• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1type apexd_prop, property_type;
2type audio_prop, property_type, core_property_type;
3type boottime_prop, property_type;
4type bluetooth_a2dp_offload_prop, property_type;
5type bluetooth_audio_hal_prop, property_type;
6type bluetooth_prop, property_type;
7type bpf_progs_loaded_prop, property_type;
8type bootloader_boot_reason_prop, property_type;
9type config_prop, property_type, core_property_type;
10type cppreopt_prop, property_type, core_property_type;
11type cpu_variant_prop, property_type;
12type ctl_adbd_prop, property_type;
13type ctl_bootanim_prop, property_type;
14type ctl_bugreport_prop, property_type;
15type ctl_console_prop, property_type;
16type ctl_default_prop, property_type;
17type ctl_dumpstate_prop, property_type;
18type ctl_fuse_prop, property_type;
19type ctl_gsid_prop, property_type;
20type ctl_interface_restart_prop, property_type;
21type ctl_interface_start_prop, property_type;
22type ctl_interface_stop_prop, property_type;
23type ctl_mdnsd_prop, property_type;
24type ctl_restart_prop, property_type;
25type ctl_rildaemon_prop, property_type;
26type ctl_sigstop_prop, property_type;
27type ctl_start_prop, property_type;
28type ctl_stop_prop, property_type;
29type dalvik_prop, property_type, core_property_type;
30type debuggerd_prop, property_type, core_property_type;
31type debug_prop, property_type, core_property_type;
32type default_prop, property_type, core_property_type;
33type device_config_activity_manager_native_boot_prop, property_type;
34type device_config_boot_count_prop, property_type;
35type device_config_reset_performed_prop, property_type;
36type device_config_input_native_boot_prop, property_type;
37type device_config_netd_native_prop, property_type;
38type device_config_runtime_native_boot_prop, property_type;
39type device_config_runtime_native_prop, property_type;
40type device_config_media_native_prop, property_type;
41type device_logging_prop, property_type;
42type dhcp_prop, property_type, core_property_type;
43type dumpstate_options_prop, property_type;
44type dumpstate_prop, property_type, core_property_type;
45type dynamic_system_prop, property_type;
46type exported_secure_prop, property_type;
47type ffs_prop, property_type, core_property_type;
48type fingerprint_prop, property_type, core_property_type;
49type firstboot_prop, property_type;
50type gsid_prop, property_type;
51type heapprofd_enabled_prop, property_type;
52type heapprofd_prop, property_type;
53type hwservicemanager_prop, property_type;
54type last_boot_reason_prop, property_type;
55type system_lmk_prop, property_type;
56type llkd_prop, property_type;
57type logd_prop, property_type, core_property_type;
58type logpersistd_logging_prop, property_type;
59type log_prop, property_type, log_property_type;
60type log_tag_prop, property_type, log_property_type;
61type lowpan_prop, property_type;
62type lpdumpd_prop, property_type;
63type mmc_prop, property_type;
64type net_dns_prop, property_type;
65type net_radio_prop, property_type, core_property_type;
66type netd_stable_secret_prop, property_type;
67type nfc_prop, property_type, core_property_type;
68type nnapi_ext_deny_product_prop, property_type;
69type overlay_prop, property_type;
70type pan_result_prop, property_type, core_property_type;
71type persist_debug_prop, property_type, core_property_type;
72type persistent_properties_ready_prop, property_type;
73type pm_prop, property_type;
74type powerctl_prop, property_type, core_property_type;
75type radio_prop, property_type, core_property_type;
76type restorecon_prop, property_type, core_property_type;
77type safemode_prop, property_type;
78type serialno_prop, property_type;
79type shell_prop, property_type, core_property_type;
80type system_boot_reason_prop, property_type;
81type system_prop, property_type, core_property_type;
82type system_radio_prop, property_type, core_property_type;
83type system_trace_prop, property_type;
84type test_boot_reason_prop, property_type;
85type test_harness_prop, property_type;
86type theme_prop, property_type;
87type time_prop, property_type;
88type traced_enabled_prop, property_type;
89type traced_lazy_prop, property_type;
90type use_memfd_prop, property_type;
91type vold_prop, property_type, core_property_type;
92type wifi_log_prop, property_type, log_property_type;
93type wifi_prop, property_type;
94type vendor_security_patch_level_prop, property_type;
95
96# Properties for whitelisting
97type exported_audio_prop, property_type;
98type exported_bluetooth_prop, property_type;
99type exported_config_prop, property_type;
100type exported_dalvik_prop, property_type;
101type exported_default_prop, property_type;
102type exported_dumpstate_prop, property_type;
103type exported_ffs_prop, property_type;
104type exported_fingerprint_prop, property_type;
105type exported_overlay_prop, property_type;
106type exported_pm_prop, property_type;
107type exported_radio_prop, property_type;
108type exported_system_prop, property_type;
109type exported_system_radio_prop, property_type;
110type exported_vold_prop, property_type;
111type exported_wifi_prop, property_type;
112type exported2_config_prop, property_type;
113type exported2_default_prop, property_type;
114type exported2_radio_prop, property_type;
115type exported2_system_prop, property_type;
116type exported2_vold_prop, property_type;
117type exported3_default_prop, property_type;
118type exported3_radio_prop, property_type;
119type exported3_system_prop, property_type;
120type vendor_default_prop, property_type;
121
122allow property_type tmpfs:filesystem associate;
123
124###
125### Neverallow rules
126###
127
128# There is no need to perform ioctl or advisory locking operations on
129# property files. If this neverallow is being triggered, it is
130# likely that the policy is using r_file_perms directly instead of
131# the get_prop() macro.
