Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / acd02fc5e4bae95820cf3b33910e01f2ed6f900c / . / private / property.te
blob: a06879916d927e875d5cb869230165a255ef5815 [file] [log] [blame]
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]1# Properties used only in /system
2system_internal_prop(adbd_prop)
3system_internal_prop(device_config_storage_native_boot_prop)
4system_internal_prop(device_config_sys_traced_prop)
5system_internal_prop(device_config_window_manager_native_boot_prop)
6system_internal_prop(device_config_configuration_prop)
Hongguang Chen91a5f4e2020-04-23 23:43:13 -0700[diff] [blame]7system_internal_prop(fastbootd_protocol_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]8system_internal_prop(gsid_prop)
9system_internal_prop(init_perf_lsm_hooks_prop)
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]10system_internal_prop(init_service_status_private_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]11system_internal_prop(init_svc_debug_prop)
12system_internal_prop(last_boot_reason_prop)
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]13system_internal_prop(localization_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]14system_internal_prop(netd_stable_secret_prop)
15system_internal_prop(pm_prop)
16system_internal_prop(system_adbd_prop)
17system_internal_prop(traced_perf_enabled_prop)
18system_internal_prop(userspace_reboot_log_prop)
19system_internal_prop(userspace_reboot_test_prop)
20
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]21###
22### Neverallow rules
23###
24
25treble_sysprop_neverallow(`
26
27# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
28# neverallow domain {
29# property_type
30# -system_property_type
31# -product_property_type
32# -vendor_property_type
33# }:file no_rw_file_perms;
34
35neverallow { domain -coredomain } {
36 system_property_type
37 system_internal_property_type
38 -system_restricted_property_type
39 -system_public_property_type
40}:file no_rw_file_perms;
41
42neverallow { domain -coredomain } {
43 system_property_type
44 -system_public_property_type
45}:property_service set;
46
47# init is in coredomain, but should be able to read/write all props.
48# dumpstate is also in coredomain, but should be able to read all props.
49neverallow { coredomain -init -dumpstate } {
50 vendor_property_type
51 vendor_internal_property_type
52 -vendor_restricted_property_type
53 -vendor_public_property_type
54}:file no_rw_file_perms;
55
56neverallow { coredomain -init } {
57 vendor_property_type
58 -vendor_public_property_type
59}:property_service set;
60
61')
62
63# There is no need to perform ioctl or advisory locking operations on
64# property files. If this neverallow is being triggered, it is
65# likely that the policy is using r_file_perms directly instead of
66# the get_prop() macro.
67neverallow domain property_type:file { ioctl lock };
68
69neverallow * {
70 core_property_type
71 -audio_prop
72 -config_prop
73 -cppreopt_prop
74 -dalvik_prop
75 -debuggerd_prop
76 -debug_prop
77 -default_prop
78 -dhcp_prop
79 -dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]80 -fingerprint_prop
81 -logd_prop
82 -net_radio_prop
83 -nfc_prop
84 -ota_prop
85 -pan_result_prop
86 -persist_debug_prop
87 -powerctl_prop
88 -radio_prop
89 -restorecon_prop
90 -shell_prop
91 -system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]92 -usb_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]93 -vold_prop
94}:file no_rw_file_perms;
95
96# sigstop property is only used for debugging; should only be set by su which is permissive
97# for userdebug/eng
98neverallow {
99 domain
100 -init
101 -vendor_init
102} ctl_sigstop_prop:property_service set;
103
104# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
105# in the audit log
106dontaudit domain {
107 ctl_bootanim_prop
108 ctl_bugreport_prop
109 ctl_console_prop
110 ctl_default_prop
111 ctl_dumpstate_prop
112 ctl_fuse_prop
113 ctl_mdnsd_prop
114 ctl_rildaemon_prop
115}:property_service set;
116
