# Properties used only in /system
#
# Each declaration below marks a property context type as internal to the
# system image (the macro is expected to add the type to both
# system_property_type and system_internal_property_type). The neverallow
# rules further down use those attributes to keep every non-coredomain
# (vendor-side) process from reading or setting these properties, so none
# of them can become part of the system/vendor property interface.
system_internal_prop(adbd_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)

###
### Neverallow rules
###

# A neverallow grants nothing: it is a build-time assertion that checkpolicy
# evaluates against the fully merged policy (system plus vendor), and the
# build fails if any allow rule intersects it. The rules in this section are
# therefore the enforcement mechanism for the system/vendor property split.
treble_sysprop_neverallow(`

enforce_sysprop_owner(`
  # Every property type must carry one of the owner attributes. A type that
  # declares none of them cannot be read or written through its property
  # file by any domain at all, which turns a missing owner into a build
  # error rather than a silently inaccessible property.
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

# Vendor-side (non-coredomain) processes may read only those system
# properties that were explicitly exported as restricted or public.
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# ... and may set only those exported as public.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
# Mirror image of the two rules above: system-side processes may read vendor
# properties only when they are exported as restricted or public ...
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

# ... and may set them only when exported as public.
neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# Legacy core property types: no type at all (the wildcard source covers
# every type, not just domains) may read or write them through the property
# file, except for the listed core types that some domains still need.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -dhcp_prop
  -dumpstate_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -usb_prop
  -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
neverallow {
  domain
  -init
  -vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

# init_svc_debug_prop: only init may set it ...
neverallow {
  domain
  -init
} init_svc_debug_prop:property_service set;

# ... and only init, dumpstate and (on userdebug/eng builds, where the
# macro expands) su may read it. On user builds the su exclusion is absent.
neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# Rules inside this macro apply only to builds that enforce the compatible
# (split system/vendor) property policy. Each rule names the complete set of
# domains allowed to touch the property; everything else is denied.
compatible_property_only(`
# Prevent properties from being set
  # Core and exported system properties may be set from the system side
  # (coredomain), by apps and by vendor_init only; nfc, powerctl and radio
  # have their own narrower rules below.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_system_prop
    exported3_system_prop
    usb_control_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  # nfc_prop: system side, apps and the NFC HAL.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:property_service set;

  # radio_control_prop: additionally settable by the telephony HAL and
  # vendor_init.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    radio_control_prop
  }:property_service set;

  # radio_prop: as above but without vendor_init.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:property_service set;

  # bluetooth_prop: system side, the bluetooth app and the BT HAL; apps in
  # general are not exempted here.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:property_service set;

  # exported_bluetooth_prop: same as bluetooth_prop plus vendor_init.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } {
    exported_bluetooth_prop
  }:property_service set;

  # exported_camera_prop: system side, the camera HAL, cameraserver and
  # vendor_init.
  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } {
    exported_camera_prop
  }:property_service set;

  # wifi_prop: system side, the wifi HAL and wificond.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:property_service set;

  # wifi_hal_prop: note this rule is keyed on init/dumpstate rather than on
  # coredomain, so coredomain processes other than those two are denied as
  # well; only the wifi HAL, wificond and vendor_init are exempted besides.
  neverallow {
    domain
    -init
    -dumpstate
    -hal_wifi_server
    -wificond
    -vendor_init
  } {
    wifi_hal_prop
  }:property_service set;

# Prevent properties from being read
  # Read-side counterpart of the first set rule above: core and exported
  # system properties are readable from the system side, by apps and by
  # vendor_init; debug, logd, nfc, powerctl and radio are handled elsewhere.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop
    extended_core_property_type
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  # Read access for nfc, radio, bluetooth and wifi mirrors the set rules above.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:file no_rw_file_perms;

  # suspend_prop may be set from the system side and by vendor_init only.
  neverallow {
    domain
    -coredomain
    -vendor_init
  } {
    suspend_prop
  }:property_service set;
')

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  # Covers every property type that is not system-owned. init and domains
  # carrying the system_writes_vendor_properties_violators attribute are the
  # only exemptions; the attribute is the audited escape hatch for legacy
  # system components, so additions to it should be treated as a policy
  # regression and reviewed accordingly.
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

# USB function-fs config/control: readable from the system side and by
# vendor_init only.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  ffs_config_prop
  ffs_control_prop
}:file no_rw_file_perms;

# Only init and system_server may set userspace_reboot_log_prop.
neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

neverallow {
  # Only allow init and system_server to set system_adbd_prop
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
  domain
  -init
  -vendor_init
  -adbd
  -system_server
} {
  adbd_config_prop
}:property_service set;

neverallow {
  # Only allow init and adbd to set adbd_prop
  domain
  -init
  -adbd
} {
  adbd_prop
}:property_service set;

neverallow {
  # Only allow init and shell to set userspace_reboot_test_prop
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

