# Properties used only in /system
# NOTE(review): system_internal_prop() is defined outside this file. Judging by
# the neverallow rules further down, types declared here are meant to be
# readable and writable from coredomain only - confirm against the macro
# definition before relying on that.
system_internal_prop(adbd_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)

# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
system_internal_prop(keystore2_enable_prop)

###
### Neverallow rules
###

# The rules in this macro argument take effect only where the macro expands
# it; the macro is defined outside this file. Comments placed inside the
# quoted argument must not contain m4 quote characters.
treble_sysprop_neverallow(`

enforce_sysprop_owner(`
  # A property type that carries none of the three owner attributes
  # cannot be read or written by any domain.
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

# Outside coredomain, system-owned properties are readable and writable
# only when tagged restricted or public.
neverallow {
  domain
  -coredomain
} {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# Outside coredomain, only public system properties may be set.
neverallow {
  domain
  -coredomain
} { system_property_type -system_public_property_type }:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow {
  coredomain
  -init
  -dumpstate
} {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

# Within coredomain, only init may set vendor properties that are not public.
neverallow {
  coredomain
  -init
} { vendor_property_type -vendor_public_property_type }:property_service set;

')

# Property files never need ioctl or advisory locking. A hit on this rule
# most likely means policy granted r_file_perms directly instead of going
# through the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# No source may read or write a type carrying core_property_type unless the
# type is excluded below. Any other type given this attribute therefore
# cannot be granted file access anywhere in policy.
# NOTE(review): this looks like a freeze on the attribute membership -
# confirm the intent before adding an exclusion.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -default_prop
  -dhcp_prop
  -dumpstate_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -usb_prop
  -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which
# is permissive for userdebug/eng. No domain other than init and vendor_init
# may be granted the set permission.
neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set;

# Do not audit legacy ctl. property handling, so that only the newer
# permission check appears in the audit log. dontaudit grants nothing: the
# access is still denied and only the log record is suppressed, so these
# denials will not show up when reviewing audit logs.
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

# Only init may set init_svc_debug_prop.
neverallow { domain -init } init_svc_debug_prop:property_service set;

# File access to init_svc_debug_prop is limited to init and dumpstate, with su
# added through the userdebug_or_eng macro.
neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# NOTE(review): compatible_property_only is defined outside this file; the
# rules below apply only where it expands its argument. Comments inside the
# quoted argument must not contain m4 quote characters.
compatible_property_only(`
  # Prevent properties from being set
  # nfc_prop and radio_prop are excluded here because they get their own
  # rules below. powerctl_prop is excluded too but has no dedicated set rule
  # in this block - NOTE(review): confirm it is restricted elsewhere.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_system_prop
    exported3_system_prop
    usb_control_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } nfc_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } radio_control_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } radio_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } bluetooth_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } exported_bluetooth_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } exported_camera_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } wifi_prop:property_service set;

  # Unlike the rules above, this one exempts init rather than all of
  # coredomain.
  # NOTE(review): dumpstate is exempted from a set restriction here although
  # it is described elsewhere in this file as a reader of properties -
  # confirm the exemption is intended.
  neverallow {
    domain
    -init
    -dumpstate
    -hal_wifi_server
    -wificond
    -vendor_init
  } wifi_hal_prop:property_service set;

  # Prevent properties from being read
  # debug_prop, logd_prop and powerctl_prop are excluded without a dedicated
  # read rule in this block; nfc_prop and radio_prop are covered below.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop
    extended_core_property_type
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } nfc_prop:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } radio_prop:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } bluetooth_prop:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } wifi_prop:file no_rw_file_perms;
')

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  # Here that means every property_type that is neither system-owned nor
  # extended core. The violators attribute is a standing exemption: each
  # domain that carries it bypasses this rule, so its membership deserves
  # review whenever it changes.
  neverallow { coredomain -init -system_writes_vendor_properties_violators } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

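# Every source set below starts from the domain attribute. A set that lists
# only exclusions has no base to subtract from and expands to nothing, which
# leaves the neverallow vacuous: it compiles but forbids nothing. To confirm a
# rule is live, add a throwaway violating allow rule and check that the policy
# build rejects it. If the build reports a real violation, fix the offending
# allow rule or extend the exclusion list deliberately.

# File access to the ffs properties is limited to coredomain and vendor_init.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  ffs_config_prop
  ffs_control_prop
}:file no_rw_file_perms;

# Only init and system_server may set userspace_reboot_log_prop.
neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

neverallow {
  # Only allow init and system_server to set system_adbd_prop
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

neverallow {
  # Only allow init and adbd to set adbd_prop
  domain
  -init
  -adbd
} {
  adbd_prop
}:property_service set;

neverallow {
  # Only allow init and shell to set userspace_reboot_test_prop
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;

# Only init may set libc_debug_prop.
neverallow {
  domain
  -init
} {
  libc_debug_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} zram_control_prop:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} dalvik_runtime_prop:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  usb_config_prop
  usb_control_prop
}:property_service set;

# provisioned_prop and retaildemo_prop: set by init and system_server only,
# file access from coredomain and vendor_init only.
neverallow {
  domain
  -init
  -system_server
} {
  provisioned_prop
  retaildemo_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  provisioned_prop
  retaildemo_prop
}:file no_rw_file_perms;
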
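# Every source set below starts from the domain attribute. A set that lists
# only exclusions has no base to subtract from and expands to nothing, which
# leaves the neverallow vacuous: it compiles but forbids nothing. If the build
# reports a violation of one of these rules, fix the offending allow rule or
# extend the exclusion list deliberately.

# Only init may set the service status properties.
neverallow {
  domain
  -init
} {
  init_service_status_private_prop
  init_service_status_prop
}:property_service set;

neverallow {
  domain
  -init
  -radio
  -appdomain
  -hal_telephony_server
  not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} {
  graphics_config_prop
}:property_service set;

neverallow {
  domain
  -init
  -surfaceflinger
} {
  surfaceflinger_display_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
  -vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} keyguard_config_prop:file no_rw_file_perms;

# Only init may set localization_prop.
neverallow {
  domain
  -init
} {
  localization_prop
}:property_service set;

# File access to oem_unlock_prop is limited to the four domains excluded here.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_app
} oem_unlock_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} sendbug_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} camera_calibration_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -dumpstate
  -hal_dumpstate_server
  not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;
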
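# Every source set below starts from the domain attribute. A set that lists
# only exclusions has no base to subtract from and expands to nothing, which
# leaves the neverallow vacuous: it compiles but forbids nothing. If the build
# reports a violation of one of these rules, fix the offending allow rule or
# extend the exclusion list deliberately.

# Only init may set lower_kptr_restrict_prop, with traced_probes added through
# the userdebug_or_eng macro.
neverallow {
  domain
  -init
  userdebug_or_eng(`-traced_probes')
} {
  lower_kptr_restrict_prop
}:property_service set;

# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
neverallow {
  domain
  -init
  -dumpstate
  -system_app
  -system_server
  -zygote
} keystore2_enable_prop:file no_rw_file_perms;

# The remaining properties may be set by init only.
neverallow {
  domain
  -init
} zygote_wrap_prop:property_service set;

neverallow {
  domain
  -init
} verity_status_prop:property_service set;

neverallow {
  domain
  -init
} setupwizard_prop:property_service set;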