117neverallow {
118 domain
119 -init
120} init_svc_debug_prop:property_service set;
121
122neverallow {
123 domain
124 -init
125 -dumpstate
126 userdebug_or_eng(`-su')
127} init_svc_debug_prop:file no_rw_file_perms;
128
129compatible_property_only(`
130# Prevent properties from being set
131 neverallow {
132 domain
133 -coredomain
134 -appdomain
135 -vendor_init
136 } {
137 core_property_type
138 extended_core_property_type
139 exported_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]140 exported_default_prop
141 exported_dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]142 exported_system_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]143 exported2_system_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]144 exported3_system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]145 usb_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]146 -nfc_prop
147 -powerctl_prop
148 -radio_prop
149 }:property_service set;
150
151 neverallow {
152 domain
153 -coredomain
154 -appdomain
155 -hal_nfc_server
156 } {
157 nfc_prop
158 }:property_service set;
159
160 neverallow {
161 domain
162 -coredomain
163 -appdomain
164 -hal_telephony_server
165 -vendor_init
166 } {
Inseob Kimacd02fc2020-07-28 15:17:24 +0900[diff] [blame^]167 radio_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]168 }:property_service set;
169
170 neverallow {
171 domain
172 -coredomain
173 -appdomain
174 -hal_telephony_server
175 } {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]176 radio_prop
177 }:property_service set;
178
179 neverallow {
180 domain
181 -coredomain
182 -bluetooth
183 -hal_bluetooth_server
184 } {
185 bluetooth_prop
186 }:property_service set;
187
188 neverallow {
189 domain
190 -coredomain
191 -bluetooth
192 -hal_bluetooth_server
193 -vendor_init
194 } {
195 exported_bluetooth_prop
196 }:property_service set;
197
198 neverallow {
199 domain
200 -coredomain
201 -hal_camera_server
202 -cameraserver
203 -vendor_init
204 } {
205 exported_camera_prop
206 }:property_service set;
207
208 neverallow {
209 domain
210 -coredomain
211 -hal_wifi_server
212 -wificond
213 } {
214 wifi_prop
215 }:property_service set;
216
217 neverallow {
218 domain
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]219 -init
220 -dumpstate
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]221 -hal_wifi_server
222 -wificond
223 -vendor_init
224 } {
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]225 wifi_hal_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]226 }:property_service set;
227
228# Prevent properties from being read
229 neverallow {
230 domain
231 -coredomain
232 -appdomain
233 -vendor_init
234 } {
235 core_property_type
Inseob Kimd8c39d92020-04-20 19:36:33 +0900[diff] [blame]236 dalvik_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]237 extended_core_property_type
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]238 exported2_system_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]239 exported3_system_prop
Inseob Kimfd2d6ec2020-04-01 10:01:16 +0900[diff] [blame]240 systemsound_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]241 -debug_prop
242 -logd_prop
243 -nfc_prop
244 -powerctl_prop
245 -radio_prop
246 }:file no_rw_file_perms;
247
248 neverallow {
249 domain
250 -coredomain
251 -appdomain
252 -hal_nfc_server
253 } {
254 nfc_prop
255 }:file no_rw_file_perms;
256
257 neverallow {
258 domain
259 -coredomain
260 -appdomain
261 -hal_telephony_server
262 } {
263 radio_prop
264 }:file no_rw_file_perms;
265
266 neverallow {
267 domain
268 -coredomain
269 -bluetooth
270 -hal_bluetooth_server
271 } {
272 bluetooth_prop
273 }:file no_rw_file_perms;
274
275 neverallow {
276 domain
277 -coredomain
278 -hal_wifi_server
279 -wificond
280 } {
281 wifi_prop
282 }:file no_rw_file_perms;
283')
284
285compatible_property_only(`
286 # Neverallow coredomain to set vendor properties
287 neverallow {
288 coredomain
289 -init
290 -system_writes_vendor_properties_violators
291 } {
292 property_type
