• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1type audio_prop, property_type, core_property_type;
2type boottime_prop, property_type;
3type bluetooth_a2dp_offload_prop, property_type;
4type bluetooth_prop, property_type;
5type bootloader_boot_reason_prop, property_type;
6type config_prop, property_type, core_property_type;
7type cppreopt_prop, property_type, core_property_type;
8type ctl_bootanim_prop, property_type;
9type ctl_bugreport_prop, property_type;
10type ctl_console_prop, property_type;
11type ctl_default_prop, property_type;
12type ctl_dumpstate_prop, property_type;
13type ctl_fuse_prop, property_type;
14type ctl_interface_restart_prop, property_type;
15type ctl_interface_start_prop, property_type;
16type ctl_interface_stop_prop, property_type;
17type ctl_mdnsd_prop, property_type;
18type ctl_restart_prop, property_type;
19type ctl_rildaemon_prop, property_type;
20type ctl_sigstop_prop, property_type;
21type ctl_start_prop, property_type;
22type ctl_stop_prop, property_type;
23type dalvik_prop, property_type, core_property_type;
24type debuggerd_prop, property_type, core_property_type;
25type debug_prop, property_type, core_property_type;
26type default_prop, property_type, core_property_type;
27type device_logging_prop, property_type;
28type dhcp_prop, property_type, core_property_type;
29type dumpstate_options_prop, property_type;
30type dumpstate_prop, property_type, core_property_type;
31type exported_secure_prop, property_type;
32type ffs_prop, property_type, core_property_type;
33type fingerprint_prop, property_type, core_property_type;
34type firstboot_prop, property_type;
35type hwservicemanager_prop, property_type;
36type last_boot_reason_prop, property_type;
37type logd_prop, property_type, core_property_type;
38type logpersistd_logging_prop, property_type;
39type log_prop, property_type, log_property_type;
40type log_tag_prop, property_type, log_property_type;
41type lowpan_prop, property_type;
42type mmc_prop, property_type;
43type net_dns_prop, property_type;
44type net_radio_prop, property_type, core_property_type;
45type netd_stable_secret_prop, property_type;
46type nfc_prop, property_type, core_property_type;
47type overlay_prop, property_type;
48type pan_result_prop, property_type, core_property_type;
49type persist_debug_prop, property_type, core_property_type;
50type persistent_properties_ready_prop, property_type;
51type pm_prop, property_type;
52type powerctl_prop, property_type, core_property_type;
53type radio_prop, property_type, core_property_type;
54type restorecon_prop, property_type, core_property_type;
55type safemode_prop, property_type;
56type serialno_prop, property_type;
57type shell_prop, property_type, core_property_type;
58type system_boot_reason_prop, property_type;
59type system_prop, property_type, core_property_type;
60type system_radio_prop, property_type, core_property_type;
61type test_boot_reason_prop, property_type;
62type traced_enabled_prop, property_type;
63type vold_prop, property_type, core_property_type;
64type wifi_log_prop, property_type, log_property_type;
65type wifi_prop, property_type;
66type vendor_security_patch_level_prop, property_type;
67
68# Properties for whitelisting
69type exported_audio_prop, property_type;
70type exported_bluetooth_prop, property_type;
71type exported_config_prop, property_type;
72type exported_dalvik_prop, property_type;
73type exported_default_prop, property_type;
74type exported_dumpstate_prop, property_type;
75type exported_ffs_prop, property_type;
76type exported_fingerprint_prop, property_type;
77type exported_overlay_prop, property_type;
78type exported_pm_prop, property_type;
79type exported_radio_prop, property_type;
80type exported_system_prop, property_type;
81type exported_system_radio_prop, property_type;
82type exported_vold_prop, property_type;
83type exported_wifi_prop, property_type;
84type exported2_config_prop, property_type;
85type exported2_default_prop, property_type;
86type exported2_radio_prop, property_type;
87type exported2_system_prop, property_type;
88type exported2_vold_prop, property_type;
89type exported3_default_prop, property_type;
90type exported3_radio_prop, property_type;
91type exported3_system_prop, property_type;
92type vendor_default_prop, property_type;
93
94allow property_type tmpfs:filesystem associate;
95
96###
97### Neverallow rules
98###
99
100# core_property_type should not be used for new properties or
101# device specific properties. Properties with this attribute
102# are readable to everyone, which is overly broad and should
103# be avoided.
