2020-03-19 09:49:08 +01:00
|
|
|
# Properties used only in /system
|
|
|
|
system_internal_prop(adbd_prop)
|
2021-11-08 21:09:54 +01:00
|
|
|
system_internal_prop(apexd_payload_metadata_prop)
|
2020-11-13 09:45:59 +01:00
|
|
|
system_internal_prop(ctl_snapuserd_prop)
|
2021-08-04 21:31:43 +02:00
|
|
|
system_internal_prop(device_config_lmkd_native_prop)
|
2022-04-06 23:31:26 +02:00
|
|
|
system_internal_prop(device_config_mglru_native_prop)
|
2020-10-26 19:29:52 +01:00
|
|
|
system_internal_prop(device_config_profcollect_native_boot_prop)
|
2022-09-29 23:20:22 +02:00
|
|
|
system_internal_prop(device_config_remote_key_provisioning_native_prop)
|
2020-11-18 04:26:23 +01:00
|
|
|
system_internal_prop(device_config_statsd_native_prop)
|
|
|
|
system_internal_prop(device_config_statsd_native_boot_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(device_config_storage_native_boot_prop)
|
|
|
|
system_internal_prop(device_config_sys_traced_prop)
|
|
|
|
system_internal_prop(device_config_window_manager_native_boot_prop)
|
|
|
|
system_internal_prop(device_config_configuration_prop)
|
2021-02-02 11:27:38 +01:00
|
|
|
system_internal_prop(device_config_connectivity_prop)
|
2021-02-11 18:12:51 +01:00
|
|
|
system_internal_prop(device_config_swcodec_native_prop)
|
2022-01-28 19:48:27 +01:00
|
|
|
system_internal_prop(dmesgd_start_prop)
|
2020-04-24 08:43:13 +02:00
|
|
|
system_internal_prop(fastbootd_protocol_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(gsid_prop)
|
|
|
|
system_internal_prop(init_perf_lsm_hooks_prop)
|
2020-05-14 12:43:08 +02:00
|
|
|
system_internal_prop(init_service_status_private_prop)
|
2022-09-07 22:13:47 +02:00
|
|
|
system_internal_prop(init_storage_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(init_svc_debug_prop)
|
2021-07-03 01:14:50 +02:00
|
|
|
system_internal_prop(keystore_crash_prop)
|
2021-02-23 17:40:05 +01:00
|
|
|
system_internal_prop(keystore_listen_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(last_boot_reason_prop)
|
2020-07-08 23:11:03 +02:00
|
|
|
system_internal_prop(localization_prop)
|
2020-10-09 10:15:10 +02:00
|
|
|
system_internal_prop(lower_kptr_restrict_prop)
|
2021-03-10 06:45:07 +01:00
|
|
|
system_internal_prop(net_464xlat_fromvendor_prop)
|
2021-03-10 07:31:36 +01:00
|
|
|
system_internal_prop(net_connectivity_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(netd_stable_secret_prop)
|
2021-03-16 08:34:30 +01:00
|
|
|
system_internal_prop(odsign_prop)
|
2021-02-11 03:45:35 +01:00
|
|
|
system_internal_prop(perf_drop_caches_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(pm_prop)
|
2021-03-22 15:02:22 +01:00
|
|
|
system_internal_prop(profcollectd_node_id_prop)
|
2021-04-30 06:52:42 +02:00
|
|
|
system_internal_prop(radio_cdma_ecm_prop)
|
2022-10-31 19:27:29 +01:00
|
|
|
system_internal_prop(remote_prov_prop)
|
2021-02-24 07:29:06 +01:00
|
|
|
system_internal_prop(rollback_test_prop)
|
2020-11-05 14:17:26 +01:00
|
|
|
system_internal_prop(setupwizard_prop)
|
2021-07-27 00:03:11 +02:00
|
|
|
system_internal_prop(snapuserd_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(system_adbd_prop)
|
2022-09-23 15:10:35 +02:00
|
|
|
system_internal_prop(timezone_metadata_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(traced_perf_enabled_prop)
|
2022-08-09 23:57:02 +02:00
|
|
|
system_internal_prop(tuner_server_ctl_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
system_internal_prop(userspace_reboot_log_prop)
|
|
|
|
system_internal_prop(userspace_reboot_test_prop)
|
2020-11-05 14:17:26 +01:00
|
|
|
system_internal_prop(verity_status_prop)
|
|
|
|
system_internal_prop(zygote_wrap_prop)
|
2021-05-14 21:52:54 +02:00
|
|
|
system_internal_prop(ctl_mediatranscoding_prop)
|
2021-07-27 13:47:42 +02:00
|
|
|
system_internal_prop(ctl_odsign_prop)
|
2021-09-16 14:06:20 +02:00
|
|
|
system_internal_prop(virtualizationservice_prop)
|
2022-07-07 08:42:39 +02:00
