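# Properties used only in /system
# NOTE(review): system_internal_prop() is defined outside this file. It
# presumably tags each type with system_internal_property_type, which the
# treble_sysprop_neverallow block later in this file keeps unreadable and
# unsettable for every domain outside coredomain. Confirm against the macro
# definition before relying on that for a new type.
system_internal_prop(adbd_prop)
system_internal_prop(adbd_tradeinmode_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(bluetooth_lea_mode_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(ctl_prefetch_prop)
system_internal_prop(ctl_uprobestats_prop)
system_internal_prop(crashrecovery_prop)
system_internal_prop(debug_tracing_desktop_mode_visible_tasks_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_mmd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(kcmdline_prop)
system_internal_prop(keystore_diagnostics_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(logd_auditrate_prop)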
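# Properties used only in /system (continued). Several of these types have a
# dedicated neverallow further down in this file that narrows the set of domains
# allowed to set or read them.
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(mmd_status_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(misctrl_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(prefetch_service_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
system_internal_prop(remote_prov_cert_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_config_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(traced_relay_relay_port_prop)
system_internal_prop(uprobestats_start_with_config_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
system_internal_prop(sensors_config_prop)
system_internal_prop(hypervisor_pvmfw_prop)
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)
system_internal_prop(system_service_enable_prop)
system_internal_prop(ctl_artd_pre_reboot_prop)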
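system_internal_prop(trusty_security_vm_sys_prop)
system_internal_prop(trusty_widevine_vm_sys_prop)
system_internal_prop(hint_manager_config_prop)

# Properties which can't be written outside system
system_restricted_prop(bionic_linker_16kb_app_compat_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(fstype_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(mmd_shared_status_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
system_restricted_prop(pm_16kb_app_compat_prop)


# Properties with no restrictions
# NOTE(review): until_board_api() is defined outside this file. Judging by the
# comments on the next two uses, it keeps a declaration here only for board API
# levels below 202504 -- confirm against the macro definition.
until_board_api(202504, `
    system_public_prop(bluetooth_finder_prop)
    system_public_prop(virtual_fingerprint_prop)
    system_public_prop(virtual_face_prop)
')

# These types will be public starting at board api 202504
until_board_api(202504, `
    system_restricted_prop(enable_16k_pages_prop)
    system_restricted_prop(profcollectd_etr_prop)
')

# These types will be public starting at board api 202504
until_board_api(202504, `
    system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
')

# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
until_board_api(202504, `
    system_vendor_config_prop(drm_config_prop)
')
system_vendor_config_prop(high_barometer_quality_prop)
system_vendor_config_prop(mmd_prop)
system_vendor_config_prop(mmd_shared_prop)
system_vendor_config_prop(prefetch_boot_prop)

# Group the logging-related property types under one attribute so rules can
# refer to them collectively.
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
typeattribute wifi_log_prop log_property_type;

# Lets files labelled with any property type exist on a tmpfs filesystem.
# NOTE(review): presumably needed because the property area is backed by
# tmpfs -- confirm.
allow property_type tmpfs:filesystem associate;

# core_property_type should not be used for new properties or
# device specific properties.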
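# Properties with this attribute
# are readable to everyone, which is overly broad and should
# be avoided.
# New properties should have appropriate read / write access
# control rules written.

typeattribute audio_prop core_property_type;
typeattribute config_prop core_property_type;
typeattribute cppreopt_prop core_property_type;
typeattribute dalvik_prop core_property_type;
typeattribute debuggerd_prop core_property_type;
typeattribute debug_prop core_property_type;
typeattribute dhcp_prop core_property_type;
typeattribute dumpstate_prop core_property_type;
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
typeattribute radio_prop core_property_type;
typeattribute restorecon_prop core_property_type;
typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;

typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;

###
### Neverallow rules
###
# A neverallow is a build-time assertion over allow rules. Being subtracted
# from the source set of a rule below grants nothing by itself; it only leaves
# room for an allow rule elsewhere in the policy.
# In this file ":file" rules constrain reading a property and
# ":property_service set" rules constrain writing it.

treble_sysprop_neverallow(`

# Every property type must carry exactly one owner attribute (system, product
# or vendor); a type with none of them may not be read by any domain.
enforce_sysprop_owner(`
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

# Outside coredomain, system-owned properties are readable only when they are
# restricted or public ...
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# ... and settable only when they are public.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

# Mirror of the rule above for writes: dumpstate is not exempted here, so
# within coredomain only init may set non-public vendor properties.
neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# Keeps core_property_type from growing: a type that carries the attribute but
# is not on the exclusion list below may not be given any read or write file
# access, so tagging a new type with core_property_type fails the build as soon
# as anything is allowed to read it.
# NOTE(review): fingerprint_prop is excluded here but is not given
# core_property_type in this file; presumably that happens elsewhere -- confirm.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -dhcp_prop
  -dumpstate_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -usb_prop
  -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# The rule constrains allow rules only: init and vendor_init are the sole
# domains that may be granted set. su is not listed because a permissive
# domain needs no allow rule to perform the operation.
neverallow {
  domain
  -init
  -vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling.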
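# We only want the newer permission check to appear
# in the audit log
# NOTE(review): with dontaudit, a denied set on these legacy types leaves no
# avc record, so log-based detection of ctl. misuse has to key on the denial
# produced by the newer check.
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

neverallow {
  domain
  -init
  -extra_free_kbytes
} init_storage_prop:property_service set;

# init_svc_debug_prop: only init may set it; reads are limited to init and
# dumpstate, plus su where the userdebug_or_eng() exemption is in effect.
neverallow {
  domain
  -init
} init_svc_debug_prop:property_service set;

neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# DO NOT ADD: compat risk
neverallow {
  domain
  -init
  -crash_dump
  -dumpstate
  -misctrl
  -statsd
  userdebug_or_eng(`-su')
} misctrl_prop:file no_rw_file_perms;
neverallow {
  domain
  -init
  -misctrl
  userdebug_or_eng(`-su')
} misctrl_prop:property_service set;

compatible_property_only(`
# Prevent properties from being set
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_system_prop
    exported3_system_prop
    usb_control_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    radio_control_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } {
    exported_bluetooth_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } {
    exported_camera_prop
  }:property_service set;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:property_service set;

  neverallow {
    domain
    -init
    -dumpstate
    -hal_wifi_server
    -wificond
    -vendor_init
  } {
    wifi_hal_prop
  }:property_service set;

# Prevent properties from being read
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop_type
    extended_core_property_type
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
    -dalvik_dynamic_config_prop
  }:file no_rw_file_perms;

  # dalvik_dynamic_config_prop is carved out of the rule above so that
  # hal_power_server can be exempted for it alone.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
    -hal_power_server
  } dalvik_dynamic_config_prop:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:file no_rw_file_perms;

  neverallow {
    domain
    -coredomain
    -vendor_init
  } {
    suspend_prop
  }:property_service set;

  neverallow {
    domain
    -init
  } {
    suspend_debug_prop
  }:property_service set;

  neverallow {
    domain
    -init
    -vendor_init
  } {
    high_barometer_quality_prop
  }:property_service set;

  # system_suspend is exempted from this read restriction only through
  # userdebug_or_eng(), i.e. not on user builds.
  neverallow {
    domain
    -init
    -dumpstate
    userdebug_or_eng(`-system_suspend')
  } {
    suspend_debug_prop
  }:file no_rw_file_perms;
')

# Silences the read denials of system_suspend on suspend_debug_prop.
# NOTE(review): presumably this covers builds where system_suspend has no read
# grant; the consequence is that such denials never reach the audit log.
dontaudit system_suspend suspend_debug_prop:file r_file_perms;

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  # The only exemptions are init and domains explicitly tagged with
  # system_writes_vendor_properties_violators.
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  ffs_config_prop
  ffs_control_prop
}:file no_rw_file_perms;

neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

neverallow {
  # Only allow init and system_server to set system_adbd_prop
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

# Let (vendor_)init, adbd, adbd_tradeinmode, and system_server set service.adb.tcp.port
neverallow {
  domain
  -init
  -vendor_init
  -adbd
  -adbd_tradeinmode
  -system_server
} {
  adbd_config_prop
}:property_service set;

neverallow {
  # Only allow init, adbd and adbd_tradeinmode to set adbd_prop
  domain
  -init
  -adbd
  -adbd_tradeinmode
} {
  adbd_prop
}:property_service set;

neverallow {
  # Only allow init to set apexd_payload_metadata_prop
  domain
  -init
} {
  apexd_payload_metadata_prop
}:property_service set;


neverallow {
  # Only allow init and shell to set userspace_reboot_test_prop
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;

neverallow {
  domain
  -init
} {
  libc_debug_prop
}:property_service set;

# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
# system_server and mtectrl are exempted as well. Both property types share one
# rule, so every exempted domain may be granted set on gwp_asan_prop too, not
# only on the MTE props.
neverallow {
  domain
  -init
  -shell
  -system_app
  -system_server
  -mtectrl
} {
  arm64_memtag_prop
  gwp_asan_prop
}:property_service set;

neverallow {
  domain
  -init
  -shell
  -kcmdlinectrl
} {
  kcmdline_prop
}:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} zram_control_prop:property_service set;

neverallow {
  domain
  -init
  -system_server
  -vendor_init
} dalvik_runtime_prop:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  usb_config_prop
  usb_control_prop
}:property_service set;

# provisioned_prop / retaildemo_prop: set only by init and system_server; read
# only by coredomain and vendor_init.
neverallow {
  domain
  -init
  -system_server
} {
  provisioned_prop
  retaildemo_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -vendor_init
} {
  provisioned_prop
  retaildemo_prop
}:file no_rw_file_perms;

neverallow {
  domain
  -init
} {
  init_service_status_private_prop
  init_service_status_prop
}:property_service set;

neverallow {
  domain
  -init
  -radio
  -appdomain
  -hal_telephony_server
  not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} {
  graphics_config_prop
}:property_service set;

neverallow {
  domain
  -init
  -surfaceflinger
} {
  surfaceflinger_display_prop
}:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
  -vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} keyguard_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
} {
  localization_prop
}:property_service set;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_app
} oem_unlock_prop:file no_rw_file_perms;

neverallow {
  domain
  -coredomain
  -vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} sendbug_config_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} camera_calibration_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -dumpstate
  -hal_dumpstate_server
  not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;

# Every exemption other than init is wrapped in userdebug_or_eng(), so on user
# builds only init may be granted set on lower_kptr_restrict_prop.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  userdebug_or_eng(`-traced_probes')
  userdebug_or_eng(`-traced_perf')
} {
  lower_kptr_restrict_prop
}:property_service set;

neverallow {
  domain
  -init
} zygote_wrap_prop:property_service set;

neverallow {
  domain
  -init
} verity_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} setupwizard_mode_prop:property_service set;

neverallow {
  domain
  -init
} setupwizard_prop:property_service set;

# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.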
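# The rule below also exempts dumpstate, so build_config_prop stays readable by
# init, vendor_init and dumpstate.
neverallow {
  domain
  -init
  -dumpstate
  -vendor_init
} build_config_prop:file no_rw_file_perms;

# sqlite_log_prop: set by init and shell only; read by coredomain and
# appdomain only.
neverallow {
  domain
  -init
  -shell
} sqlite_log_prop:property_service set;

neverallow {
  domain
  -coredomain
  -appdomain
} sqlite_log_prop:file no_rw_file_perms;

# default_prop is the catch-all label; nothing but init may set it.
# NOTE(review): "catch-all" is inferred from the name -- confirm against the
# property_contexts in use.
neverallow {
  domain
  -init
} default_prop:property_service set;

# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;

# NOTE(review): shell is exempted here unconditionally rather than through
# userdebug_or_eng(), so an allow rule for shell would also apply on user
# builds -- confirm this is intended for remote_prov_prop.
neverallow {
  domain
  -init
  -keystore
  -shell
  -system_server
  -rkpdapp
} remote_prov_prop:property_service set;

neverallow {
  domain
  -init
} remote_prov_cert_prop:property_service set;

neverallow {
  # Only allow init and shell to set rollback_test_prop
  domain
  -init
  -shell
} rollback_test_prop:property_service set;

neverallow {
  domain
  -init
  -apexd
} ctl_apex_load_prop:property_service set;

# NOTE(review): -init and -dumpstate look redundant next to -coredomain, since
# comments elsewhere in this file state that both are in coredomain. Harmless,
# but the effective reader set is simply coredomain (plus apexd if it is not
# already a member).
neverallow {
  domain
  -coredomain
  -init
  -dumpstate
  -apexd
} ctl_apex_load_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -apexd
} apex_ready_prop:property_service set;

neverallow {
  domain
  -coredomain
  -dumpstate
  -apexd
  -vendor_init
} apex_ready_prop:file no_rw_file_perms;

neverallow {
  # Only allow init, dumpstate and profcollectd to read profcollectd_node_id_prop
  # NOTE(review): this rule uses r_file_perms where the other read restrictions
  # in this file use no_rw_file_perms; confirm the narrower set is deliberate.
  domain
  -init
  -dumpstate
  -profcollectd
} profcollectd_node_id_prop:file r_file_perms;

neverallow {
  domain
  -init
} log_file_logger_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
} usb_uvc_enabled_prop:property_service set;

# Disallow apps other than system_app and device_as_webcam from reading
# ro.usb.uvc.enabled. The source set is appdomain, so this rule places no
# restriction on non-app domains.
neverallow {
  appdomain
  -system_app
  -device_as_webcam
} usb_uvc_enabled_prop:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
} pm_archiving_enabled_prop:property_service set;

# The two 16kb app-compat properties share the same writer set: init and
# shell, plus su where the userdebug_or_eng() exemption is in effect.
neverallow {
  domain
  -init
  -shell
  userdebug_or_eng(`-su')
} bionic_linker_16kb_app_compat_prop:property_service set;

neverallow {
  domain
  -init
  -shell
  userdebug_or_eng(`-su')
} pm_16kb_app_compat_prop:property_service set;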