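# System property type declarations and the neverallow assertions that bound
# access to them.
#
# The first part declares property types through the ownership macros
# (internal, restricted, public, vendor-config) and attaches legacy attributes.
# The second part is a list of neverallow rules. A neverallow rule grants
# nothing: it is an assertion checked when the policy is built, and the build
# fails if any allow rule matches it. Each rule names the domains that are
# exempt (the "-domain" entries); every other domain must not hold the listed
# permission. Rules on ":property_service set" bound who may set a property;
# rules on ":file" bound who may access the property file.

# Properties used only in /system
system_internal_prop(adbd_prop)
system_internal_prop(adbd_tradeinmode_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(ctl_prefetch_prop)
system_internal_prop(ctl_uprobestats_prop)
system_internal_prop(crashrecovery_prop)
system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_mmd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(kcmdline_prop)
system_internal_prop(keystore_diagnostics_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(mmd_status_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(misctrl_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(prefetch_service_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
system_internal_prop(remote_prov_cert_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_config_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(traced_relay_relay_port_prop)
system_internal_prop(uprobestats_start_with_config_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
system_internal_prop(sensors_config_prop)
system_internal_prop(hypervisor_pvmfw_prop)
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)
system_internal_prop(system_service_enable_prop)
system_internal_prop(ctl_artd_pre_reboot_prop)
system_internal_prop(trusty_security_vm_sys_prop)
system_internal_prop(hint_manager_config_prop)

# Properties which can't be written outside system
system_restricted_prop(bionic_linker_16kb_app_compat_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(fstype_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(mmd_shared_status_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
system_restricted_prop(pm_16kb_app_compat_prop)


# Properties with no restrictions
until_board_api(202504, `
    system_public_prop(bluetooth_finder_prop)
    system_public_prop(virtual_fingerprint_prop)
    system_public_prop(virtual_face_prop)
')

# These types will be public starting at board api 202504
until_board_api(202504, `
    system_restricted_prop(enable_16k_pages_prop)
    system_restricted_prop(profcollectd_etr_prop)
')

# These types will be public starting at board api 202504
until_board_api(202504, `
    system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
')

# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
until_board_api(202504, `
    system_vendor_config_prop(drm_config_prop)
')
system_vendor_config_prop(high_barometer_quality_prop)
system_vendor_config_prop(mmd_prop)
system_vendor_config_prop(mmd_shared_prop)
system_vendor_config_prop(prefetch_boot_prop)

typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
typeattribute wifi_log_prop log_property_type;

allow property_type tmpfs:filesystem associate;

# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
# be avoided.
# New properties should have appropriate read / write access
# control rules written.

typeattribute audio_prop core_property_type;
typeattribute config_prop core_property_type;
typeattribute cppreopt_prop core_property_type;
typeattribute dalvik_prop core_property_type;
typeattribute debuggerd_prop core_property_type;
typeattribute debug_prop core_property_type;
typeattribute dhcp_prop core_property_type;
typeattribute dumpstate_prop core_property_type;
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
typeattribute radio_prop core_property_type;
typeattribute restorecon_prop core_property_type;
typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;

typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;

###
### Neverallow rules
###

treble_sysprop_neverallow(`

enforce_sysprop_owner(`
  # Every property type must carry one of the three owner attributes.
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

# Outside coredomain, only restricted and public system properties may be accessed.
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# Outside coredomain, only public system properties may be set.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# Freeze the membership of core_property_type: the target set is the attribute
# minus the known members, so the rule fires as soon as any domain is granted
# access to a core_property_type type that is not subtracted here.
# NOTE(review): fingerprint_prop is subtracted although no typeattribute line
# in this file gives it core_property_type; confirm whether it is assigned
# elsewhere or the entry is stale.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -dhcp_prop
  -dumpstate_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -usb_prop
  -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# NOTE(review): the rule exempts init and vendor_init, not su; presumably su
# relies on being permissive rather than on an allow rule - confirm.
neverallow {
  domain
  -init
  -vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

neverallow {
  domain
  -init
  -extra_free_kbytes
} init_storage_prop:property_service set;

neverallow {
  domain
  -init
} init_svc_debug_prop:property_service set;

neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# DO NOT ADD: compat risk
neverallow {
  domain
  -init
  -crash_dump
  -dumpstate
  -misctrl
  -statsd
  userdebug_or_eng(`-su')
} misctrl_prop:file no_rw_file_perms;
neverallow {
  domain
  -init
  -misctrl
  userdebug_or_eng(`-su')
} misctrl_prop:property_service set;

compatible_property_only(`
# Prevent properties from being set
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_system_prop
    exported3_system_prop
    usb_control_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    radio_control_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } {
    exported_bluetooth_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } {
    exported_camera_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:property_service set;

  neverallow {
    domain
    -init
    -dumpstate
    -hal_wifi_server
    -wificond
    -vendor_init
  } {
    wifi_hal_prop
  }:property_service set;

# Prevent properties from being read
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop_type
    extended_core_property_type
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
    -dalvik_dynamic_config_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
    -hal_power_server
  } dalvik_dynamic_config_prop:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:file no_rw_file_perms;

# The next three rules restrict setting, not reading.
  neverallow {
    domain
    -coredomain
    -vendor_init
  } {
    suspend_prop
  }:property_service set;

  neverallow {
    domain
    -init
  } {
    suspend_debug_prop
  }:property_service set;

  neverallow {
    domain
    -init
    -vendor_init
  } {
    high_barometer_quality_prop
  }:property_service set;

# Read restriction: system_suspend is exempt on userdebug and eng builds only.
  neverallow {
    domain
    -init
    -dumpstate
    userdebug_or_eng(`-system_suspend')
  } {
    suspend_debug_prop
  }:file no_rw_file_perms;
')

# Keep denied reads of suspend_debug_prop by system_suspend out of the audit log.
dontaudit system_suspend suspend_debug_prop:file r_file_perms;

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  ffs_config_prop
  ffs_control_prop
}:file no_rw_file_perms;

neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

neverallow {
  # Only allow init and system_server to set system_adbd_prop
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

# Let (vendor_)init, adbd, adbd_tradeinmode, and system_server set service.adb.tcp.port
neverallow {
  domain
  -init
  -vendor_init
  -adbd
  -adbd_tradeinmode
  -system_server
} {
  adbd_config_prop
}:property_service set;

neverallow {
  # Only allow init, adbd and adbd_tradeinmode to set adbd_prop
  domain
  -init
  -adbd
  -adbd_tradeinmode
} {
  adbd_prop
}:property_service set;

neverallow {
  # Only allow init to set apexd_payload_metadata_prop
  domain
  -init
} {
  apexd_payload_metadata_prop
}:property_service set;


neverallow {
  # Only allow init and shell to set userspace_reboot_test_prop
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;

neverallow {
  domain
  -init
} {
  libc_debug_prop
}:property_service set;

# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
# The exemption list is shared by both types, so this rule alone does not stop
# system_app from being granted set on gwp_asan_prop.
# NOTE(review): confirm the allow rules elsewhere match the intent stated above.
neverallow {
  domain
  -init
  -shell
  -system_app
  -system_server
  -mtectrl
} {
  arm64_memtag_prop
  gwp_asan_prop
}:property_service set;

neverallow {
  domain
  -init
  -shell
  -kcmdlinectrl
} {
  kcmdline_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} zram_control_prop:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} dalvik_runtime_prop:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  usb_config_prop
  usb_control_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
} {
  provisioned_prop
  retaildemo_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  provisioned_prop
  retaildemo_prop
}:file no_rw_file_perms;

neverallow {
  domain
  -init
} {
  init_service_status_private_prop
  init_service_status_prop
}:property_service set;

neverallow {
  domain
  -init
  -radio
  -appdomain
  -hal_telephony_server
  not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} {
  graphics_config_prop
}:property_service set;

neverallow {
  domain
  -init
  -surfaceflinger
} {
  surfaceflinger_display_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
  -vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} keyguard_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
} {
  localization_prop
}:property_service set;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_app
} oem_unlock_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} sendbug_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} camera_calibration_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -dumpstate
  -hal_dumpstate_server
  not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;

# The profiling and tracing domains are exempt on userdebug and eng builds only.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  userdebug_or_eng(`-traced_probes')
  userdebug_or_eng(`-traced_perf')
} {
  lower_kptr_restrict_prop
}:property_service set;

neverallow {
  domain
  -init
} zygote_wrap_prop:property_service set;

neverallow {
  domain
  -init
} verity_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} setupwizard_mode_prop:property_service set;

neverallow {
  domain
  -init
} setupwizard_prop:property_service set;

# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init, vendor_init and dumpstate.
neverallow {
  domain
  -init
  -dumpstate
  -vendor_init
} build_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -shell
} sqlite_log_prop:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
} sqlite_log_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
} default_prop:property_service set;

# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;

neverallow {
  domain
  -init
  -keystore
  -shell
  -system_server
  -rkpdapp
} remote_prov_prop:property_service set;

neverallow {
  domain
  -init
} remote_prov_cert_prop:property_service set;

neverallow {
  # Only allow init and shell to set rollback_test_prop
  domain
  -init
  -shell
} rollback_test_prop:property_service set;

neverallow {
  domain
  -init
  -apexd
} ctl_apex_load_prop:property_service set;

neverallow {
  domain
  -coredomain
  -init
  -dumpstate
  -apexd
} ctl_apex_load_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -apexd
} apex_ready_prop:property_service set;

neverallow {
  domain
  -coredomain
  -dumpstate
  -apexd
  -vendor_init
} apex_ready_prop:file no_rw_file_perms;

neverallow {
  # Only allow init, dumpstate and profcollectd to read profcollectd_node_id_prop
  domain
  -init
  -dumpstate
  -profcollectd
} profcollectd_node_id_prop:file r_file_perms;

neverallow {
  domain
  -init
} log_file_logger_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} usb_uvc_enabled_prop:property_service set;

# Disallow apps other than system_app and device_as_webcam from reading ro.usb.uvc.enabled
neverallow {
  appdomain
  -system_app
  -device_as_webcam
} usb_uvc_enabled_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
} pm_archiving_enabled_prop:property_service set;

neverallow {
  domain
  -init
  -shell
  userdebug_or_eng(`-su')
} bionic_linker_16kb_app_compat_prop:property_service set;

neverallow {
  domain
  -init
  -shell
  userdebug_or_eng(`-su')
} pm_16kb_app_compat_prop:property_service set;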