293 -system_property_type
294 -extended_core_property_type
295 }:property_service set;
296')
297
298neverallow {
Inseob Kimbfb37082020-04-27 23:49:15 +0900[diff] [blame]299 -coredomain
300 -vendor_init
301} {
302 ffs_config_prop
303 ffs_control_prop
304}:file no_rw_file_perms;
305
306neverallow {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]307 -init
308 -system_server
309} {
310 userspace_reboot_log_prop
311}:property_service set;
312
313neverallow {
314 # Only allow init and system_server to set system_adbd_prop
315 -init
316 -system_server
317} {
318 system_adbd_prop
319}:property_service set;
320
321neverallow {
322 # Only allow init and adbd to set adbd_prop
323 -init
324 -adbd
325} {
326 adbd_prop
327}:property_service set;
328
329neverallow {
330 # Only allow init and shell to set userspace_reboot_test_prop
331 -init
332 -shell
333} {
334 userspace_reboot_test_prop
335}:property_service set;
Inseob Kim721d9212020-04-24 21:25:17 +0900[diff] [blame]336
337neverallow {
338 -init
339 -system_server
340 -vendor_init
341} {
342 surfaceflinger_color_prop
343}:property_service set;
Inseob Kim9add20f2020-05-06 22:20:35 +0900[diff] [blame]344
345neverallow {
346 -init
347} {
348 libc_debug_prop
349}:property_service set;
Inseob Kim36aeb162020-05-08 20:42:25 +0900[diff] [blame]350
351neverallow {
352 -init
353 -system_server
354 -vendor_init
355} zram_control_prop:property_service set;
Inseob Kim1337e152020-05-12 22:51:48 +0900[diff] [blame]356
357neverallow {
358 -init
359 -system_server
360 -vendor_init
361} dalvik_runtime_prop:property_service set;
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]362
363neverallow {
364 -coredomain
365 -vendor_init
366} {
367 usb_config_prop
368 usb_control_prop
369}:property_service set;
Inseob Kim3b82aec2020-05-14 01:38:40 +0900[diff] [blame]370
371neverallow {
372 -init
373 -system_server
374} {
375 provisioned_prop
376 retaildemo_prop
377}:property_service set;
378
379neverallow {
380 -coredomain
381 -vendor_init
382} {
383 provisioned_prop
384 retaildemo_prop
385}:file no_rw_file_perms;
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]386
387neverallow {
388 -init
389} {
390 init_service_status_private_prop
391 init_service_status_prop
392}:property_service set;
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]393
394neverallow {
395 -init
396 -radio
397 -appdomain
398 -hal_telephony_server
Inseob Kim285da2f2020-06-04 20:29:43 +0900[diff] [blame]399 not_compatible_property(`-vendor_init')
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]400} telephony_status_prop:property_service set;
Peiyong Lin37dea072020-06-03 12:20:41 -0700[diff] [blame]401
402neverallow {
403 -init
404 -vendor_init
405} {
406 graphics_config_prop
407}:property_service set;
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]408
409neverallow {
Inseob Kim5eacf722020-07-01 01:27:49 +0900[diff] [blame]410 -coredomain
411 -appdomain
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]412 -vendor_init
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]413} packagemanager_config_prop:file no_rw_file_perms;
Inseob Kim04f435c2020-07-07 12:46:24 +0900[diff] [blame]414
415neverallow {
416 -coredomain
417 -vendor_init
418} keyguard_config_prop:file no_rw_file_perms;
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]419
420neverallow {
421 -init
422} {
423 localization_prop
424}:property_service set;
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]425
426neverallow {
427 -init
428 -vendor_init
429 -dumpstate
430 -system_app
431} oem_unlock_prop:file no_rw_file_perms;
432
433neverallow {
434 -coredomain
435 -vendor_init
436} storagemanager_config_prop:file no_rw_file_perms;
437
438neverallow {
439 -init
440 -vendor_init
441 -dumpstate
442 -appdomain
443} sendbug_config_prop:file no_rw_file_perms;
Inseob Kimc97a97c2020-07-20 20:26:07 +0900[diff] [blame]444
445neverallow {
446 -init
447 -vendor_init
448 -dumpstate
449 -appdomain
450} camera_calibration_prop:file no_rw_file_perms;