# Properties used only in /system
#
# Each line hands one property type name to system_internal_prop(). That macro
# is defined outside this file; presumably it declares the type and tags it
# with system_internal_property_type - confirm in the macro definitions.
# NOTE(review): if so, the treble_sysprop_neverallow rules further down are
# what keep domains outside coredomain away from these types, so a type added
# here only gets that protection on builds where those rules are emitted.
system_internal_prop(adbd_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
###
### Neverallow rules
###

# Ownership boundaries between system and vendor properties. The quoted body
# is passed to treble_sysprop_neverallow(), a macro defined outside this file;
# presumably it emits these rules only on builds that enforce the split -
# confirm against the macro definition. Comments inside the quoted body avoid
# quote characters on purpose, since m4 would treat them as delimiters.
treble_sysprop_neverallow(`

# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
# neverallow domain {
#   property_type
#   -system_property_type
#   -product_property_type
#   -vendor_property_type
# }:file no_rw_file_perms;
# Until the rule above is enabled, a property type carrying none of the three
# ownership attributes is not covered by the rules in this block.

# Outside coredomain: no file access to system or system-internal property
# types, except those marked restricted or public.
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# Outside coredomain: only public system properties may be set. Restricted
# types are exempt from the file rule above but not from this one.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
# Mirror of the file rule above for the vendor side.
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

# Inside coredomain only init may set non-public vendor properties; dumpstate
# is exempt from the file rule above but not from this set rule.
neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')
# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# Applies to every source (*): a file whose type carries core_property_type
# may only be granted no_rw_file_perms if the type is one of those subtracted
# below. no_rw_file_perms is a permission set defined outside this file; the
# section comments later in this file use it for the read-side checks.
# NOTE(review): in effect a type that gains core_property_type without being
# added to this list could not be granted to any domain - confirm that is the
# intent before extending the attribute.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -default_prop
  -dhcp_prop
  -dumpstate_prop
  -ffs_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -system_radio_prop
  -vold_prop
}:file no_rw_file_perms;
# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# The rule itself exempts init and vendor_init; su is not listed.
neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set;

# Do not audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
# Consequence for monitoring: a denied set on any of these types leaves no
# audit record, so these denials cannot be used as a detection signal.
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

# init_svc_debug_prop: init is the only domain that may set it.
neverallow { domain -init } init_svc_debug_prop:property_service set;

# File access to init_svc_debug_prop is limited to init and dumpstate, plus su
# where userdebug_or_eng() emits its argument.
neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;
# Per-subsystem limits on who may set and read properties. The quoted body is
# passed to compatible_property_only(), a macro defined outside this file;
# presumably it emits the rules only on builds that enforce compatible
# properties - confirm against the macro definition. Comments inside the
# quoted body avoid quote characters, which m4 would treat as delimiters.
compatible_property_only(`
  # Prevent properties from being set
  #
  # Broad rule: outside coredomain, appdomain and vendor_init nothing may set
  # the core, extended-core or listed exported types. nfc_prop and radio_prop
  # are subtracted here and get narrower rules of their own below.
  # NOTE(review): powerctl_prop is subtracted as well and has no set rule of
  # its own in this block; confirm it is constrained elsewhere.
  neverallow { domain -coredomain -appdomain -vendor_init } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_dalvik_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_ffs_prop
    exported_fingerprint_prop
    exported_system_prop
    exported_system_radio_prop
    exported2_default_prop
    exported2_system_prop
    exported3_default_prop
    exported3_system_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  # In the per-subsystem set rules that follow, vendor_init is exempted for
  # exported_radio_prop, exported3_radio_prop, exported_bluetooth_prop,
  # exported_camera_prop and exported_wifi_prop, but not for nfc_prop,
  # radio_prop, exported2_radio_prop, bluetooth_prop or wifi_prop.

  # NFC: the NFC HAL server is the only non-core, non-app setter.
  neverallow { domain -coredomain -appdomain -hal_nfc_server } nfc_prop:property_service set;

  # Telephony, variant that vendor_init may also set.
  neverallow { domain -coredomain -appdomain -hal_telephony_server -vendor_init } {
    exported_radio_prop
    exported3_radio_prop
  }:property_service set;

  # Telephony, variant without the vendor_init exemption.
  neverallow { domain -coredomain -appdomain -hal_telephony_server } {
    exported2_radio_prop
    radio_prop
  }:property_service set;

  # Bluetooth. appdomain is not exempted in this rule or the next one.
  neverallow { domain -coredomain -bluetooth -hal_bluetooth_server } bluetooth_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } exported_bluetooth_prop:property_service set;

  # Camera.
  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } exported_camera_prop:property_service set;

  # Wi-Fi.
  neverallow { domain -coredomain -hal_wifi_server -wificond } wifi_prop:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
    -vendor_init
  } exported_wifi_prop:property_service set;

  # Prevent properties from being read
  #
  # Broad read rule with the same source set as the broad set rule above.
  # NOTE(review): debug_prop, logd_prop and powerctl_prop are subtracted and
  # have no read rule of their own in this block; confirm that is intended.
  neverallow { domain -coredomain -appdomain -vendor_init } {
    core_property_type
    extended_core_property_type
    exported_dalvik_prop
    exported_ffs_prop
    exported_system_radio_prop
    exported2_system_prop
    exported3_default_prop
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  # Per-subsystem read rules; none of them exempts vendor_init.
  neverallow { domain -coredomain -appdomain -hal_nfc_server } nfc_prop:file no_rw_file_perms;

  neverallow { domain -coredomain -appdomain -hal_telephony_server } radio_prop:file no_rw_file_perms;

  neverallow { domain -coredomain -bluetooth -hal_bluetooth_server } bluetooth_prop:file no_rw_file_perms;

  neverallow { domain -coredomain -hal_wifi_server -wificond } wifi_prop:file no_rw_file_perms;
')
# Emitted under the same compatible_property_only() macro, which is defined
# outside this file. Comments inside the quoted body avoid quote characters,
# which m4 would treat as delimiters.
compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  # The target is every property_type that is neither a system property nor an
  # extended core property. Besides init, the only exemption is the attribute
  # system_writes_vendor_properties_violators.
  # NOTE(review): any domain given that attribute bypasses this check, so its
  # membership is worth auditing when this policy is reviewed.
  neverallow { coredomain -init -system_writes_vendor_properties_violators } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')
# Single-owner properties: each rule names the only domains meant to set one
# property type.
#
# NOTE(review): unlike the other rules in this file, these four source sets
# consist only of subtractions, with no base such as domain to subtract from.
# Confirm that the policy compiler reads this as every domain except the
# listed ones; if it instead yields an empty set, the rules match nothing and
# give no protection. Starting each set with domain would make the intent
# explicit.

# Only init and system_server are left out of the rule for userspace_reboot_log_prop
neverallow { -init -system_server } userspace_reboot_log_prop:property_service set;

# Only allow init and system_server to set system_adbd_prop
neverallow { -init -system_server } system_adbd_prop:property_service set;

# Only allow init and adbd to set adbd_prop
neverallow { -init -adbd } adbd_prop:property_service set;

# Only allow init and shell to set userspace_reboot_test_prop
neverallow { -init -shell } userspace_reboot_test_prop:property_service set;