Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / afc09932f6fa07c5f6beffbcdc2bb4691e527321 / . / private / property.te
blob: 09e93e9850ef6bab1540afd699c6593a664ec3da [file] [log] [blame]
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]1# Properties used only in /system
2system_internal_prop(adbd_prop)
3system_internal_prop(device_config_storage_native_boot_prop)
4system_internal_prop(device_config_sys_traced_prop)
5system_internal_prop(device_config_window_manager_native_boot_prop)
6system_internal_prop(device_config_configuration_prop)
Hongguang Chen91a5f4e2020-04-23 23:43:13 -0700[diff] [blame]7system_internal_prop(fastbootd_protocol_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]8system_internal_prop(gsid_prop)
9system_internal_prop(init_perf_lsm_hooks_prop)
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]10system_internal_prop(init_service_status_private_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]11system_internal_prop(init_svc_debug_prop)
12system_internal_prop(last_boot_reason_prop)
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]13system_internal_prop(localization_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]14system_internal_prop(netd_stable_secret_prop)
15system_internal_prop(pm_prop)
16system_internal_prop(system_adbd_prop)
17system_internal_prop(traced_perf_enabled_prop)
18system_internal_prop(userspace_reboot_log_prop)
19system_internal_prop(userspace_reboot_test_prop)
20
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]21###
22### Neverallow rules
23###
24
25treble_sysprop_neverallow(`
26
Inseob Kimafc09932020-09-28 13:32:43 +0900[diff] [blame^]27enforce_sysprop_owner(`
28 neverallow domain {
29 property_type
30 -system_property_type
31 -product_property_type
32 -vendor_property_type
33 }:file no_rw_file_perms;
34')
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]35
36neverallow { domain -coredomain } {
37 system_property_type
38 system_internal_property_type
39 -system_restricted_property_type
40 -system_public_property_type
41}:file no_rw_file_perms;
42
43neverallow { domain -coredomain } {
44 system_property_type
45 -system_public_property_type
46}:property_service set;
47
48# init is in coredomain, but should be able to read/write all props.
49# dumpstate is also in coredomain, but should be able to read all props.
50neverallow { coredomain -init -dumpstate } {
51 vendor_property_type
52 vendor_internal_property_type
53 -vendor_restricted_property_type
54 -vendor_public_property_type
55}:file no_rw_file_perms;
56
57neverallow { coredomain -init } {
58 vendor_property_type
59 -vendor_public_property_type
60}:property_service set;
61
62')
63
64# There is no need to perform ioctl or advisory locking operations on
65# property files. If this neverallow is being triggered, it is
66# likely that the policy is using r_file_perms directly instead of
67# the get_prop() macro.
68neverallow domain property_type:file { ioctl lock };
69
70neverallow * {
71 core_property_type
72 -audio_prop
73 -config_prop
74 -cppreopt_prop
75 -dalvik_prop
76 -debuggerd_prop
77 -debug_prop
78 -default_prop
79 -dhcp_prop
80 -dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]81 -fingerprint_prop
82 -logd_prop
83 -net_radio_prop
84 -nfc_prop
85 -ota_prop
86 -pan_result_prop
87 -persist_debug_prop
88 -powerctl_prop
89 -radio_prop
90 -restorecon_prop
91 -shell_prop
92 -system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]93 -usb_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]94 -vold_prop
95}:file no_rw_file_perms;
96
97# sigstop property is only used for debugging; should only be set by su which is permissive
98# for userdebug/eng
99neverallow {
100 domain
101 -init
102 -vendor_init
103} ctl_sigstop_prop:property_service set;
104
105# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
106# in the audit log
107dontaudit domain {
108 ctl_bootanim_prop
109 ctl_bugreport_prop
110 ctl_console_prop
111 ctl_default_prop
112 ctl_dumpstate_prop
113 ctl_fuse_prop
114 ctl_mdnsd_prop
115 ctl_rildaemon_prop
116}:property_service set;
117
118neverallow {
119 domain
120 -init
121} init_svc_debug_prop:property_service set;
122
123neverallow {
124 domain
125 -init
