• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1type apexd_prop, property_type;
2type audio_prop, property_type, core_property_type;
3type boottime_prop, property_type;
4type boottime_public_prop, property_type;
5type bluetooth_a2dp_offload_prop, property_type;
6type bluetooth_audio_hal_prop, property_type;
7type bluetooth_prop, property_type;
8type bpf_progs_loaded_prop, property_type;
9type bootloader_boot_reason_prop, property_type;
10type config_prop, property_type, core_property_type;
11type cppreopt_prop, property_type, core_property_type;
12type cpu_variant_prop, property_type;
13type ctl_adbd_prop, property_type;
14type ctl_bootanim_prop, property_type;
15type ctl_bugreport_prop, property_type;
16type ctl_console_prop, property_type;
17type ctl_default_prop, property_type;
18type ctl_dumpstate_prop, property_type;
19type ctl_fuse_prop, property_type;
20type ctl_gsid_prop, property_type;
21type ctl_interface_restart_prop, property_type;
22type ctl_interface_start_prop, property_type;
23type ctl_interface_stop_prop, property_type;
24type ctl_mdnsd_prop, property_type;
25type ctl_restart_prop, property_type;
26type ctl_rildaemon_prop, property_type;
27type ctl_sigstop_prop, property_type;
28type ctl_start_prop, property_type;
29type ctl_stop_prop, property_type;
30type dalvik_prop, property_type, core_property_type;
31type debuggerd_prop, property_type, core_property_type;
32type debug_prop, property_type, core_property_type;
33type default_prop, property_type, core_property_type;
34type device_config_activity_manager_native_boot_prop, property_type;
35type device_config_boot_count_prop, property_type;
36type device_config_reset_performed_prop, property_type;
37type device_config_input_native_boot_prop, property_type;
38type device_config_netd_native_prop, property_type;
39type device_config_runtime_native_boot_prop, property_type;
40type device_config_runtime_native_prop, property_type;
41type device_config_media_native_prop, property_type;
42type device_logging_prop, property_type;
43type dhcp_prop, property_type, core_property_type;
44type dumpstate_options_prop, property_type;
45type dumpstate_prop, property_type, core_property_type;
46type dynamic_system_prop, property_type;
47type exported_secure_prop, property_type;
48type sota_prop, property_type;
49type ffs_prop, property_type, core_property_type;
50type fingerprint_prop, property_type, core_property_type;
51type firstboot_prop, property_type;
52type gsid_prop, property_type;
53type heapprofd_enabled_prop, property_type;
54type heapprofd_prop, property_type;
55type hwservicemanager_prop, property_type;
56type last_boot_reason_prop, property_type;
57type system_lmk_prop, property_type;
58type llkd_prop, property_type;
59type logd_prop, property_type, core_property_type;
60type logpersistd_logging_prop, property_type;
61type log_prop, property_type, log_property_type;
62type log_tag_prop, property_type, log_property_type;
63type lowpan_prop, property_type;
64type lpdumpd_prop, property_type;
65type mmc_prop, property_type;
66type net_dns_prop, property_type;
67type net_radio_prop, property_type, core_property_type;
68type netd_stable_secret_prop, property_type;
69type nfc_prop, property_type, core_property_type;
70type nnapi_ext_deny_product_prop, property_type;
71type overlay_prop, property_type;
72type pan_result_prop, property_type, core_property_type;
73type persist_debug_prop, property_type, core_property_type;
74type persistent_properties_ready_prop, property_type;
75type pm_prop, property_type;
76type powerctl_prop, property_type, core_property_type;
77type radio_prop, property_type, core_property_type;
78type restorecon_prop, property_type, core_property_type;
79type safemode_prop, property_type;
80type serialno_prop, property_type;
81type shell_prop, property_type, core_property_type;
82type system_boot_reason_prop, property_type;
83type system_prop, property_type, core_property_type;
84type system_radio_prop, property_type, core_property_type;
85type system_trace_prop, property_type;
86type test_boot_reason_prop, property_type;
87type test_harness_prop, property_type;
88type theme_prop, property_type;
89type time_prop, property_type;
90type traced_enabled_prop, property_type;
91type traced_lazy_prop, property_type;
92type use_memfd_prop, property_type;
93type vold_prop, property_type, core_property_type;
94type wifi_log_prop, property_type, log_property_type;
95type wifi_prop, property_type;
96type vendor_security_patch_level_prop, property_type;
97
98# Properties for whitelisting
99type exported_audio_prop, property_type;
100type exported_bluetooth_prop, property_type;
101type exported_config_prop, property_type;
102type exported_dalvik_prop, property_type;
103type exported_default_prop, property_type;
104type exported_dumpstate_prop, property_type;
105type exported_ffs_prop, property_type;
106type exported_fingerprint_prop, property_type;
107type exported_overlay_prop, property_type;
108type exported_pm_prop, property_type;
109type exported_radio_prop, property_type;
110type exported_system_prop, property_type;
111type exported_system_radio_prop, property_type;
112type exported_vold_prop, property_type;
113type exported_wifi_prop, property_type;
114type exported2_config_prop, property_type;
115type exported2_default_prop, property_type;
116type exported2_radio_prop, property_type;
117type exported2_system_prop, property_type;
118type exported2_vold_prop, property_type;
119type exported3_default_prop, property_type;
120type exported3_radio_prop, property_type;
121type exported3_system_prop, property_type;
122type vendor_default_prop, property_type;
123
124allow property_type tmpfs:filesystem associate;
125
126###
127### Neverallow rules
128###
129
130# There is no need to perform ioctl or advisory locking operations on
131# property files. If this neverallow is being triggered, it is
132# likely that the policy is using r_file_perms directly instead of
133# the get_prop() macro.