104# New properties should have appropriate read / write access
105# control rules written.
106
107neverallow * {
108  core_property_type
109  -audio_prop
110  -config_prop
111  -cppreopt_prop
112  -dalvik_prop
113  -debuggerd_prop
114  -debug_prop
115  -default_prop
116  -dhcp_prop
117  -dumpstate_prop
118  -ffs_prop
119  -fingerprint_prop
120  -logd_prop
121  -net_radio_prop
122  -nfc_prop
123  -pan_result_prop
124  -persist_debug_prop
125  -powerctl_prop
126  -radio_prop
127  -restorecon_prop
128  -shell_prop
129  -system_prop
130  -system_radio_prop
131  -vold_prop
132}:file no_rw_file_perms;
133
134# sigstop property is only used for debugging; should only be set by su which is permissive
135# for userdebug/eng
136neverallow {
137  domain
138  -init
139  -vendor_init
140} ctl_sigstop_prop:property_service set;
141
142# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
143# in the audit log
144dontaudit domain {
145  ctl_bootanim_prop
146  ctl_bugreport_prop
147  ctl_console_prop
148  ctl_default_prop
149  ctl_dumpstate_prop
150  ctl_fuse_prop
151  ctl_mdnsd_prop
152  ctl_rildaemon_prop
153}:property_service set;
154
155compatible_property_only(`
156# Prevent properties from being set
157  neverallow {
158    domain
159    -coredomain
160    -appdomain
161    -vendor_init
162  } {
163    core_property_type
164    extended_core_property_type
165    exported_config_prop
166    exported_dalvik_prop
167    exported_default_prop
168    exported_dumpstate_prop
169    exported_ffs_prop
170    exported_fingerprint_prop
171    exported_system_prop
172    exported_system_radio_prop
173    exported_vold_prop
174    exported2_config_prop
175    exported2_default_prop
176    exported2_system_prop
177    exported2_vold_prop
178    exported3_default_prop
179    exported3_system_prop
180    -nfc_prop
181    -powerctl_prop
182    -radio_prop
183  }:property_service set;
184
185  neverallow {
186    domain
187    -coredomain
188    -appdomain
189    -hal_nfc_server
190  } {
191    nfc_prop
192  }:property_service set;
193
194  neverallow {
195    domain
196    -coredomain
197    -appdomain
198    -hal_telephony_server
199    -vendor_init
200  } {
201    exported_radio_prop
202    exported3_radio_prop
203  }:property_service set;
204
205  neverallow {
206    domain
207    -coredomain
208    -appdomain
209    -hal_telephony_server
210  } {
211    exported2_radio_prop
212    radio_prop
213  }:property_service set;
214
215  neverallow {
216    domain
217    -coredomain
218    -bluetooth
219    -hal_bluetooth_server
220  } {
221    bluetooth_prop
222  }:property_service set;
223
224  neverallow {
225    domain
226    -coredomain
227    -bluetooth
228    -hal_bluetooth_server
229    -vendor_init
230  } {
231    exported_bluetooth_prop
232  }:property_service set;
233
234  neverallow {
235    domain
236    -coredomain
237    -hal_wifi_server
238    -wificond
239  } {
240    wifi_prop
241  }:property_service set;
242
243  neverallow {
244    domain
245    -coredomain
246    -hal_wifi_server
247    -wificond
248    -vendor_init
249  } {
250    exported_wifi_prop
251  }:property_service set;
252
253# Prevent properties from being read
254  neverallow {
255    domain
256    -coredomain
257    -appdomain
258    -vendor_init
259  } {
260    core_property_type
261    extended_core_property_type
262    exported_dalvik_prop
263    exported_ffs_prop
264    exported_system_radio_prop
265    exported2_config_prop