126 -dumpstate
127 userdebug_or_eng(`-su')
128} init_svc_debug_prop:file no_rw_file_perms;
129
130compatible_property_only(`
131# Prevent properties from being set
132 neverallow {
133 domain
134 -coredomain
135 -appdomain
136 -vendor_init
137 } {
138 core_property_type
139 extended_core_property_type
140 exported_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]141 exported_default_prop
142 exported_dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]143 exported_system_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]144 exported3_system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]145 usb_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]146 -nfc_prop
147 -powerctl_prop
148 -radio_prop
149 }:property_service set;
150
151 neverallow {
152 domain
153 -coredomain
154 -appdomain
155 -hal_nfc_server
156 } {
157 nfc_prop
158 }:property_service set;
159
160 neverallow {
161 domain
162 -coredomain
163 -appdomain
164 -hal_telephony_server
165 -vendor_init
166 } {
Inseob Kimacd02fc2020-07-28 15:17:24 +0900[diff] [blame]167 radio_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]168 }:property_service set;
169
170 neverallow {
171 domain
172 -coredomain
173 -appdomain
174 -hal_telephony_server
175 } {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]176 radio_prop
177 }:property_service set;
178
179 neverallow {
180 domain
181 -coredomain
182 -bluetooth
183 -hal_bluetooth_server
184 } {
185 bluetooth_prop
186 }:property_service set;
187
188 neverallow {
189 domain
190 -coredomain
191 -bluetooth
192 -hal_bluetooth_server
193 -vendor_init
194 } {
195 exported_bluetooth_prop
196 }:property_service set;
197
198 neverallow {
199 domain
200 -coredomain
201 -hal_camera_server
202 -cameraserver
203 -vendor_init
204 } {
205 exported_camera_prop
206 }:property_service set;
207
208 neverallow {
209 domain
210 -coredomain
211 -hal_wifi_server
212 -wificond
213 } {
214 wifi_prop
215 }:property_service set;
216
217 neverallow {
218 domain
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]219 -init
220 -dumpstate
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]221 -hal_wifi_server
222 -wificond
223 -vendor_init
224 } {
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]225 wifi_hal_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]226 }:property_service set;
227
228# Prevent properties from being read
229 neverallow {
230 domain
231 -coredomain
232 -appdomain
233 -vendor_init
234 } {
235 core_property_type
Inseob Kimd8c39d92020-04-20 19:36:33 +0900[diff] [blame]236 dalvik_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]237 extended_core_property_type
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]238 exported3_system_prop
Inseob Kimfd2d6ec2020-04-01 10:01:16 +0900[diff] [blame]239 systemsound_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]240 -debug_prop
241 -logd_prop
242 -nfc_prop
243 -powerctl_prop
244 -radio_prop
245 }:file no_rw_file_perms;
246
247 neverallow {
248 domain
249 -coredomain
250 -appdomain
251 -hal_nfc_server
252 } {
253 nfc_prop
254 }:file no_rw_file_perms;
255
256 neverallow {
257 domain
258 -coredomain
259 -appdomain
260 -hal_telephony_server
261 } {
262 radio_prop
263 }:file no_rw_file_perms;
264
265 neverallow {
266 domain
267 -coredomain
268 -bluetooth
269 -hal_bluetooth_server
270 } {
271 bluetooth_prop
272 }:file no_rw_file_perms;
273
274 neverallow {
275 domain
276 -coredomain
277 -hal_wifi_server
278 -wificond
279 } {
280 wifi_prop
281 }:file no_rw_file_perms;
282')
283
284compatible_property_only(`
285 # Neverallow coredomain to set vendor properties
286 neverallow {
287 coredomain
288 -init
289 -system_writes_vendor_properties_violators
290 } {
291 property_type
292 -system_property_type
293 -extended_core_property_type
294 }:property_service set;
295')
296
297neverallow {
Inseob Kimbfb37082020-04-27 23:49:15 +0900[diff] [blame]298 -coredomain
299 -vendor_init
300} {
301 ffs_config_prop
302 ffs_control_prop
303}:file no_rw_file_perms;
304
305neverallow {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]306 -init
307 -system_server
308} {
309 userspace_reboot_log_prop
310}:property_service set;
311
312neverallow {