134neverallow domain property_type:file { ioctl lock };
135
136# core_property_type should not be used for new properties or
137# device specific properties. Properties with this attribute
138# are readable to everyone, which is overly broad and should
139# be avoided.
140# New properties should have appropriate read / write access
141# control rules written.
142
143neverallow * {
144  core_property_type
145  -audio_prop
146  -config_prop
147  -cppreopt_prop
148  -dalvik_prop
149  -debuggerd_prop
150  -debug_prop
151  -default_prop
152  -dhcp_prop
153  -dumpstate_prop
154  -ffs_prop
155  -fingerprint_prop
156  -logd_prop
157  -net_radio_prop
158  -nfc_prop
159  -pan_result_prop
160  -persist_debug_prop
161  -powerctl_prop
162  -radio_prop
163  -restorecon_prop
164  -shell_prop
165  -system_prop
166  -system_radio_prop
167  -vold_prop
168}:file no_rw_file_perms;
169
170# sigstop property is only used for debugging; should only be set by su which is permissive
171# for userdebug/eng
172neverallow {
173  domain
174  -init
175  -vendor_init
176} ctl_sigstop_prop:property_service set;
177
178# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
179# in the audit log
180dontaudit domain {
181  ctl_bootanim_prop
182  ctl_bugreport_prop
183  ctl_console_prop
184  ctl_default_prop
185  ctl_dumpstate_prop
186  ctl_fuse_prop
187  ctl_mdnsd_prop
188  ctl_rildaemon_prop
189}:property_service set;
190
191compatible_property_only(`
192# Prevent properties from being set
193  neverallow {
194    domain
195    -coredomain
196    -appdomain
197    -vendor_init
198  } {
199    core_property_type
200    extended_core_property_type
201    exported_config_prop
202    exported_dalvik_prop
203    exported_default_prop
204    exported_dumpstate_prop
205    exported_ffs_prop
206    exported_fingerprint_prop
207    exported_system_prop
208    exported_system_radio_prop
209    exported_vold_prop
210    exported2_config_prop
211    exported2_default_prop
212    exported2_system_prop
213    exported2_vold_prop
214    exported3_default_prop
215    exported3_system_prop
216    -nfc_prop
217    -powerctl_prop
218    -radio_prop
219  }:property_service set;
220
221  neverallow {
222    domain
223    -coredomain
224    -appdomain
225    -hal_nfc_server
226  } {
227    nfc_prop
228  }:property_service set;
229
230  neverallow {
231    domain
232    -coredomain
233    -appdomain
234    -hal_telephony_server
235    -vendor_init
236  } {
237    exported_radio_prop
238    exported3_radio_prop
239  }:property_service set;
240
241  neverallow {
242    domain
243    -coredomain
244    -appdomain
245    -hal_telephony_server
246  } {
247    exported2_radio_prop
248    radio_prop
249  }:property_service set;
250
251  neverallow {
252    domain
253    -coredomain
254    -bluetooth
255    -hal_bluetooth_server
256  } {
257    bluetooth_prop
258  }:property_service set;
259
260  neverallow {
261    domain
262    -coredomain
263    -bluetooth
264    -hal_bluetooth_server
265    -vendor_init
266  } {
267    exported_bluetooth_prop
268  }:property_service set;
269
270  neverallow {
271    domain
272    -coredomain
273    -hal_wifi_server
274    -wificond
275  } {
276    wifi_prop
277  }:property_service set;
278
279  neverallow {
280    domain
281    -coredomain
282    -hal_wifi_server
283    -wificond
284    -vendor_init
285  } {
286    exported_wifi_prop
287  }:property_service set;
288
289# Prevent properties from being read
290  neverallow {
291    domain
292    -coredomain
293    -appdomain
294    -vendor_init
295  } {
296    core_property_type
297    extended_core_property_type
298    exported_dalvik_prop
299    exported_ffs_prop
300    exported_system_radio_prop
301    exported2_config_prop
302    exported2_system_prop
303    exported2_vold_prop
304    exported3_default_prop
305    exported3_system_prop
306    -debug_prop
307    -logd_prop
308    -nfc_prop
309    -powerctl_prop
310    -radio_prop
311  }:file no_rw_file_perms;
312
313  neverallow {
