# Property types, regrouped by the attributes they carry so that the widely
# readable set is visible at a glance. Every type keeps exactly the
# attributes it was declared with; only the ordering differs.

# --- property_type + core_property_type ---
# Per the comment on the core_property_type neverallow later in this file,
# properties with this attribute are readable to everyone, so this group is
# not meant to grow.
type audio_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
type dalvik_prop, property_type, core_property_type;
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
type default_prop, property_type, core_property_type;
type dhcp_prop, property_type, core_property_type;
type dumpstate_prop, property_type, core_property_type;
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type logd_prop, property_type, core_property_type;
type net_radio_prop, property_type, core_property_type;
type nfc_prop, property_type, core_property_type;
type pan_result_prop, property_type, core_property_type;
type persist_debug_prop, property_type, core_property_type;
type powerctl_prop, property_type, core_property_type;
type radio_prop, property_type, core_property_type;
type restorecon_prop, property_type, core_property_type;
type shell_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
type vold_prop, property_type, core_property_type;

# --- property_type + log_property_type ---
type log_prop, property_type, log_property_type;
type log_tag_prop, property_type, log_property_type;
type wifi_log_prop, property_type, log_property_type;

# --- property_type only ---
type apexd_prop, property_type;
type boottime_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_audio_hal_prop, property_type;
type bluetooth_prop, property_type;
type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
type cpu_variant_prop, property_type;

# ctl_* property types
type ctl_adbd_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
type ctl_gsid_prop, property_type;
type ctl_interface_restart_prop, property_type;
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
type ctl_mdnsd_prop, property_type;
type ctl_restart_prop, property_type;
type ctl_rildaemon_prop, property_type;
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;

# device_config_* property types
type device_config_activity_manager_native_boot_prop, property_type;
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
type device_config_input_native_boot_prop, property_type;
type device_config_netd_native_prop, property_type;
type device_config_runtime_native_boot_prop, property_type;
type device_config_runtime_native_prop, property_type;
type device_config_media_native_prop, property_type;

# remaining property types
type device_logging_prop, property_type;
type dumpstate_options_prop, property_type;
type dynamic_system_prop, property_type;
type exported_secure_prop, property_type;
type firstboot_prop, property_type;
type gsid_prop, property_type;
type heapprofd_enabled_prop, property_type;
type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
type last_boot_reason_prop, property_type;
type system_lmk_prop, property_type;
type llkd_prop, property_type;
type logpersistd_logging_prop, property_type;
type lowpan_prop, property_type;
type lpdumpd_prop, property_type;
type mmc_prop, property_type;
type net_dns_prop, property_type;
type netd_stable_secret_prop, property_type;
type nnapi_ext_deny_product_prop, property_type;
type overlay_prop, property_type;
type persistent_properties_ready_prop, property_type;
type pm_prop, property_type;
type safemode_prop, property_type;
type serialno_prop, property_type;
type system_boot_reason_prop, property_type;
type system_trace_prop, property_type;
type test_boot_reason_prop, property_type;
type test_harness_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
type traced_lazy_prop, property_type;
type use_memfd_prop, property_type;
type wifi_prop, property_type;
type vendor_security_patch_level_prop, property_type;
# Property types for whitelisting: the exported_*, exported2_* and
# exported3_* families plus vendor_default_prop. Each one carries
# property_type only; none is tagged core_property_type.

# exported_* family
type exported_audio_prop, property_type;
type exported_bluetooth_prop, property_type;
type exported_config_prop, property_type;
type exported_dalvik_prop, property_type;
type exported_default_prop, property_type;
type exported_dumpstate_prop, property_type;
type exported_ffs_prop, property_type;
type exported_fingerprint_prop, property_type;
type exported_overlay_prop, property_type;
type exported_pm_prop, property_type;
type exported_radio_prop, property_type;
type exported_system_prop, property_type;
type exported_system_radio_prop, property_type;
type exported_vold_prop, property_type;
type exported_wifi_prop, property_type;

# exported2_* family
type exported2_config_prop, property_type;
type exported2_default_prop, property_type;
type exported2_radio_prop, property_type;
type exported2_system_prop, property_type;
type exported2_vold_prop, property_type;

# exported3_* family
type exported3_default_prop, property_type;
type exported3_radio_prop, property_type;
type exported3_system_prop, property_type;

type vendor_default_prop, property_type;
# Let objects labelled with any property type be associated with a tmpfs
# filesystem.
# NOTE(review): presumably the property area is tmpfs-backed - confirm.
allow property_type tmpfs:filesystem associate;
###
### Neverallow rules
###