313 # Only allow init and system_server to set system_adbd_prop
314 -init
315 -system_server
316} {
317 system_adbd_prop
318}:property_service set;
319
320neverallow {
321 # Only allow init and adbd to set adbd_prop
322 -init
323 -adbd
324} {
325 adbd_prop
326}:property_service set;
327
328neverallow {
329 # Only allow init and shell to set userspace_reboot_test_prop
330 -init
331 -shell
332} {
333 userspace_reboot_test_prop
334}:property_service set;
Inseob Kim721d9212020-04-24 21:25:17 +0900[diff] [blame]335
336neverallow {
337 -init
338 -system_server
339 -vendor_init
340} {
341 surfaceflinger_color_prop
342}:property_service set;
Inseob Kim9add20f2020-05-06 22:20:35 +0900[diff] [blame]343
344neverallow {
345 -init
346} {
347 libc_debug_prop
348}:property_service set;
Inseob Kim36aeb162020-05-08 20:42:25 +0900[diff] [blame]349
350neverallow {
351 -init
352 -system_server
353 -vendor_init
354} zram_control_prop:property_service set;
Inseob Kim1337e152020-05-12 22:51:48 +0900[diff] [blame]355
356neverallow {
357 -init
358 -system_server
359 -vendor_init
360} dalvik_runtime_prop:property_service set;
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]361
362neverallow {
363 -coredomain
364 -vendor_init
365} {
366 usb_config_prop
367 usb_control_prop
368}:property_service set;
Inseob Kim3b82aec2020-05-14 01:38:40 +0900[diff] [blame]369
370neverallow {
371 -init
372 -system_server
373} {
374 provisioned_prop
375 retaildemo_prop
376}:property_service set;
377
378neverallow {
379 -coredomain
380 -vendor_init
381} {
382 provisioned_prop
383 retaildemo_prop
384}:file no_rw_file_perms;
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]385
386neverallow {
387 -init
388} {
389 init_service_status_private_prop
390 init_service_status_prop
391}:property_service set;
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]392
393neverallow {
394 -init
395 -radio
396 -appdomain
397 -hal_telephony_server
Inseob Kim285da2f2020-06-04 20:29:43 +0900[diff] [blame]398 not_compatible_property(`-vendor_init')
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]399} telephony_status_prop:property_service set;
Peiyong Lin37dea072020-06-03 12:20:41 -0700[diff] [blame]400
401neverallow {
402 -init
403 -vendor_init
404} {
405 graphics_config_prop
406}:property_service set;
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]407
408neverallow {
Amy Hsu0f352fb2020-06-15 17:04:12 +0800[diff] [blame]409 -init
Midas Chien0d0391f2020-06-17 22:13:21 +0800[diff] [blame]410 -surfaceflinger
Amy Hsu0f352fb2020-06-15 17:04:12 +0800[diff] [blame]411} {
412 surfaceflinger_display_prop
413}:property_service set;
414
Inseob Kim072b0142020-06-16 20:00:41 +0900[diff] [blame]415neverallow {
Inseob Kim5eacf722020-07-01 01:27:49 +0900[diff] [blame]416 -coredomain
417 -appdomain
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]418 -vendor_init
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]419} packagemanager_config_prop:file no_rw_file_perms;
Inseob Kim04f435c2020-07-07 12:46:24 +0900[diff] [blame]420
421neverallow {
422 -coredomain
423 -vendor_init
424} keyguard_config_prop:file no_rw_file_perms;
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]425
426neverallow {
427 -init
428} {
429 localization_prop
430}:property_service set;
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]431
432neverallow {
433 -init
434 -vendor_init
435 -dumpstate
436 -system_app
437} oem_unlock_prop:file no_rw_file_perms;
438
439neverallow {
440 -coredomain
441 -vendor_init
442} storagemanager_config_prop:file no_rw_file_perms;
443
444neverallow {
445 -init
446 -vendor_init
447 -dumpstate
448 -appdomain
449} sendbug_config_prop:file no_rw_file_perms;
Inseob Kimc97a97c2020-07-20 20:26:07 +0900[diff] [blame]450
451neverallow {
452 -init
453 -vendor_init
454 -dumpstate
455 -appdomain
456} camera_calibration_prop:file no_rw_file_perms;
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]457
458neverallow {
459 -init
460 -dumpstate
Jeff Vander Stoep684d25b2020-08-25 11:41:00 +0200[diff] [blame]461 -hal_dumpstate_server
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]462 not_compatible_property(`-vendor_init')
463} hal_dumpstate_config_prop:file no_rw_file_perms;