Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / cd452300a78de4ca0f85770966a76cc90f6a6b4d / . / private / property.te
blob: 18d94d25a4d6afe7c6bd286611ade09cee0a3788 [file] [log] [blame]
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]1# Properties used only in /system
2system_internal_prop(adbd_prop)
3system_internal_prop(device_config_storage_native_boot_prop)
4system_internal_prop(device_config_sys_traced_prop)
5system_internal_prop(device_config_window_manager_native_boot_prop)
6system_internal_prop(device_config_configuration_prop)
Hongguang Chen91a5f4e2020-04-23 23:43:13 -0700[diff] [blame]7system_internal_prop(fastbootd_protocol_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]8system_internal_prop(gsid_prop)
9system_internal_prop(init_perf_lsm_hooks_prop)
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]10system_internal_prop(init_service_status_private_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]11system_internal_prop(init_svc_debug_prop)
12system_internal_prop(last_boot_reason_prop)
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]13system_internal_prop(localization_prop)
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame^]14system_internal_prop(lower_kptr_restrict_prop)
Inseob Kimbbae4a92020-03-19 17:49:08 +0900[diff] [blame]15system_internal_prop(netd_stable_secret_prop)
16system_internal_prop(pm_prop)
17system_internal_prop(system_adbd_prop)
18system_internal_prop(traced_perf_enabled_prop)
19system_internal_prop(userspace_reboot_log_prop)
20system_internal_prop(userspace_reboot_test_prop)
21
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]22###
23### Neverallow rules
24###
25
26treble_sysprop_neverallow(`
27
Inseob Kimafc09932020-09-28 13:32:43 +0900[diff] [blame]28enforce_sysprop_owner(`
29 neverallow domain {
30 property_type
31 -system_property_type
32 -product_property_type
33 -vendor_property_type
34 }:file no_rw_file_perms;
35')
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]36
37neverallow { domain -coredomain } {
38 system_property_type
39 system_internal_property_type
40 -system_restricted_property_type
41 -system_public_property_type
42}:file no_rw_file_perms;
43
44neverallow { domain -coredomain } {
45 system_property_type
46 -system_public_property_type
47}:property_service set;
48
49# init is in coredomain, but should be able to read/write all props.
50# dumpstate is also in coredomain, but should be able to read all props.
51neverallow { coredomain -init -dumpstate } {
52 vendor_property_type
53 vendor_internal_property_type
54 -vendor_restricted_property_type
55 -vendor_public_property_type
56}:file no_rw_file_perms;
57
58neverallow { coredomain -init } {
59 vendor_property_type
60 -vendor_public_property_type
61}:property_service set;
62
63')
64
65# There is no need to perform ioctl or advisory locking operations on
66# property files. If this neverallow is being triggered, it is
67# likely that the policy is using r_file_perms directly instead of
68# the get_prop() macro.
69neverallow domain property_type:file { ioctl lock };
70
71neverallow * {
72 core_property_type
73 -audio_prop
74 -config_prop
75 -cppreopt_prop
76 -dalvik_prop
77 -debuggerd_prop
78 -debug_prop
79 -default_prop
80 -dhcp_prop
81 -dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]82 -fingerprint_prop
83 -logd_prop
84 -net_radio_prop
85 -nfc_prop
86 -ota_prop
87 -pan_result_prop
88 -persist_debug_prop
89 -powerctl_prop
90 -radio_prop
91 -restorecon_prop
92 -shell_prop
93 -system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]94 -usb_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]95 -vold_prop
96}:file no_rw_file_perms;
97
98# sigstop property is only used for debugging; should only be set by su which is permissive
99# for userdebug/eng
100neverallow {
101 domain
102 -init
103 -vendor_init
104} ctl_sigstop_prop:property_service set;
105
106# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
107# in the audit log
108dontaudit domain {
109 ctl_bootanim_prop
110 ctl_bugreport_prop
111 ctl_console_prop
112 ctl_default_prop
113 ctl_dumpstate_prop
114 ctl_fuse_prop
115 ctl_mdnsd_prop
116 ctl_rildaemon_prop
117}:property_service set;
118
119neverallow {
120 domain
121 -init
122} init_svc_debug_prop:property_service set;
123
124neverallow {
125 domain
126 -init
