# Properties used only in /system
#
# system_internal_prop() is defined outside this file. Judging from the
# treble neverallow rules further down, a type declared with it carries
# system_internal_property_type, which domains outside coredomain may
# neither read nor set. Declare a property here only when no vendor or
# product side process needs it; if a vendor process must read it, use
# system_restricted_prop instead, and if it must set it, a public type.
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
# netd_stable_secret_prop holds secret material; keeping it system-internal
# means no vendor domain can read it (see the treble read neverallow below).
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)

# Properties which can't be written outside system
#
# Restricted types are excluded from the non-core read neverallow below, so
# vendor and product domains may read them, but the set neverallow still
# denies them the property_service set permission.
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(system_user_mode_emulation_prop)

###
### Neverallow rules
###
#
# neverallow rules are build-time assertions: the policy compiler rejects the
# build if any allow rule would grant the listed access. They add no runtime
# denials of their own, so an access that is not asserted here is still
# governed solely by the allow rules elsewhere in the policy.

# Cross-partition isolation of property access. treble_sysprop_neverallow is
# defined outside this file; presumably it expands its body only on builds
# that enforce Treble property isolation (review note - confirm in the macro
# definition).
treble_sysprop_neverallow(`

# Every property type must be owned by exactly one partition. A type that has
# none of the owner attributes is unreadable and unwritable by every domain,
# so an allow rule on an unclassified property fails the build instead of
# silently exposing it.
enforce_sysprop_owner(`
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

# Domains outside coredomain (vendor and product processes) may not read or
# write system-internal properties. Only restricted and public system
# properties remain readable to them.
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# ...and they may set only public system properties.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# Mirror image for the system side: coredomain may not read vendor-internal
# properties and may set only vendor-public ones.
# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# "*" as the source matches every domain. Any legacy core_property_type that
# is not carved out below is therefore unreadable and unwritable by everyone,
# which forces legacy properties to be given a specific, narrower type before
# any domain can be granted access to them.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -dhcp_prop
  -dumpstate_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -system_user_mode_emulation_prop
  -usb_prop
  -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# Only init and vendor_init are exempted from this assertion. su is not listed:
# per the comment above it relies on being permissive on userdebug/eng rather
# than on an allow rule, so the build-time check is unaffected (review note -
# verify against the su domain policy).
neverallow {
  domain
  -init
  -vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

# init_svc_debug_prop: only init may set it; only init, dumpstate and (on
# userdebug/eng builds) su may read it.
neverallow {
  domain
  -init
} init_svc_debug_prop:property_service set;

neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# compatible_property_only is defined outside this file; presumably the body
# is emitted only on builds that enforce compatible property ownership.
# The assertions below constrain non-core domains on such builds. Note that
# -appdomain removes every app domain, including untrusted apps, from an
# assertion; whether an app can actually read or set a property is then
# decided by the allow rules elsewhere and is not asserted here.
compatible_property_only(`
# Prevent properties from being set
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_system_prop
    exported3_system_prop
    usb_control_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  # nfc_prop: outside coredomain and apps, only the NFC HAL may set or read it.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:property_service set;

  # radio_control_prop additionally allows vendor_init; radio_prop does not.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    radio_control_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:property_service set;

  # Bluetooth: the bluetooth app domain and the Bluetooth HAL are exempt;
  # exported_bluetooth_prop additionally exempts vendor_init.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } {
    exported_bluetooth_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } {
    exported_camera_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:property_service set;

  # wifi_hal_prop excludes init and dumpstate individually rather than all of
  # coredomain, so other core domains are covered by this assertion too.
  neverallow {
    domain
    -init
    -dumpstate
    -hal_wifi_server
    -wificond
    -vendor_init
  } {
    wifi_hal_prop
  }:property_service set;

# Prevent properties from being read
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop
    extended_core_property_type
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -vendor_init
  } {
    suspend_prop
  }:property_service set;
')

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  # system_writes_vendor_properties_violators is an exemption attribute: any
  # core domain carrying it escapes this assertion entirely, so additions to
  # that attribute deserve the same scrutiny as a new allow rule.
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

