# Properties used only in /system.
# Each line declares one property type through the system_internal_prop()
# macro, which is defined outside this file.
# NOTE(review): presumably the macro tags the type with
# system_internal_property_type, which the neverallow rules in this file use to
# keep non-coredomain processes away from these properties. Confirm in the
# macro definition.
system_internal_prop(adbd_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
###
### Neverallow rules
###
treble_sysprop_neverallow(`

# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
# neverallow domain {
#   property_type
#   -system_property_type
#   -product_property_type
#   -vendor_property_type
# }:file no_rw_file_perms;

# System-owned property files are off limits to every domain outside
# coredomain, except for types marked restricted or public.
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# Setting is stricter than file access: only public system properties may be
# set from outside coredomain. Restricted types are exempt from the file rule
# above but not from this one.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
# NOTE(review): the exemption only lifts this build-time prohibition. Any
# actual access still needs a matching allow rule.
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

# Mirror of the system-side set rule: within coredomain only init may set
# vendor properties that are not public.
neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')
# Property files never need ioctl or advisory locking. A hit on this rule
# usually means a policy granted r_file_perms directly where it should have
# used the get_prop() macro.
neverallow domain property_type:file {
  ioctl
  lock
};
# Catch-all for core properties: no source type at all may be granted the
# no_rw_file_perms permissions on a core_property_type file, unless the type is
# one of the exceptions subtracted below.
# NOTE(review): every type added to the exception list widens what allow rules
# elsewhere are permitted to grant, so additions here deserve a close look.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -default_prop
  -dhcp_prop
  -dumpstate_prop
  -ffs_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -system_radio_prop
  -vold_prop
}:file no_rw_file_perms;
# ctl_sigstop_prop is a debugging aid. Its intended setter is su, which is
# permissive on userdebug/eng builds. In enforcing policy only init and
# vendor_init are exempt from this prohibition.
neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set;
# Silence denials from the legacy ctl. property check on these types so that
# only the newer permission check shows up in the audit log.
# NOTE(review): dontaudit hides the denial, it does not grant access. When
# triaging a failed ctl. request, look for the denial logged by the newer check.
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;
# init_svc_debug_prop may be set by init only.
neverallow { domain -init } init_svc_debug_prop:property_service set;

# File access to init_svc_debug_prop is limited to init and dumpstate, plus su
# on userdebug/eng builds (the userdebug_or_eng() macro adds the -su exemption
# only there).
neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;
compatible_property_only(`
# Prevent properties from being set
# Comments inside this macro argument avoid quote characters because the whole
# body is one m4 quoted string.

  # Broad rule: outside coredomain, appdomain and vendor_init, nothing may set
  # core, extended-core or the listed exported properties. nfc_prop and
  # radio_prop are carved out here and get narrower rules further down.
  # NOTE(review): powerctl_prop is carved out too but has no dedicated rule in
  # this block. Presumably it is constrained elsewhere. Confirm.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_ffs_prop
    exported_fingerprint_prop
    exported_system_prop
    exported_system_radio_prop
    exported2_default_prop
    exported2_system_prop
    exported3_default_prop
    exported3_system_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  # NFC: the NFC HAL server is the only additional setter.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } { nfc_prop }:property_service set;

  # Telephony, exported variants that vendor_init may also set.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    exported_radio_prop
    exported3_radio_prop
  }:property_service set;

  # Telephony, variants that vendor_init may not set.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    exported2_radio_prop
    radio_prop
  }:property_service set;

  # Bluetooth: the bluetooth domain and its HAL server only.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } { bluetooth_prop }:property_service set;

  # Exported Bluetooth properties additionally admit vendor_init.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } { exported_bluetooth_prop }:property_service set;

  # Camera: camera HAL server, cameraserver and vendor_init.
  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } { exported_camera_prop }:property_service set;

  # Wi-Fi: Wi-Fi HAL server and wificond only.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } { wifi_prop }:property_service set;

  # Exported Wi-Fi properties additionally admit vendor_init.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
    -vendor_init
  } { exported_wifi_prop }:property_service set;

# Prevent properties from being read

  # Broad rule for file access. debug_prop and logd_prop are exempt here in
  # addition to the three types exempt from the broad set rule above.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop
    extended_core_property_type
    exported_ffs_prop
    exported_system_radio_prop
    exported2_system_prop
    exported3_default_prop
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  # Per-subsystem file rules. The exempt domains match the corresponding set
  # rules for the same property types.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } { nfc_prop }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } { radio_prop }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } { bluetooth_prop }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } { wifi_prop }:file no_rw_file_perms;
')
compatible_property_only(`
  # Neverallow coredomain to set vendor properties.
  # Vendor here means any property_type that is neither a system property type
  # nor an extended core property type. init is exempt, and so is every domain
  # carrying the system_writes_vendor_properties_violators attribute.
  # NOTE(review): that attribute is a standing exemption. Keep the list of
  # domains that carry it short and reviewed.
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')
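# Per-property setter allowlists.
#
# NOTE(review): each source set below originally listed only subtractions
# (-init, -system_server, ...). Every other neverallow in this file starts from
# a positive base (domain, coredomain or *). With no base there is nothing to
# subtract from, so the rule appears to match no source type and would never
# fire. domain is added as the base so that each rule constrains every domain
# except the ones listed. If the build now reports a violation, that is a
# setter the rule was always meant to forbid.

# Only allow init and system_server to set userspace_reboot_log_prop
neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

# Only allow init and system_server to set system_adbd_prop
neverallow {
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

# Only allow init and adbd to set adbd_prop
neverallow {
  domain
  -init
  -adbd
} {
  adbd_prop
}:property_service set;

# Only allow init and shell to set userspace_reboot_test_prop
neverallow {
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

# Only allow init, system_server and vendor_init to set surfaceflinger_color_prop
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;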