127 -dumpstate
128 userdebug_or_eng(`-su')
129} init_svc_debug_prop:file no_rw_file_perms;
130
131compatible_property_only(`
132# Prevent properties from being set
133 neverallow {
134 domain
135 -coredomain
136 -appdomain
137 -vendor_init
138 } {
139 core_property_type
140 extended_core_property_type
141 exported_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]142 exported_default_prop
143 exported_dumpstate_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]144 exported_system_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]145 exported3_system_prop
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]146 usb_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]147 -nfc_prop
148 -powerctl_prop
149 -radio_prop
150 }:property_service set;
151
152 neverallow {
153 domain
154 -coredomain
155 -appdomain
156 -hal_nfc_server
157 } {
158 nfc_prop
159 }:property_service set;
160
161 neverallow {
162 domain
163 -coredomain
164 -appdomain
165 -hal_telephony_server
166 -vendor_init
167 } {
Inseob Kimacd02fc2020-07-28 15:17:24 +0900[diff] [blame]168 radio_control_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]169 }:property_service set;
170
171 neverallow {
172 domain
173 -coredomain
174 -appdomain
175 -hal_telephony_server
176 } {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]177 radio_prop
178 }:property_service set;
179
180 neverallow {
181 domain
182 -coredomain
183 -bluetooth
184 -hal_bluetooth_server
185 } {
186 bluetooth_prop
187 }:property_service set;
188
189 neverallow {
190 domain
191 -coredomain
192 -bluetooth
193 -hal_bluetooth_server
194 -vendor_init
195 } {
196 exported_bluetooth_prop
197 }:property_service set;
198
199 neverallow {
200 domain
201 -coredomain
202 -hal_camera_server
203 -cameraserver
204 -vendor_init
205 } {
206 exported_camera_prop
207 }:property_service set;
208
209 neverallow {
210 domain
211 -coredomain
212 -hal_wifi_server
213 -wificond
214 } {
215 wifi_prop
216 }:property_service set;
217
218 neverallow {
219 domain
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]220 -init
221 -dumpstate
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]222 -hal_wifi_server
223 -wificond
224 -vendor_init
225 } {
Inseob Kim3dbf3d82020-06-25 21:20:42 +0900[diff] [blame]226 wifi_hal_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]227 }:property_service set;
228
229# Prevent properties from being read
230 neverallow {
231 domain
232 -coredomain
233 -appdomain
234 -vendor_init
235 } {
236 core_property_type
Inseob Kimd8c39d92020-04-20 19:36:33 +0900[diff] [blame]237 dalvik_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]238 extended_core_property_type
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]239 exported3_system_prop
Inseob Kimfd2d6ec2020-04-01 10:01:16 +0900[diff] [blame]240 systemsound_config_prop
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]241 -debug_prop
242 -logd_prop
243 -nfc_prop
244 -powerctl_prop
245 -radio_prop
246 }:file no_rw_file_perms;
247
248 neverallow {
249 domain
250 -coredomain
251 -appdomain
252 -hal_nfc_server
253 } {
254 nfc_prop
255 }:file no_rw_file_perms;
256
257 neverallow {
258 domain
259 -coredomain
260 -appdomain
261 -hal_telephony_server
262 } {
263 radio_prop
264 }:file no_rw_file_perms;
265
266 neverallow {
267 domain
268 -coredomain
269 -bluetooth
270 -hal_bluetooth_server
271 } {
272 bluetooth_prop
273 }:file no_rw_file_perms;
274
275 neverallow {
276 domain
277 -coredomain
278 -hal_wifi_server
279 -wificond
280 } {
281 wifi_prop
282 }:file no_rw_file_perms;
283')
284
285compatible_property_only(`
286 # Neverallow coredomain to set vendor properties
287 neverallow {
288 coredomain
289 -init
290 -system_writes_vendor_properties_violators
291 } {
292 property_type
293 -system_property_type
294 -extended_core_property_type
295 }:property_service set;
296')
297
298neverallow {
Inseob Kimbfb37082020-04-27 23:49:15 +0900[diff] [blame]299 -coredomain
300 -vendor_init
301} {
302 ffs_config_prop
303 ffs_control_prop
304}:file no_rw_file_perms;
305
306neverallow {
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]307 -init
308 -system_server
309} {
310 userspace_reboot_log_prop
311}:property_service set;
312
313neverallow {
314 # Only allow init and system_server to set system_adbd_prop
315 -init
316 -system_server
317} {