132neverallow domain property_type:file { ioctl lock };
133
134# core_property_type should not be used for new properties or
135# device specific properties. Properties with this attribute
136# are readable to everyone, which is overly broad and should
137# be avoided.
138# New properties should have appropriate read / write access
139# control rules written.
140
141neverallow * {
142  core_property_type
143  -audio_prop
144  -config_prop
145  -cppreopt_prop
146  -dalvik_prop
147  -debuggerd_prop
148  -debug_prop
149  -default_prop
150  -dhcp_prop
151  -dumpstate_prop
152  -ffs_prop
153  -fingerprint_prop
154  -logd_prop
155  -net_radio_prop
156  -nfc_prop
157  -pan_result_prop
158  -persist_debug_prop
159  -powerctl_prop
160  -radio_prop
161  -restorecon_prop
162  -shell_prop
163  -system_prop
164  -system_radio_prop
165  -vold_prop
166}:file no_rw_file_perms;
167
168# sigstop property is only used for debugging; should only be set by su which is permissive
169# for userdebug/eng
170neverallow {
171  domain
172  -init
173  -vendor_init
174} ctl_sigstop_prop:property_service set;
175
176# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
177# in the audit log
178dontaudit domain {
179  ctl_bootanim_prop
180  ctl_bugreport_prop
181  ctl_console_prop
182  ctl_default_prop
183  ctl_dumpstate_prop
184  ctl_fuse_prop
185  ctl_mdnsd_prop
186  ctl_rildaemon_prop
187}:property_service set;
188
189compatible_property_only(`
190# Prevent properties from being set
191  neverallow {
192    domain
193    -coredomain
194    -appdomain
195    -vendor_init
196  } {
197    core_property_type
198    extended_core_property_type
199    exported_config_prop
200    exported_dalvik_prop
201    exported_default_prop
202    exported_dumpstate_prop
203    exported_ffs_prop
204    exported_fingerprint_prop
205    exported_system_prop
206    exported_system_radio_prop
207    exported_vold_prop
208    exported2_config_prop
209    exported2_default_prop
210    exported2_system_prop
211    exported2_vold_prop
212    exported3_default_prop
213    exported3_system_prop
214    -nfc_prop
215    -powerctl_prop
216    -radio_prop
217  }:property_service set;
218
219  neverallow {
220    domain
221    -coredomain
222    -appdomain
223    -hal_nfc_server
224  } {
225    nfc_prop
226  }:property_service set;
227
228  neverallow {
229    domain
230    -coredomain
231    -appdomain
232    -hal_telephony_server
233    -vendor_init
234  } {
235    exported_radio_prop
236    exported3_radio_prop
237  }:property_service set;
238
239  neverallow {
240    domain
241    -coredomain
242    -appdomain
243    -hal_telephony_server
244  } {
245    exported2_radio_prop
246    radio_prop
247  }:property_service set;
248
249  neverallow {
250    domain
251    -coredomain
252    -bluetooth
253    -hal_bluetooth_server
254  } {
255    bluetooth_prop
256  }:property_service set;
257
258  neverallow {
259    domain
260    -coredomain
261    -bluetooth
262    -hal_bluetooth_server
263    -vendor_init
264  } {
265    exported_bluetooth_prop
266  }:property_service set;
267
268  neverallow {
269    domain
270    -coredomain
271    -hal_wifi_server
272    -wificond
273  } {
274    wifi_prop
275  }:property_service set;
276
277  neverallow {
278    domain
279    -coredomain
280    -hal_wifi_server
281    -wificond
282    -vendor_init
283  } {
284    exported_wifi_prop
285  }:property_service set;
286
287# Prevent properties from being read
288  neverallow {
289    domain
290    -coredomain
291    -appdomain
292    -vendor_init
293  } {
294    core_property_type
295    extended_core_property_type
296    exported_dalvik_prop
297    exported_ffs_prop
298    exported_system_radio_prop
299    exported2_config_prop
300    exported2_system_prop
301    exported2_vold_prop
302    exported3_default_prop
303    exported3_system_prop
304    -debug_prop
305    -logd_prop
306    -nfc_prop
307    -powerctl_prop
308    -radio_prop
309  }:file no_rw_file_perms;
