• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1type audio_prop, property_type, core_property_type;
2type boottime_prop, property_type;
3type boottime_public_prop, property_type;
4type bluetooth_a2dp_offload_prop, property_type;
5type bluetooth_prop, property_type;
6type bootloader_boot_reason_prop, property_type;
7type config_prop, property_type, core_property_type;
8type cppreopt_prop, property_type, core_property_type;
9type ctl_bootanim_prop, property_type;
10type ctl_bugreport_prop, property_type;
11type ctl_console_prop, property_type;
12type ctl_default_prop, property_type;
13type ctl_dumpstate_prop, property_type;
14type ctl_fuse_prop, property_type;
15type ctl_interface_restart_prop, property_type;
16type ctl_interface_start_prop, property_type;
17type ctl_interface_stop_prop, property_type;
18type ctl_mdnsd_prop, property_type;
19type ctl_restart_prop, property_type;
20type ctl_rildaemon_prop, property_type;
21type ctl_sigstop_prop, property_type;
22type ctl_start_prop, property_type;
23type ctl_stop_prop, property_type;
24type dalvik_prop, property_type, core_property_type;
25type debuggerd_prop, property_type, core_property_type;
26type debug_prop, property_type, core_property_type;
27type default_prop, property_type, core_property_type;
28type device_logging_prop, property_type;
29type dhcp_prop, property_type, core_property_type;
30type dumpstate_options_prop, property_type;
31type dumpstate_prop, property_type, core_property_type;
32type exported_secure_prop, property_type;
33type ffs_prop, property_type, core_property_type;
34type fingerprint_prop, property_type, core_property_type;
35type firstboot_prop, property_type;
36type hwservicemanager_prop, property_type;
37type last_boot_reason_prop, property_type;
38type logd_prop, property_type, core_property_type;
39type logpersistd_logging_prop, property_type;
40type log_prop, property_type, log_property_type;
41type log_tag_prop, property_type, log_property_type;
42type lowpan_prop, property_type;
43type mmc_prop, property_type;
44type net_dns_prop, property_type;
45type net_radio_prop, property_type, core_property_type;
46type netd_stable_secret_prop, property_type;
47type nfc_prop, property_type, core_property_type;
48type overlay_prop, property_type;
49type pan_result_prop, property_type, core_property_type;
50type persist_debug_prop, property_type, core_property_type;
51type persistent_properties_ready_prop, property_type;
52type pm_prop, property_type;
53type powerctl_prop, property_type, core_property_type;
54type radio_prop, property_type, core_property_type;
55type restorecon_prop, property_type, core_property_type;
56type safemode_prop, property_type;
57type serialno_prop, property_type;
58type shell_prop, property_type, core_property_type;
59type system_boot_reason_prop, property_type;
60type system_prop, property_type, core_property_type;
61type system_radio_prop, property_type, core_property_type;
62type test_boot_reason_prop, property_type;
63type traced_enabled_prop, property_type;
64type vold_prop, property_type, core_property_type;
65type wifi_log_prop, property_type, log_property_type;
66type wifi_prop, property_type;
67type vendor_security_patch_level_prop, property_type;
68
69# Properties for whitelisting
70type exported_audio_prop, property_type;
71type exported_bluetooth_prop, property_type;
72type exported_config_prop, property_type;
73type exported_dalvik_prop, property_type;
74type exported_default_prop, property_type;
75type exported_dumpstate_prop, property_type;
76type exported_ffs_prop, property_type;
77type exported_fingerprint_prop, property_type;
78type exported_overlay_prop, property_type;
79type exported_pm_prop, property_type;
80type exported_radio_prop, property_type;
81type exported_system_prop, property_type;
82type exported_system_radio_prop, property_type;
83type exported_vold_prop, property_type;
84type exported_wifi_prop, property_type;
85type exported2_config_prop, property_type;
86type exported2_default_prop, property_type;
87type exported2_radio_prop, property_type;
88type exported2_system_prop, property_type;
89type exported2_vold_prop, property_type;
90type exported3_default_prop, property_type;
91type exported3_radio_prop, property_type;
92type exported3_system_prop, property_type;
93type vendor_default_prop, property_type;
94
95allow property_type tmpfs:filesystem associate;
96
97###
98### Neverallow rules
99###
100
101# core_property_type should not be used for new properties or
102# device specific properties. Properties with this attribute
103# are readable to everyone, which is overly broad and should
104# be avoided.