314    domain
315    -coredomain
316    -appdomain
317    -hal_nfc_server
318  } {
319    nfc_prop
320  }:file no_rw_file_perms;
321
322  neverallow {
323    domain
324    -coredomain
325    -appdomain
326    -hal_telephony_server
327  } {
328    radio_prop
329  }:file no_rw_file_perms;
330
331  neverallow {
332    domain
333    -coredomain
334    -bluetooth
335    -hal_bluetooth_server
336  } {
337    bluetooth_prop
338  }:file no_rw_file_perms;
339
340  neverallow {
341    domain
342    -coredomain
343    -hal_wifi_server
344    -wificond
345  } {
346    wifi_prop
347  }:file no_rw_file_perms;
348')
349
350compatible_property_only(`
351  # Neverallow coredomain to set vendor properties
352  neverallow {
353    coredomain
354    -init
355    -system_writes_vendor_properties_violators
356  } {
357    property_type
358    -apexd_prop
359    -audio_prop
360    -bluetooth_a2dp_offload_prop
361    -bluetooth_audio_hal_prop
362    -bluetooth_prop
363    -bootloader_boot_reason_prop
364    -boottime_prop
365    -boottime_public_prop
366    -bpf_progs_loaded_prop
367    -config_prop
368    -cppreopt_prop
369    -ctl_adbd_prop
370    -ctl_bootanim_prop
371    -ctl_bugreport_prop
372    -ctl_console_prop
373    -ctl_default_prop
374    -ctl_dumpstate_prop
375    -ctl_fuse_prop
376    -ctl_gsid_prop
377    -ctl_interface_restart_prop
378    -ctl_interface_start_prop
379    -ctl_interface_stop_prop
380    -ctl_mdnsd_prop
381    -ctl_restart_prop
382    -ctl_rildaemon_prop
383    -ctl_sigstop_prop
384    -ctl_start_prop
385    -ctl_stop_prop
386    -dalvik_prop
387    -debug_prop
388    -debuggerd_prop
389    -default_prop
390    -device_logging_prop
391    -dhcp_prop
392    -dumpstate_options_prop
393    -dumpstate_prop
394    -exported2_config_prop
395    -exported2_default_prop
396    -exported2_radio_prop
397    -exported2_system_prop
398    -exported2_vold_prop
399    -exported3_default_prop
400    -exported3_radio_prop
401    -exported3_system_prop
402    -exported_bluetooth_prop
403    -exported_config_prop
404    -exported_dalvik_prop
405    -exported_default_prop
406    -exported_dumpstate_prop
407    -exported_ffs_prop
408    -exported_fingerprint_prop
409    -exported_overlay_prop
410    -exported_pm_prop
411    -exported_radio_prop
412    -exported_secure_prop
413    -exported_system_prop
414    -exported_system_radio_prop
415    -exported_vold_prop
416    -exported_wifi_prop
417    -extended_core_property_type
418    -sota_prop
419    -ffs_prop
420    -fingerprint_prop
421    -firstboot_prop
422    -device_config_activity_manager_native_boot_prop
423    -device_config_reset_performed_prop
424    -device_config_boot_count_prop
425    -device_config_input_native_boot_prop
426    -device_config_netd_native_prop
427    -device_config_runtime_native_boot_prop
428    -device_config_runtime_native_prop
429    -device_config_media_native_prop
430    -dynamic_system_prop
431    -gsid_prop
432    -heapprofd_enabled_prop
433    -heapprofd_prop
434    -hwservicemanager_prop
435    -last_boot_reason_prop
436    -system_lmk_prop
437    -log_prop
438    -log_tag_prop
439    -logd_prop
440    -logpersistd_logging_prop
441    -lowpan_prop
442    -lpdumpd_prop
443    -mmc_prop
444    -net_dns_prop
445    -net_radio_prop
446    -netd_stable_secret_prop
447    -nfc_prop
448    -overlay_prop
449    -pan_result_prop
450    -persist_debug_prop
451    -persistent_properties_ready_prop
452    -pm_prop
453    -powerctl_prop
454    -radio_prop
455    -restorecon_prop
456    -safemode_prop
457    -serialno_prop
458    -shell_prop
459    -system_boot_reason_prop
460    -system_prop
461    -system_radio_prop
462    -system_trace_prop
463    -test_boot_reason_prop
464    -test_harness_prop
465    -theme_prop
466    -time_prop
467    -traced_enabled_prop
468    -traced_lazy_prop
469    -vendor_default_prop
470    -vendor_security_patch_level_prop
471    -vold_prop
472    -wifi_log_prop
473    -wifi_prop
474  }:property_service set;
475')
476