# USB function-fs configuration: readable by coredomain and vendor_init only.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  ffs_config_prop
  ffs_control_prop
}:file no_rw_file_perms;

neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

neverallow {
  # Only allow init and system_server to set system_adbd_prop
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
  domain
  -init
  -vendor_init
  -adbd
  -system_server
} {
  adbd_config_prop
}:property_service set;

neverallow {
  # Only allow init and adbd to set adbd_prop
  domain
  -init
  -adbd
} {
  adbd_prop
}:property_service set;

neverallow {
  # Only allow init to set apexd_payload_metadata_prop
  domain
  -init
} {
  apexd_payload_metadata_prop
}:property_service set;


neverallow {
  # Only allow init and shell to set userspace_reboot_test_prop
  # This is a test hook reachable from adb shell; it is deliberately not
  # limited to userdebug/eng here, so the property itself must stay harmless
  # on user builds.
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;

# libc debug settings may only be set by init.
neverallow {
  domain
  -init
} {
  libc_debug_prop
}:property_service set;

# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
neverallow {
  domain
  -init
  -shell
  -system_app
} {
  arm64_memtag_prop
  gwp_asan_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} zram_control_prop:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} dalvik_runtime_prop:property_service set;

# USB configuration and control: settable from coredomain and vendor_init only.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  usb_config_prop
  usb_control_prop
}:property_service set;

# Device provisioning / retail demo state: only init and system_server may
# set it; only coredomain and vendor_init may read it.
neverallow {
  domain
  -init
  -system_server
} {
  provisioned_prop
  retaildemo_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  provisioned_prop
  retaildemo_prop
}:file no_rw_file_perms;

# Service status properties are written by init alone.
neverallow {
  domain
  -init
} {
  init_service_status_private_prop
  init_service_status_prop
}:property_service set;

# telephony_status_prop: vendor_init is exempted only on builds without
# compatible property enforcement (not_compatible_property expands to the
# exclusion there and to nothing otherwise, presumably - confirm in the macro).
neverallow {
  domain
  -init
  -radio
  -appdomain
  -hal_telephony_server
  not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} {
  graphics_config_prop
}:property_service set;

neverallow {
  domain
  -init
  -surfaceflinger
} {
  surfaceflinger_display_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
  -vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} keyguard_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
} {
  localization_prop
}:property_service set;

# OEM unlock state: readable by init, vendor_init, dumpstate and system apps.
# Note this asserts only read-side restrictions; who may set the property is
# not asserted in this file.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_app
} oem_unlock_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} sendbug_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} camera_calibration_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -dumpstate
  -hal_dumpstate_server
  not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;

# Lowering kptr_restrict exposes kernel addresses. On user builds only init
# may set this; the profiling and tracing daemons are exempted solely on
# userdebug/eng builds.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  userdebug_or_eng(`-traced_probes')
  userdebug_or_eng(`-traced_perf')
} {
  lower_kptr_restrict_prop
}:property_service set;

# Boot-integrity and first-boot related state is init-only to set.
neverallow {
  domain
  -init
} zygote_wrap_prop:property_service set;

neverallow {
  domain
  -init
} verity_status_prop:property_service set;

neverallow {
  domain
  -init
} setupwizard_prop:property_service set;

# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
  domain
  -init
  -dumpstate
  -vendor_init
} build_config_prop:file no_rw_file_perms;

# sqlite logging: shell may toggle it; readable from coredomain and apps.
neverallow {
  domain
  -init
  -shell
} sqlite_log_prop:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
} sqlite_log_prop:file no_rw_file_perms;

# Properties that fall through to default_prop may only be set by init, so an
# unlabeled property name cannot become a writable channel for other domains.
neverallow {
  domain
  -init
} default_prop:property_service set;

# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
# Denies every file and property_service permission on a doubly-owned type,
# so a misclassified property fails the build the first time anything is
# allowed on it.
neverallow domain system_and_vendor_property_type:{file property_service} *;

neverallow {
  # Only init and the remote provisioner can set the ro.remote_provisioning.* props
  domain
  -init
  -remote_prov_app
} remote_prov_prop:property_service set;

neverallow {
  # Only allow init and shell to set rollback_test_prop
  # Test hook settable from adb shell on all build types; keep the property
  # harmless on user builds.
  domain
  -init
  -shell
} rollback_test_prop:property_service set;

neverallow {
  # Only allow init and profcollectd to access profcollectd_node_id_prop
  # NOTE(review): this is the only read assertion in the file written with
  # r_file_perms; every other one uses no_rw_file_perms. r_file_perms covers
  # only the read-side permissions, so if the intent is also to assert that
  # no other domain can write the property file, no_rw_file_perms would match
  # the rest of the file - confirm the intended scope.
  domain
  -init
  -dumpstate
  -profcollectd
} profcollectd_node_id_prop:file r_file_perms;