020-05-14 01:38:40 +0900[diff] [blame]475 -init
476 -system_server
477} {
478 provisioned_prop
479 retaildemo_prop
480}:property_service set;
481
482neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]483 domain
Inseob Kim3b82aec2020-05-14 01:38:40 +0900[diff] [blame]484 -coredomain
485 -vendor_init
486} {
487 provisioned_prop
488 retaildemo_prop
489}:file no_rw_file_perms;
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]490
491neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]492 domain
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]493 -init
494} {
495 init_service_status_private_prop
496 init_service_status_prop
497}:property_service set;
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]498
499neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]500 domain
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]501 -init
502 -radio
503 -appdomain
504 -hal_telephony_server
Inseob Kim285da2f2020-06-04 20:29:43 +0900[diff] [blame]505 not_compatible_property(`-vendor_init')
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]506} telephony_status_prop:property_service set;
Peiyong Lin37dea072020-06-03 12:20:41 -0700[diff] [blame]507
508neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]509 domain
Peiyong Lin37dea072020-06-03 12:20:41 -0700[diff] [blame]510 -init
511 -vendor_init
512} {
513 graphics_config_prop
514}:property_service set;
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]515
516neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]517 domain
Amy Hsu0f352fb2020-06-15 17:04:12 +0800[diff] [blame]518 -init
Midas Chien0d0391f2020-06-17 22:13:21 +0800[diff] [blame]519 -surfaceflinger
Amy Hsu0f352fb2020-06-15 17:04:12 +0800[diff] [blame]520} {
521 surfaceflinger_display_prop
522}:property_service set;
523
Inseob Kim072b0142020-06-16 20:00:41 +0900[diff] [blame]524neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]525 domain
Inseob Kim5eacf722020-07-01 01:27:49 +0900[diff] [blame]526 -coredomain
527 -appdomain
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]528 -vendor_init
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]529} packagemanager_config_prop:file no_rw_file_perms;
Inseob Kim04f435c2020-07-07 12:46:24 +0900[diff] [blame]530
531neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]532 domain
Inseob Kim04f435c2020-07-07 12:46:24 +0900[diff] [blame]533 -coredomain
534 -vendor_init
535} keyguard_config_prop:file no_rw_file_perms;
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]536
537neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]538 domain
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]539 -init
540} {
541 localization_prop
542}:property_service set;
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]543
544neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]545 domain
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]546 -init
547 -vendor_init
548 -dumpstate
549 -system_app
550} oem_unlock_prop:file no_rw_file_perms;
551
552neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]553 domain
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]554 -coredomain
555 -vendor_init
556} storagemanager_config_prop:file no_rw_file_perms;
557
558neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]559 domain
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]560 -init
561 -vendor_init
562 -dumpstate
563 -appdomain
564} sendbug_config_prop:file no_rw_file_perms;
Inseob Kimc97a97c2020-07-20 20:26:07 +0900[diff] [blame]565
566neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]567 domain
Inseob Kimc97a97c2020-07-20 20:26:07 +0900[diff] [blame]568 -init
569 -vendor_init
570 -dumpstate
571 -appdomain
572} camera_calibration_prop:file no_rw_file_perms;
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]573
574neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]575 domain
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]576 -init
577 -dumpstate
Jeff Vander Stoep684d25b2020-08-25 11:41:00 +0200[diff] [blame]578 -hal_dumpstate_server
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]579 not_compatible_property(`-vendor_init')
580} hal_dumpstate_config_prop:file no_rw_file_perms;
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame]581
582neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]583 domain
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame]584 -init
Yabin Cuibd4c9e82021-03-18 11:15:36 -0700[diff] [blame]585 userdebug_or_eng(`-profcollectd')
Yabin Cuif17fb422021-11-24 14:06:07 -0800[diff] [blame]586 userdebug_or_eng(`-simpleperf_boot')
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame]587 userdebug_or_eng(`-traced_probes')
Florian Mayer167407d2020-11-11 11:01:36 +0000[diff] [blame]588 userdebug_or_eng(`-traced_perf')
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame]589} {
590 lower_kptr_restrict_prop
591}:property_service set;
Janis Danisevskis202e8632020-10-23 11:16:34 -0700[diff] [blame]592
Inseob Kimd5a04482020-11-05 22:17:26 +0900[diff] [blame]593neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]594 domain
Inseob Kimd5a04482020-11-05 22:17:26 +0900[diff] [blame]595 -init
596} zygote_wrap_prop:property_service set;
597
598neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]599 domain
Inseob Kimd5a04482020-11-05 22:17:26 +0900[diff] [blame]600 -init
601} verity_status_prop:property_service set;
602
603neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]604 domain
Inseob Kimd5a04482020-11-05 22:17:26 +0900[diff] [blame]605 -init
606} setupwizard_prop:property_service set;
Inseob Kim99855662020-11-12 22:21:51 +0900[diff] [blame]607
608# ro.product.property_source_order is useless after initialization of ro.product.* props.