# Property files never need ioctl or advisory locking. If this rule is
# triggered, it is likely that some policy uses r_file_perms on a property
# type directly instead of going through the get_prop() macro.
neverallow domain property_type:file { ioctl lock };
# core_property_type must not be attached to new properties or to
# device-specific properties. Properties with this attribute are readable to
# everyone, which is overly broad and should be avoided; new properties
# should get their own read / write access control rules instead.
#
# The rule below checks this when the policy is built. Its target is
# core_property_type minus each of the 23 types that already carry the
# attribute in this file, so it can only match a type that is newly given
# the attribute.
neverallow * {
    core_property_type
    -audio_prop
    -config_prop
    -cppreopt_prop
    -dalvik_prop
    -debuggerd_prop
    -debug_prop
    -default_prop
    -dhcp_prop
    -dumpstate_prop
    -ffs_prop
    -fingerprint_prop
    -logd_prop
    -net_radio_prop
    -nfc_prop
    -pan_result_prop
    -persist_debug_prop
    -powerctl_prop
    -radio_prop
    -restorecon_prop
    -shell_prop
    -system_prop
    -system_radio_prop
    -vold_prop
}:file no_rw_file_perms;
# The sigstop property is used for debugging only. It should only be set by
# su, which is permissive on userdebug/eng builds. In the rule itself, init
# and vendor_init are the only domains exempted.
neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set;
# Silence audit records for the legacy ctl. property handling so that only
# the newer permission check appears in the audit log. A denied set on one of
# the types below therefore leaves no record of its own; when investigating a
# ctl.* denial, look for the record from the newer check.
# Only the eight types listed are silenced; the other ctl_* types declared in
# this file are not part of this rule.
dontaudit domain {
    ctl_bootanim_prop
    ctl_bugreport_prop
    ctl_console_prop
    ctl_default_prop
    ctl_dumpstate_prop
    ctl_fuse_prop
    ctl_mdnsd_prop
    ctl_rildaemon_prop
}:property_service set;
compatible_property_only(`
  # NOTE: everything in this block is an m4 quoted argument - keep quote
  # characters out of the comments written in here.

  # ---- Prevent properties from being set ----

  # No domain outside coredomain and appdomain and vendor_init may be granted
  # set on the core and exported types listed here. nfc_prop and radio_prop
  # are subtracted because they have their own set rules further down.
  # NOTE(review): powerctl_prop is subtracted too but has no set rule of its
  # own in this block - confirm it is constrained elsewhere.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_dalvik_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_ffs_prop
    exported_fingerprint_prop
    exported_system_prop
    exported_system_radio_prop
    exported_vold_prop
    exported2_config_prop
    exported2_default_prop
    exported2_system_prop
    exported2_vold_prop
    exported3_default_prop
    exported3_system_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  # nfc_prop: hal_nfc_server is exempt here and vendor_init is not.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } nfc_prop:property_service set;

  # Exported radio types: hal_telephony_server and vendor_init are exempt.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    exported_radio_prop
    exported3_radio_prop
  }:property_service set;

  # exported2_radio_prop and radio_prop: same exemptions as the rule above
  # except that vendor_init is not exempt.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    exported2_radio_prop
    radio_prop
  }:property_service set;

  # bluetooth_prop: exempt domains are coredomain and bluetooth and
  # hal_bluetooth_server. appdomain is not subtracted in this rule.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } bluetooth_prop:property_service set;

  # exported_bluetooth_prop: as above plus an exemption for vendor_init.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } exported_bluetooth_prop:property_service set;

  # wifi_prop: exempt domains are coredomain and hal_wifi_server and wificond.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } wifi_prop:property_service set;

  # exported_wifi_prop: as above plus an exemption for vendor_init.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
    -vendor_init
  } exported_wifi_prop:property_service set;

  # ---- Prevent properties from being read ----

  # Same exempt domains as the first set rule but a shorter target list.
  # These seven types are set-restricted above and not listed here:
  #   exported_config_prop exported_default_prop exported_dumpstate_prop
  #   exported_fingerprint_prop exported_system_prop exported_vold_prop
  #   exported2_default_prop
  # nfc_prop and radio_prop have their own rules below.
  # NOTE(review): debug_prop and logd_prop and powerctl_prop are subtracted
  # and have no rule of their own in this block - confirm that is intended.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_dalvik_prop
    exported_ffs_prop
    exported_system_radio_prop
    exported2_config_prop
    exported2_system_prop
    exported2_vold_prop
    exported3_default_prop
    exported3_system_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  # nfc_prop: hal_nfc_server is exempt and vendor_init is not.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } nfc_prop:file no_rw_file_perms;