310
311  neverallow {
312    domain
313    -coredomain
314    -appdomain
315    -hal_nfc_server
316  } {
317    nfc_prop
318  }:file no_rw_file_perms;
319
320  neverallow {
321    domain
322    -coredomain
323    -appdomain
324    -hal_telephony_server
325  } {
326    radio_prop
327  }:file no_rw_file_perms;
328
329  neverallow {
330    domain
331    -coredomain
332    -bluetooth
333    -hal_bluetooth_server
334  } {
335    bluetooth_prop
336  }:file no_rw_file_perms;
337
338  neverallow {
339    domain
340    -coredomain
341    -hal_wifi_server
342    -wificond
343  } {
344    wifi_prop
345  }:file no_rw_file_perms;
346')
347
348compatible_property_only(`
349  # Neverallow coredomain to set vendor properties
350  neverallow {
351    coredomain
352    -init
353    -system_writes_vendor_properties_violators
354  } {
355    property_type
356    -apexd_prop
357    -audio_prop
358    -bluetooth_a2dp_offload_prop
359    -bluetooth_audio_hal_prop
360    -bluetooth_prop
361    -bootloader_boot_reason_prop
362    -boottime_prop
363    -bpf_progs_loaded_prop
364    -config_prop
365    -cppreopt_prop
366    -ctl_adbd_prop
367    -ctl_bootanim_prop
368    -ctl_bugreport_prop
369    -ctl_console_prop
370    -ctl_default_prop
371    -ctl_dumpstate_prop
372    -ctl_fuse_prop
373    -ctl_gsid_prop
374    -ctl_interface_restart_prop
375    -ctl_interface_start_prop
376    -ctl_interface_stop_prop
377    -ctl_mdnsd_prop
378    -ctl_restart_prop
379    -ctl_rildaemon_prop
380    -ctl_sigstop_prop
381    -ctl_start_prop
382    -ctl_stop_prop
383    -dalvik_prop
384    -debug_prop
385    -debuggerd_prop
386    -default_prop
387    -device_logging_prop
388    -dhcp_prop
389    -dumpstate_options_prop
390    -dumpstate_prop
391    -exported2_config_prop
392    -exported2_default_prop
393    -exported2_radio_prop
394    -exported2_system_prop
395    -exported2_vold_prop
396    -exported3_default_prop
397    -exported3_radio_prop
398    -exported3_system_prop
399    -exported_bluetooth_prop
400    -exported_config_prop
401    -exported_dalvik_prop
402    -exported_default_prop
403    -exported_dumpstate_prop
404    -exported_ffs_prop
405    -exported_fingerprint_prop
406    -exported_overlay_prop
407    -exported_pm_prop
408    -exported_radio_prop
409    -exported_secure_prop
410    -exported_system_prop
411    -exported_system_radio_prop
412    -exported_vold_prop
413    -exported_wifi_prop
414    -extended_core_property_type
415    -ffs_prop
416    -fingerprint_prop
417    -firstboot_prop
418    -device_config_activity_manager_native_boot_prop
419    -device_config_reset_performed_prop
420    -device_config_boot_count_prop
421    -device_config_input_native_boot_prop
422    -device_config_netd_native_prop
423    -device_config_runtime_native_boot_prop
424    -device_config_runtime_native_prop
425    -device_config_media_native_prop
426    -dynamic_system_prop
427    -gsid_prop
428    -heapprofd_enabled_prop
429    -heapprofd_prop
430    -hwservicemanager_prop
431    -last_boot_reason_prop
432    -system_lmk_prop
433    -log_prop
434    -log_tag_prop
435    -logd_prop
436    -logpersistd_logging_prop
437    -lowpan_prop
438    -lpdumpd_prop
439    -mmc_prop
440    -net_dns_prop
441    -net_radio_prop
442    -netd_stable_secret_prop
443    -nfc_prop
444    -overlay_prop
445    -pan_result_prop
446    -persist_debug_prop
447    -persistent_properties_ready_prop
448    -pm_prop
449    -powerctl_prop
450    -radio_prop
451    -restorecon_prop
452    -safemode_prop
453    -serialno_prop
454    -shell_prop
455    -system_boot_reason_prop
456    -system_prop
457    -system_radio_prop
458    -system_trace_prop
459    -test_boot_reason_prop
460    -test_harness_prop
461    -theme_prop
462    -time_prop
463    -traced_enabled_prop
464    -traced_lazy_prop
465    -vendor_default_prop
466    -vendor_security_patch_level_prop
467    -vold_prop
468    -wifi_log_prop
469    -wifi_prop
470  }:property_service set;
471')
472