609# So making it accessible only from init and vendor_init.
610neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]611 domain
Inseob Kim99855662020-11-12 22:21:51 +0900[diff] [blame]612 -init
613 -dumpstate
614 -vendor_init
615} build_config_prop:file no_rw_file_perms;
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900[diff] [blame]616
617neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]618 domain
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900[diff] [blame]619 -init
620 -shell
621} sqlite_log_prop:property_service set;
622
623neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]624 domain
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900[diff] [blame]625 -coredomain
626 -appdomain
627} sqlite_log_prop:file no_rw_file_perms;
Inseob Kim4c110ff2020-11-26 21:50:23 +0900[diff] [blame]628
Inseob Kim5c011e52021-01-14 04:08:16 +0000[diff] [blame]629neverallow {
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]630 domain
Inseob Kim5c011e52021-01-14 04:08:16 +0000[diff] [blame]631 -init
632} default_prop:property_service set;
633
Inseob Kim4c110ff2020-11-26 21:50:23 +0900[diff] [blame]634# Only one of system_property_type and vendor_property_type can be assigned.
635# Property types having both attributes won't be accessible from anywhere.
636neverallow domain system_and_vendor_property_type:{file property_service} *;
JW Wang0f8cf042021-02-24 14:29:06 +0800[diff] [blame]637
638neverallow {
Seth Moore8bfdd822022-04-20 10:10:49 -0700[diff] [blame]639 domain
640 -init
Seth Moored3bd6862023-02-24 11:50:51 -0800[diff] [blame]641 -shell
Vikram Gaur01390082023-03-16 01:41:29 +0000[diff] [blame]642 -rkpdapp
Seth Moore8bfdd822022-04-20 10:10:49 -0700[diff] [blame]643} remote_prov_prop:property_service set;
644
645neverallow {
JW Wang0f8cf042021-02-24 14:29:06 +0800[diff] [blame]646 # Only allow init and shell to set rollback_test_prop
Inseob Kim85acf6e2021-03-10 10:42:23 +0900[diff] [blame]647 domain
JW Wang0f8cf042021-02-24 14:29:06 +0800[diff] [blame]648 -init
649 -shell
650} rollback_test_prop:property_service set;
Yi Kong9b658452021-03-22 22:02:22 +0800[diff] [blame]651
652neverallow {
Jooyung Hanccfb0ef2022-07-07 15:42:39 +0900[diff] [blame]653 domain
654 -init
Jooyung Hanccfb0ef2022-07-07 15:42:39 +0900[diff] [blame]655 -apexd
656} ctl_apex_load_prop:property_service set;
657
658neverallow {
659 domain
660 -coredomain
661 -init
662 -dumpstate
663 -apexd
Deyao Ren3fab00f2022-08-30 19:14:51 +0000[diff] [blame]664} ctl_apex_load_prop:file no_rw_file_perms;
Jooyung Hanccfb0ef2022-07-07 15:42:39 +0900[diff] [blame]665
666neverallow {
Deyao Ren7848d3a2022-09-01 22:20:10 +0000[diff] [blame]667 domain
668 -init
669 -apexd
670} apex_ready_prop:property_service set;
671
672neverallow {
673 domain
674 -coredomain
675 -dumpstate
676 -apexd
Jooyung Hancae23682022-09-02 16:26:27 +0900[diff] [blame]677 -vendor_init
Deyao Ren7848d3a2022-09-01 22:20:10 +0000[diff] [blame]678} apex_ready_prop:file no_rw_file_perms;
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]679
680neverallow {
681 # Only allow init and profcollectd to access profcollectd_node_id_prop
682 domain
683 -init
684 -dumpstate
685 -profcollectd
686} profcollectd_node_id_prop:file r_file_perms;
687
Jiyong Parkc4f84bc2022-09-18 23:09:53 +0900[diff] [blame]688neverallow {
689 domain
690 -init
691} log_file_logger_prop:property_service set;
Avichal Rakesha12d3102023-01-23 23:46:42 -0800[diff] [blame]692
693neverallow {
694 domain
695 -init
696 -vendor_init
697} usb_uvc_enabled_prop:property_service set;
Avichal Rakeshe2cb0f22023-02-01 15:56:40 -0800[diff] [blame]698
699# Disallow non system apps from reading ro.usb.uvc.enabled
700neverallow {
701 appdomain
702 -system_app
703 -device_as_webcam
704} usb_uvc_enabled_prop:file no_rw_file_perms;