|
|
|
system_internal_prop(ctl_apex_load_prop)
|
2020-03-19 09:49:08 +01:00
|
|
|
|
2021-10-08 14:13:46 +02:00
|
|
|
# Properties which can't be written outside system
|
|
|
|
system_restricted_prop(device_config_virtualization_framework_native_prop)
|
2022-09-18 16:09:53 +02:00
|
|
|
system_restricted_prop(log_file_logger_prop)
|
2021-10-08 14:13:46 +02:00
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
treble_sysprop_neverallow(`
|
|
|
|
|
2020-09-28 06:32:43 +02:00
|
|
|
enforce_sysprop_owner(`
|
|
|
|
neverallow domain {
|
|
|
|
property_type
|
|
|
|
-system_property_type
|
|
|
|
-product_property_type
|
|
|
|
-vendor_property_type
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
')
|
2020-03-04 09:20:35 +01:00
|
|
|
|
|
|
|
neverallow { domain -coredomain } {
|
|
|
|
system_property_type
|
|
|
|
system_internal_property_type
|
|
|
|
-system_restricted_property_type
|
|
|
|
-system_public_property_type
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow { domain -coredomain } {
|
|
|
|
system_property_type
|
|
|
|
-system_public_property_type
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
# init is in coredomain, but should be able to read/write all props.
|
|
|
|
# dumpstate is also in coredomain, but should be able to read all props.
|
|
|
|
neverallow { coredomain -init -dumpstate } {
|
|
|
|
vendor_property_type
|
|
|
|
vendor_internal_property_type
|
|
|
|
-vendor_restricted_property_type
|
|
|
|
-vendor_public_property_type
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow { coredomain -init } {
|
|
|
|
vendor_property_type
|
|
|
|
-vendor_public_property_type
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
')
|
|
|
|
|
|
|
|
# There is no need to perform ioctl or advisory locking operations on
|
|
|
|
# property files. If this neverallow is being triggered, it is
|
|
|
|
# likely that the policy is using r_file_perms directly instead of
|
|
|
|
# the get_prop() macro.
|
|
|
|
neverallow domain property_type:file { ioctl lock };
|
|
|
|
|
|
|
|
neverallow * {
|
|
|
|
core_property_type
|
|
|
|
-audio_prop
|
|
|
|
-config_prop
|
|
|
|
-cppreopt_prop
|
|
|
|
-dalvik_prop
|
|
|
|
-debuggerd_prop
|
|
|
|
-debug_prop
|
|
|
|
-dhcp_prop
|
|
|
|
-dumpstate_prop
|
|
|
|
-fingerprint_prop
|
|
|
|
-logd_prop
|
|
|
|
-net_radio_prop
|
|
|
|
-nfc_prop
|
|
|
|
-ota_prop
|
|
|
|
-pan_result_prop
|
|
|
|
-persist_debug_prop
|
|
|
|
-powerctl_prop
|
|
|
|
-radio_prop
|
|
|
|
-restorecon_prop
|
|
|
|
-shell_prop
|
|
|
|
-system_prop
|
2020-04-27 14:13:01 +02:00
|
|
|
-usb_prop
|
2020-03-04 09:20:35 +01:00
|
|
|
-vold_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# sigstop property is only used for debugging; should only be set by su which is permissive
|
|
|
|
# for userdebug/eng
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
} ctl_sigstop_prop:property_service set;
|
|
|
|
|
|
|
|
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
|
|
|
# in the audit log
|
|
|
|
dontaudit domain {
|
|
|
|
ctl_bootanim_prop
|
|
|
|
ctl_bugreport_prop
|
|
|
|
ctl_console_prop
|
|
|
|
ctl_default_prop
|
|
|
|
ctl_dumpstate_prop
|
|
|
|
ctl_fuse_prop
|
|
|
|
ctl_mdnsd_prop
|
|
|
|
ctl_rildaemon_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2022-09-07 22:13:47 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-extra_free_kbytes
|
|
|
|
} init_storage_prop:property_service set;
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
} init_svc_debug_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-dumpstate
|
|
|
|
userdebug_or_eng(`-su')
|
|
|
|
} init_svc_debug_prop:file no_rw_file_perms;
|
|
|
|
|
|
|
|
compatible_property_only(`
|
|
|
|
# Prevent properties from being set
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
core_property_type
|
|
|
|
extended_core_property_type
|
|
|
|
exported_config_prop
|
|
|
|
exported_default_prop
|
|
|
|
exported_dumpstate_prop
|
|
|