318 system_adbd_prop
319}:property_service set;
320
321neverallow {
322 # Only allow init and adbd to set adbd_prop
323 -init
324 -adbd
325} {
326 adbd_prop
327}:property_service set;
328
329neverallow {
330 # Only allow init and shell to set userspace_reboot_test_prop
331 -init
332 -shell
333} {
334 userspace_reboot_test_prop
335}:property_service set;
Inseob Kim721d9212020-04-24 21:25:17 +0900[diff] [blame]336
337neverallow {
338 -init
339 -system_server
340 -vendor_init
341} {
342 surfaceflinger_color_prop
343}:property_service set;
Inseob Kim9add20f2020-05-06 22:20:35 +0900[diff] [blame]344
345neverallow {
346 -init
347} {
348 libc_debug_prop
349}:property_service set;
Inseob Kim36aeb162020-05-08 20:42:25 +0900[diff] [blame]350
351neverallow {
352 -init
353 -system_server
354 -vendor_init
355} zram_control_prop:property_service set;
Inseob Kim1337e152020-05-12 22:51:48 +0900[diff] [blame]356
357neverallow {
358 -init
359 -system_server
360 -vendor_init
361} dalvik_runtime_prop:property_service set;
Inseob Kimdc1e5012020-04-27 21:13:01 +0900[diff] [blame]362
363neverallow {
364 -coredomain
365 -vendor_init
366} {
367 usb_config_prop
368 usb_control_prop
369}:property_service set;
Inseob Kim3b82aec2020-05-14 01:38:40 +0900[diff] [blame]370
371neverallow {
372 -init
373 -system_server
374} {
375 provisioned_prop
376 retaildemo_prop
377}:property_service set;
378
379neverallow {
380 -coredomain
381 -vendor_init
382} {
383 provisioned_prop
384 retaildemo_prop
385}:file no_rw_file_perms;
Inseob Kim15e5e0a2020-05-14 19:43:08 +0900[diff] [blame]386
387neverallow {
388 -init
389} {
390 init_service_status_private_prop
391 init_service_status_prop
392}:property_service set;
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]393
394neverallow {
395 -init
396 -radio
397 -appdomain
398 -hal_telephony_server
Inseob Kim285da2f2020-06-04 20:29:43 +0900[diff] [blame]399 not_compatible_property(`-vendor_init')
Inseob Kimad631702020-05-14 21:47:43 +0900[diff] [blame]400} telephony_status_prop:property_service set;
Peiyong Lin37dea072020-06-03 12:20:41 -0700[diff] [blame]401
402neverallow {
403 -init
404 -vendor_init
405} {
406 graphics_config_prop
407}:property_service set;
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]408
409neverallow {
Amy Hsu0f352fb2020-06-15 17:04:12 +0800[diff] [blame]410 -init
Midas Chien0d0391f2020-06-17 22:13:21 +0800[diff] [blame]411 -surfaceflinger
Amy Hsu0f352fb2020-06-15 17:04:12 +0800[diff] [blame]412} {
413 surfaceflinger_display_prop
414}:property_service set;
415
Inseob Kim072b0142020-06-16 20:00:41 +0900[diff] [blame]416neverallow {
Inseob Kim5eacf722020-07-01 01:27:49 +0900[diff] [blame]417 -coredomain
418 -appdomain
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]419 -vendor_init
Inseob Kim6ffdf1b2020-06-16 20:00:41 +0900[diff] [blame]420} packagemanager_config_prop:file no_rw_file_perms;
Inseob Kim04f435c2020-07-07 12:46:24 +0900[diff] [blame]421
422neverallow {
423 -coredomain
424 -vendor_init
425} keyguard_config_prop:file no_rw_file_perms;
Alexander Mishkovetsf0be89b2020-07-08 23:11:03 +0200[diff] [blame]426
427neverallow {
428 -init
429} {
430 localization_prop
431}:property_service set;
Inseob Kimc80b0242020-07-16 22:25:47 +0900[diff] [blame]432
433neverallow {
434 -init
435 -vendor_init
436 -dumpstate
437 -system_app
438} oem_unlock_prop:file no_rw_file_perms;
439
440neverallow {
441 -coredomain
442 -vendor_init
443} storagemanager_config_prop:file no_rw_file_perms;
444
445neverallow {
446 -init
447 -vendor_init
448 -dumpstate
449 -appdomain
450} sendbug_config_prop:file no_rw_file_perms;
Inseob Kimc97a97c2020-07-20 20:26:07 +0900[diff] [blame]451
452neverallow {
453 -init
454 -vendor_init
455 -dumpstate
456 -appdomain
457} camera_calibration_prop:file no_rw_file_perms;
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]458
459neverallow {
460 -init
461 -dumpstate
Jeff Vander Stoep684d25b2020-08-25 11:41:00 +0200[diff] [blame]462 -hal_dumpstate_server
Inseob Kim46dd4be2020-08-18 11:25:32 +0900[diff] [blame]463 not_compatible_property(`-vendor_init')
464} hal_dumpstate_config_prop:file no_rw_file_perms;
Primiano Tuccicd452302020-10-09 09:15:10 +0100[diff] [blame^]465
466neverallow {
467 -init
468 userdebug_or_eng(`-traced_probes')
469} {
470 lower_kptr_restrict_prop
471}:property_service set;