  # radio_prop: hal_telephony_server is exempt and vendor_init is not.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } radio_prop:file no_rw_file_perms;

  # bluetooth_prop: appdomain is not subtracted in this rule.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } bluetooth_prop:file no_rw_file_perms;

  # wifi_prop: appdomain is not subtracted in this rule.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } wifi_prop:file no_rw_file_perms;
')
compatible_property_only(`
  # Neverallow coredomain to set vendor properties.
  #
  # The target is property_type minus every type named below. What remains
  # is any property type this list does not name and the rule treats those
  # as vendor properties. Only init and the domains in
  # system_writes_vendor_properties_violators are exempt.
  #
  # NOTE(review): five types declared in this file are absent from the
  # subtraction list and so fall under this rule as well:
  #   cpu_variant_prop
  #   llkd_prop
  #   nnapi_ext_deny_product_prop
  #   use_memfd_prop
  #   exported_audio_prop
  # Confirm that this is intended. A type that is declared in this file but
  # not subtracted here cannot be set by coredomain other than the exempt
  # domains.
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -apexd_prop
    -audio_prop
    -bluetooth_a2dp_offload_prop
    -bluetooth_audio_hal_prop
    -bluetooth_prop
    -bootloader_boot_reason_prop
    -boottime_prop
    -bpf_progs_loaded_prop
    -config_prop
    -cppreopt_prop
    -ctl_adbd_prop
    -ctl_bootanim_prop
    -ctl_bugreport_prop
    -ctl_console_prop
    -ctl_default_prop
    -ctl_dumpstate_prop
    -ctl_fuse_prop
    -ctl_gsid_prop
    -ctl_interface_restart_prop
    -ctl_interface_start_prop
    -ctl_interface_stop_prop
    -ctl_mdnsd_prop
    -ctl_restart_prop
    -ctl_rildaemon_prop
    -ctl_sigstop_prop
    -ctl_start_prop
    -ctl_stop_prop
    -dalvik_prop
    -debug_prop
    -debuggerd_prop
    -default_prop
    -device_logging_prop
    -dhcp_prop
    -dumpstate_options_prop
    -dumpstate_prop
    -exported2_config_prop
    -exported2_default_prop
    -exported2_radio_prop
    -exported2_system_prop
    -exported2_vold_prop
    -exported3_default_prop
    -exported3_radio_prop
    -exported3_system_prop
    -exported_bluetooth_prop
    -exported_config_prop
    -exported_dalvik_prop
    -exported_default_prop
    -exported_dumpstate_prop
    -exported_ffs_prop
    -exported_fingerprint_prop
    -exported_overlay_prop
    -exported_pm_prop
    -exported_radio_prop
    -exported_secure_prop
    -exported_system_prop
    -exported_system_radio_prop
    -exported_vold_prop
    -exported_wifi_prop
    -extended_core_property_type
    -ffs_prop
    -fingerprint_prop
    -firstboot_prop
    -device_config_activity_manager_native_boot_prop
    -device_config_reset_performed_prop
    -device_config_boot_count_prop
    -device_config_input_native_boot_prop
    -device_config_netd_native_prop
    -device_config_runtime_native_boot_prop
    -device_config_runtime_native_prop
    -device_config_media_native_prop
    -dynamic_system_prop
    -gsid_prop
    -heapprofd_enabled_prop
    -heapprofd_prop
    -hwservicemanager_prop
    -last_boot_reason_prop
    -system_lmk_prop
    -log_prop
    -log_tag_prop
    -logd_prop
    -logpersistd_logging_prop
    -lowpan_prop
    -lpdumpd_prop
    -mmc_prop
    -net_dns_prop
    -net_radio_prop
    -netd_stable_secret_prop
    -nfc_prop
    -overlay_prop
    -pan_result_prop
    -persist_debug_prop
    -persistent_properties_ready_prop
    -pm_prop
    -powerctl_prop
    -radio_prop
    -restorecon_prop
    -safemode_prop
    -serialno_prop
    -shell_prop
    -system_boot_reason_prop
    -system_prop
    -system_radio_prop
    -system_trace_prop
    -test_boot_reason_prop
    -test_harness_prop
    -time_prop
    -traced_enabled_prop
    -traced_lazy_prop
    -vendor_default_prop
    -vendor_security_patch_level_prop
    -vold_prop
    -wifi_log_prop
    -wifi_prop
  }:property_service set;
')
469')