105# New properties should have appropriate read / write access
106# control rules written.
107
108neverallow * {
109  core_property_type
110  -audio_prop
111  -config_prop
112  -cppreopt_prop
113  -dalvik_prop
114  -debuggerd_prop
115  -debug_prop
116  -default_prop
117  -dhcp_prop
118  -dumpstate_prop
119  -ffs_prop
120  -fingerprint_prop
121  -logd_prop
122  -net_radio_prop
123  -nfc_prop
124  -pan_result_prop
125  -persist_debug_prop
126  -powerctl_prop
127  -radio_prop
128  -restorecon_prop
129  -shell_prop
130  -system_prop
131  -system_radio_prop
132  -vold_prop
133}:file no_rw_file_perms;
134
135# sigstop property is only used for debugging; should only be set by su which is permissive
136# for userdebug/eng
137neverallow {
138  domain
139  -init
140  -vendor_init
141} ctl_sigstop_prop:property_service set;
142
143# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
144# in the audit log
145dontaudit domain {
146  ctl_bootanim_prop
147  ctl_bugreport_prop
148  ctl_console_prop
149  ctl_default_prop
150  ctl_dumpstate_prop
151  ctl_fuse_prop
152  ctl_mdnsd_prop
153  ctl_rildaemon_prop
154}:property_service set;
155
156compatible_property_only(`
157# Prevent properties from being set
158  neverallow {
159    domain
160    -coredomain
161    -appdomain
162    -vendor_init
163  } {
164    core_property_type
165    extended_core_property_type
166    exported_config_prop
167    exported_dalvik_prop
168    exported_default_prop
169    exported_dumpstate_prop
170    exported_ffs_prop
171    exported_fingerprint_prop
172    exported_system_prop
173    exported_system_radio_prop
174    exported_vold_prop
175    exported2_config_prop
176    exported2_default_prop
177    exported2_system_prop
178    exported2_vold_prop
179    exported3_default_prop
180    exported3_system_prop
181    -nfc_prop
182    -powerctl_prop
183    -radio_prop
184  }:property_service set;
185
186  neverallow {
187    domain
188    -coredomain
189    -appdomain
190    -hal_nfc_server
191  } {
192    nfc_prop
193  }:property_service set;
194
195  neverallow {
196    domain
197    -coredomain
198    -appdomain
199    -hal_telephony_server
200    -vendor_init
201  } {
202    exported_radio_prop
203    exported3_radio_prop
204  }:property_service set;
205
206  neverallow {
207    domain
208    -coredomain
209    -appdomain
210    -hal_telephony_server
211  } {
212    exported2_radio_prop
213    radio_prop
214  }:property_service set;
215
216  neverallow {
217    domain
218    -coredomain
219    -bluetooth
220    -hal_bluetooth_server
221  } {
222    bluetooth_prop
223  }:property_service set;
224
225  neverallow {
226    domain
227    -coredomain
228    -bluetooth
229    -hal_bluetooth_server
230    -vendor_init
231  } {
232    exported_bluetooth_prop
233  }:property_service set;
234
235  neverallow {
236    domain
237    -coredomain
238    -hal_wifi_server
239    -wificond
240  } {
241    wifi_prop
242  }:property_service set;
243
244  neverallow {
245    domain
246    -coredomain
247    -hal_wifi_server
248    -wificond
249    -vendor_init
250  } {
251    exported_wifi_prop
252  }:property_service set;
253
254# Prevent properties from being read
255  neverallow {
256    domain
257    -coredomain
258    -appdomain
259    -vendor_init
260  } {
261    core_property_type
262    extended_core_property_type
263    exported_dalvik_prop
264    exported_ffs_prop
265    exported_system_radio_prop
266    exported2_config_prop
