Blame - microdroid/system/private/property.te - android_system_sepolicy

blob: 638b24611c4e5b44eb0f37bb5875f59371ac1edc [file] [log] [blame]

Victor Hsieh	a62b3ff	2022-05-02 09:47:11 -0700	[diff] [blame]	1	system_restricted_prop(boot_status_prop)
				2
Victor Hsieh	b415c73	2021-12-14 11:06:23 -0800	[diff] [blame]	3	# Declare ART properties for CompOS
				4	system_public_prop(dalvik_config_prop)
				5	system_restricted_prop(device_config_runtime_native_prop)
Victor Hsieh	3423bc4	2022-05-10 16:14:30 -0700	[diff] [blame]	6	system_restricted_prop(device_config_runtime_native_boot_prop)
Victor Hsieh	b415c73	2021-12-14 11:06:23 -0800	[diff] [blame]	7
Inseob Kim	5ee61a7	2021-09-17 19:31:45 +0900	[diff] [blame]	8	# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
				9	# in the audit log
				10	dontaudit domain {
				11	ctl_console_prop
				12	ctl_default_prop
				13	ctl_fuse_prop
				14	}:property_service set;
				15
Inseob Kim	e138997	2021-07-19 07:48:34 +0000	[diff] [blame]	16	###
				17	### Neverallow rules
				18	###
				19
Jiyong Park	27bb6c6	2021-09-06 15:39:31 +0900	[diff] [blame]	20	# microdroid_manager_roothash_prop can only be set by microdroid_manager
				21	# and read by apkdmverity
				22	neverallow {
				23	domain
				24	-init
				25	-microdroid_manager
				26	} microdroid_manager_roothash_prop:property_service set;
				27
				28	neverallow {
				29	domain
				30	-init
				31	-microdroid_manager
				32	-apkdmverity
				33	} microdroid_manager_roothash_prop:file no_rw_file_perms;
Richard Fung	0c7c267	2021-11-08 20:09:54 +0000	[diff] [blame]	34
				35	# apexd_payload_metadata_prop can only set by init
				36	neverallow {
				37	domain
				38	-init
				39	} apexd_payload_metadata_prop:property_service set;
Nikita Ioffe	1cf4d77	2022-11-27 01:11:39 +0000	[diff] [blame]	40
				41	# Only microdroid_manager and init can set the microdroid_config_prop sysprops
				42	neverallow {
				43	domain
				44	-init
				45	-microdroid_manager
Shikha Panwar	e1578a5	2022-11-30 11:22:10 +0000	[diff] [blame]	46	} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
Nikita Ioffe	1cf4d77	2022-11-27 01:11:39 +0000	[diff] [blame]	47
				48	neverallow {
				49	domain
				50	-init
				51	-microdroid_manager
Shikha Panwar	cf5d505	2023-02-03 18:43:02 +0000	[diff] [blame^]	52	} {microdroid_lifecycle_prop}:file no_rw_file_perms;
				53
				54	neverallow {
				55	domain
				56	-init
				57	-microdroid_manager
				58	-crash_dump
				59	} {microdroid_config_prop}:file no_rw_file_perms;