266    exported2_system_prop
267    exported2_vold_prop
268    exported3_default_prop
269    exported3_system_prop
270    -debug_prop
271    -logd_prop
272    -nfc_prop
273    -powerctl_prop
274    -radio_prop
275  }:file no_rw_file_perms;
276
277  neverallow {
278    domain
279    -coredomain
280    -appdomain
281    -hal_nfc_server
282  } {
283    nfc_prop
284  }:file no_rw_file_perms;
285
286  neverallow {
287    domain
288    -coredomain
289    -appdomain
290    -hal_telephony_server
291  } {
292    radio_prop
293  }:file no_rw_file_perms;
294
295  neverallow {
296    domain
297    -coredomain
298    -bluetooth
299    -hal_bluetooth_server
300  } {
301    bluetooth_prop
302  }:file no_rw_file_perms;
303
304  neverallow {
305    domain
306    -coredomain
307    -hal_wifi_server
308    -wificond
309  } {
310    wifi_prop
311  }:file no_rw_file_perms;
312')
313
314compatible_property_only(`
315  # Neverallow coredomain to set vendor properties
316  neverallow {
317    coredomain
318    -init
319    -system_writes_vendor_properties_violators
320  } {
321    property_type
322    -audio_prop
323    -bluetooth_a2dp_offload_prop
324    -bluetooth_prop
325    -bootloader_boot_reason_prop
326    -boottime_prop
327    -config_prop
328    -cppreopt_prop
329    -ctl_bootanim_prop
330    -ctl_bugreport_prop
331    -ctl_console_prop
332    -ctl_default_prop
333    -ctl_dumpstate_prop
334    -ctl_fuse_prop
335    -ctl_interface_restart_prop
336    -ctl_interface_start_prop
337    -ctl_interface_stop_prop
338    -ctl_mdnsd_prop
339    -ctl_restart_prop
340    -ctl_rildaemon_prop
341    -ctl_sigstop_prop
342    -ctl_start_prop
343    -ctl_stop_prop
344    -dalvik_prop
345    -debug_prop
346    -debuggerd_prop
347    -default_prop
348    -device_logging_prop
349    -dhcp_prop
350    -dumpstate_options_prop
351    -dumpstate_prop
352    -exported2_config_prop
353    -exported2_default_prop
354    -exported2_radio_prop
355    -exported2_system_prop
356    -exported2_vold_prop
357    -exported3_default_prop
358    -exported3_radio_prop
359    -exported3_system_prop
360    -exported_bluetooth_prop
361    -exported_config_prop
362    -exported_dalvik_prop
363    -exported_default_prop
364    -exported_dumpstate_prop
365    -exported_ffs_prop
366    -exported_fingerprint_prop
367    -exported_overlay_prop
368    -exported_pm_prop
369    -exported_radio_prop
370    -exported_secure_prop
371    -exported_system_prop
372    -exported_system_radio_prop
373    -exported_vold_prop
374    -exported_wifi_prop
375    -extended_core_property_type
376    -ffs_prop
377    -fingerprint_prop
378    -firstboot_prop
379    -hwservicemanager_prop
380    -last_boot_reason_prop
381    -log_prop
382    -log_tag_prop
383    -logd_prop
384    -logpersistd_logging_prop
385    -lowpan_prop
386    -mmc_prop
387    -net_dns_prop
388    -net_radio_prop
389    -netd_stable_secret_prop
390    -nfc_prop
391    -overlay_prop
392    -pan_result_prop
393    -persist_debug_prop
394    -persistent_properties_ready_prop
395    -pm_prop
396    -powerctl_prop
397    -radio_prop
398    -restorecon_prop
399    -safemode_prop
400    -serialno_prop
401    -shell_prop
402    -system_boot_reason_prop
403    -system_prop
404    -system_radio_prop
405    -test_boot_reason_prop
406    -traced_enabled_prop
407    -vendor_default_prop
408    -vendor_security_patch_level_prop
409    -vold_prop
410    -wifi_log_prop
411    -wifi_prop
412  }:property_service set;
413')
414