267    exported2_system_prop
268    exported2_vold_prop
269    exported3_default_prop
270    exported3_system_prop
271    -debug_prop
272    -logd_prop
273    -nfc_prop
274    -powerctl_prop
275    -radio_prop
276  }:file no_rw_file_perms;
277
278  neverallow {
279    domain
280    -coredomain
281    -appdomain
282    -hal_nfc_server
283  } {
284    nfc_prop
285  }:file no_rw_file_perms;
286
287  neverallow {
288    domain
289    -coredomain
290    -appdomain
291    -hal_telephony_server
292  } {
293    radio_prop
294  }:file no_rw_file_perms;
295
296  neverallow {
297    domain
298    -coredomain
299    -bluetooth
300    -hal_bluetooth_server
301  } {
302    bluetooth_prop
303  }:file no_rw_file_perms;
304
305  neverallow {
306    domain
307    -coredomain
308    -hal_wifi_server
309    -wificond
310  } {
311    wifi_prop
312  }:file no_rw_file_perms;
313')
314
315compatible_property_only(`
316  # Neverallow coredomain to set vendor properties
317  neverallow {
318    coredomain
319    -init
320    -system_writes_vendor_properties_violators
321  } {
322    property_type
323    -audio_prop
324    -bluetooth_a2dp_offload_prop
325    -bluetooth_prop
326    -bootloader_boot_reason_prop
327    -boottime_prop
328    -config_prop
329    -cppreopt_prop
330    -ctl_bootanim_prop
331    -ctl_bugreport_prop
332    -ctl_console_prop
333    -ctl_default_prop
334    -ctl_dumpstate_prop
335    -ctl_fuse_prop
336    -ctl_interface_restart_prop
337    -ctl_interface_start_prop
338    -ctl_interface_stop_prop
339    -ctl_mdnsd_prop
340    -ctl_restart_prop
341    -ctl_rildaemon_prop
342    -ctl_sigstop_prop
343    -ctl_start_prop
344    -ctl_stop_prop
345    -dalvik_prop
346    -debug_prop
347    -debuggerd_prop
348    -default_prop
349    -device_logging_prop
350    -dhcp_prop
351    -dumpstate_options_prop
352    -dumpstate_prop
353    -exported2_config_prop
354    -exported2_default_prop
355    -exported2_radio_prop
356    -exported2_system_prop
357    -exported2_vold_prop
358    -exported3_default_prop
359    -exported3_radio_prop
360    -exported3_system_prop
361    -exported_bluetooth_prop
362    -exported_config_prop
363    -exported_dalvik_prop
364    -exported_default_prop
365    -exported_dumpstate_prop
366    -exported_ffs_prop
367    -exported_fingerprint_prop
368    -exported_overlay_prop
369    -exported_pm_prop
370    -exported_radio_prop
371    -exported_secure_prop
372    -exported_system_prop
373    -exported_system_radio_prop
374    -exported_vold_prop
375    -exported_wifi_prop
376    -extended_core_property_type
377    -ffs_prop
378    -fingerprint_prop
379    -firstboot_prop
380    -hwservicemanager_prop
381    -last_boot_reason_prop
382    -log_prop
383    -log_tag_prop
384    -logd_prop
385    -logpersistd_logging_prop
386    -lowpan_prop
387    -mmc_prop
388    -net_dns_prop
389    -net_radio_prop
390    -netd_stable_secret_prop
391    -nfc_prop
392    -overlay_prop
393    -pan_result_prop
394    -persist_debug_prop
395    -persistent_properties_ready_prop
396    -pm_prop
397    -powerctl_prop
398    -radio_prop
399    -restorecon_prop
400    -safemode_prop
401    -serialno_prop
402    -shell_prop
403    -system_boot_reason_prop
404    -system_prop
405    -system_radio_prop
406    -test_boot_reason_prop
407    -traced_enabled_prop
408    -vendor_default_prop
409    -vendor_security_patch_level_prop
410    -vold_prop
411    -wifi_log_prop
412    -wifi_prop
413  }:property_service set;
414')
415