# surfaceflinger_color_prop: settable by init, system_server and vendor_init.
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;

# libc_debug_prop: init only.
neverallow {
  domain
  -init
} {
  libc_debug_prop
}:property_service set;

# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
# arm64_memtag_prop: init and shell only (see the comment above on why shell).
neverallow {
  domain
  -init
  -shell
} {
  arm64_memtag_prop
}:property_service set;

# zram and dalvik runtime tuning: init, system_server and vendor_init only.
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} zram_control_prop:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} dalvik_runtime_prop:property_service set;

# USB config/control: settable from the system side and by vendor_init.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  usb_config_prop
  usb_control_prop
}:property_service set;

# Device provisioning / retail demo state: only init and system_server may
# set it; the system side and vendor_init may read it.
neverallow {
  domain
  -init
  -system_server
} {
  provisioned_prop
  retaildemo_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  provisioned_prop
  retaildemo_prop
}:file no_rw_file_perms;

# Service status properties are written by init alone.
neverallow {
  domain
  -init
} {
  init_service_status_private_prop
  init_service_status_prop
}:property_service set;

# telephony_status_prop: init, radio, apps and the telephony HAL; vendor_init
# is exempted only on builds without the compatible property policy (the
# not_compatible_property macro expands to nothing otherwise).
neverallow {
  domain
  -init
  -radio
  -appdomain
  -hal_telephony_server
  not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

# graphics_config_prop: init and vendor_init only.
neverallow {
  domain
  -init
  -vendor_init
} {
  graphics_config_prop
}:property_service set;

# surfaceflinger_display_prop: init and surfaceflinger only.
neverallow {
  domain
  -init
  -surfaceflinger
} {
  surfaceflinger_display_prop
}:property_service set;

# Read restrictions on system-side config properties: each rule lists the
# only domains permitted to read the property file.
neverallow {
  domain
  -coredomain
  -appdomain
  -vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} keyguard_config_prop:file no_rw_file_perms;

# localization_prop: init only.
neverallow {
  domain
  -init
} {
  localization_prop
}:property_service set;

# oem_unlock_prop: readable by init, vendor_init, dumpstate and system_app.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_app
} oem_unlock_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

# sendbug and camera calibration config: readable by (vendor_)init,
# dumpstate and apps.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} sendbug_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} camera_calibration_prop:file no_rw_file_perms;

# hal_dumpstate_config_prop: init, dumpstate and the dumpstate HAL, plus
# vendor_init only on builds without the compatible property policy.
neverallow {
  domain
  -init
  -dumpstate
  -hal_dumpstate_server
  not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;

# lower_kptr_restrict_prop lowers a kernel hardening setting, so on user
# builds only init may set it. The profiling/tracing daemons are exempted
# only where the userdebug_or_eng macro expands (userdebug/eng builds).
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-traced_probes')
  userdebug_or_eng(`-traced_perf')
} {
  lower_kptr_restrict_prop
}:property_service set;

# init-only properties.
neverallow {
  domain
  -init
} zygote_wrap_prop:property_service set;

neverallow {
  domain
  -init
} verity_status_prop:property_service set;

neverallow {
  domain
  -init
} setupwizard_prop:property_service set;

# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
  domain
  -init
  -dumpstate
  -vendor_init
} build_config_prop:file no_rw_file_perms;

# sqlite_log_prop: set by init and shell; readable from the system side and
# by apps.
neverallow {
  domain
  -init
  -shell
} sqlite_log_prop:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
} sqlite_log_prop:file no_rw_file_perms;

# default_prop: init only.
neverallow {
  domain
  -init
} default_prop:property_service set;

# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
# Every permission on both the file and property_service classes is denied
# for a doubly-owned type, so the build fails as soon as any domain is
# granted anything on it.
neverallow domain system_and_vendor_property_type:{file property_service} *;

neverallow {
  # Only allow init and shell to set rollback_test_prop
  domain
  -init
  -shell
} rollback_test_prop:property_service set;

neverallow {
  # Only allow init and profcollectd to access profcollectd_node_id_prop
  # (dumpstate is exempted as well).
  # NOTE(review): this rule uses r_file_perms where the other read
  # restrictions in this file use no_rw_file_perms; the two macros do not
  # cover the same permission set, so confirm the intended scope.
  domain
  -init
  -dumpstate
  -profcollectd
} profcollectd_node_id_prop:file r_file_perms;
