Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / refs/heads/android-15 / . / microdroid / system / private / property.te
blob: daf6185373ecebda48f168766c88245973734fd3 [file] [log] [blame]
Victor Hsieha62b3ff2022-05-02 09:47:11 -0700[diff] [blame]1system_restricted_prop(boot_status_prop)
2
Victor Hsiehb415c732021-12-14 11:06:23 -0800[diff] [blame]3# Declare ART properties for CompOS
4system_public_prop(dalvik_config_prop)
Jiakai Zhang22fb5c72023-03-30 15:50:05 +0100[diff] [blame]5system_public_prop(dalvik_dynamic_config_prop)
Victor Hsiehb415c732021-12-14 11:06:23 -0800[diff] [blame]6system_restricted_prop(device_config_runtime_native_prop)
Victor Hsieh3423bc42022-05-10 16:14:30 -0700[diff] [blame]7system_restricted_prop(device_config_runtime_native_boot_prop)
Inseob Kimdeaa8b92023-06-09 11:24:38 +0900[diff] [blame]8system_restricted_prop(non_existing_prop)
Victor Hsiehb415c732021-12-14 11:06:23 -0800[diff] [blame]9
Alan Stokesf85f2982023-04-04 15:17:06 +0100[diff] [blame]10typeattribute dalvik_config_prop dalvik_config_prop_type;
11typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
12
Inseob Kim5ee61a72021-09-17 19:31:45 +0900[diff] [blame]13# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
14# in the audit log
15dontaudit domain {
16 ctl_console_prop
17 ctl_default_prop
18 ctl_fuse_prop
19}:property_service set;
20
Inseob Kim9bad60c2024-03-28 15:23:18 +0900[diff] [blame]21allow property_type tmpfs:filesystem associate;
22
23dontaudit { domain -init } default_prop:file no_rw_file_perms;
24dontaudit { domain -init } default_prop:property_service set;
25
Inseob Kime1389972021-07-19 07:48:34 +0000[diff] [blame]26###
27### Neverallow rules
28###
29
Jiyong Park27bb6c62021-09-06 15:39:31 +0900[diff] [blame]30# microdroid_manager_roothash_prop can only be set by microdroid_manager
31# and read by apkdmverity
32neverallow {
33 domain
34 -init
35 -microdroid_manager
36} microdroid_manager_roothash_prop:property_service set;
37
38neverallow {
39 domain
40 -init
41 -microdroid_manager
42 -apkdmverity
43} microdroid_manager_roothash_prop:file no_rw_file_perms;
Richard Fung0c7c2672021-11-08 20:09:54 +0000[diff] [blame]44
45# apexd_payload_metadata_prop can only set by init
46neverallow {
47 domain
48 -init
49} apexd_payload_metadata_prop:property_service set;
Nikita Ioffe1cf4d772022-11-27 01:11:39 +0000[diff] [blame]50
51# Only microdroid_manager and init can set the microdroid_config_prop sysprops
52neverallow {
53 domain
54 -init
55 -microdroid_manager
Shikha Panware1578a52022-11-30 11:22:10 +0000[diff] [blame]56} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
Nikita Ioffe1cf4d772022-11-27 01:11:39 +0000[diff] [blame]57
58neverallow {
59 domain
60 -init
61 -microdroid_manager
Shikha Panwarcf5d5052023-02-03 18:43:02 +0000[diff] [blame]62} {microdroid_lifecycle_prop}:file no_rw_file_perms;
63
64neverallow {
65 domain
66 -init
67 -microdroid_manager
68 -crash_dump
69} {microdroid_config_prop}:file no_rw_file_perms;
Inseob Kimdeaa8b92023-06-09 11:24:38 +0900[diff] [blame]70
71neverallow {
72 domain
73 -init
74} non_existing_prop:property_service set;
Inseob Kim9bad60c2024-03-28 15:23:18 +0900[diff] [blame]75
76# Properties should be explicitly labeled in property_contexts
77neverallow { domain -init } default_prop:file no_rw_file_perms;
78neverallow { domain -init } default_prop:property_service set;