|
exported_system_prop
|
|
|
|
exported3_system_prop
|
2020-04-27 14:13:01 +02:00
|
|
|
usb_control_prop
|
2020-03-04 09:20:35 +01:00
|
|
|
-nfc_prop
|
|
|
|
-powerctl_prop
|
|
|
|
-radio_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_nfc_server
|
|
|
|
} {
|
|
|
|
nfc_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_telephony_server
|
|
|
|
-vendor_init
|
|
|
|
} {
|
2020-07-28 08:17:24 +02:00
|
|
|
radio_control_prop
|
2020-03-04 09:20:35 +01:00
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_telephony_server
|
|
|
|
} {
|
|
|
|
radio_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-bluetooth
|
|
|
|
-hal_bluetooth_server
|
|
|
|
} {
|
|
|
|
bluetooth_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-bluetooth
|
|
|
|
-hal_bluetooth_server
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
exported_bluetooth_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-hal_camera_server
|
|
|
|
-cameraserver
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
exported_camera_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-hal_wifi_server
|
|
|
|
-wificond
|
|
|
|
} {
|
|
|
|
wifi_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
2020-06-25 14:20:42 +02:00
|
|
|
-init
|
|
|
|
-dumpstate
|
2020-03-04 09:20:35 +01:00
|
|
|
-hal_wifi_server
|
|
|
|
-wificond
|
|
|
|
-vendor_init
|
|
|
|
} {
|
2020-06-25 14:20:42 +02:00
|
|
|
wifi_hal_prop
|
2020-03-04 09:20:35 +01:00
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
# Prevent properties from being read
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
core_property_type
|
2020-04-20 12:36:33 +02:00
|
|
|
dalvik_config_prop
|
2020-03-04 09:20:35 +01:00
|
|
|
extended_core_property_type
|
|
|
|
exported3_system_prop
|
2020-04-01 03:01:16 +02:00
|
|
|
systemsound_config_prop
|
2020-03-04 09:20:35 +01:00
|
|
|
-debug_prop
|
|
|
|
-logd_prop
|
|
|
|
-nfc_prop
|
|
|
|
-powerctl_prop
|
|
|
|
-radio_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_nfc_server
|
|
|
|
} {
|
|
|
|
nfc_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_telephony_server
|
|
|
|
} {
|
|
|
|
radio_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-bluetooth
|
|
|
|
-hal_bluetooth_server
|
|
|
|
} {
|
|
|
|
bluetooth_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-hal_wifi_server
|
|
|
|
-wificond
|
|
|
|
} {
|
|
|
|
wifi_prop
|
|
|
|
}:file no_rw_file_perms;
|
2020-10-30 21:55:21 +01:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
2021-04-20 18:13:02 +02:00
|
|
|
-coredomain
|
|
|
|
-vendor_init
|
2020-10-30 21:55:21 +01:00
|
|
|
} {
|
|
|
|
suspend_prop
|
|
|
|
}:property_service set;
|
2020-03-04 09:20:35 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
compatible_property_only(`
|
|
|
|
# Neverallow coredomain to set vendor properties
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-init
|
|
|
|
-system_writes_vendor_properties_violators
|
|
|
|
} {
|
|
|
|
property_type
|
|
|
|
-system_property_type
|
|
|
|
-extended_core_property_type
|
|
|
|
}:property_service set;
|
|
|
|
')
|
|
|
|
|
2020-04-27 16:49:15 +02:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-04-27 16:49:15 +02:00
|
|
|
-coredomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
ffs_config_prop
|
|
|
|
ffs_control_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-03-04 09:20:35 +01:00
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} {
|
|
|
|
userspace_reboot_log_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
# Only allow init and system_server to set system_adbd_prop
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-03-04 09:20:35 +01:00
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} {
|
|
|
|
system_adbd_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2020-10-28 21:56:23 +01:00
|
|
|
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-10-28 21:56:23 +01:00
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-adbd
|
|
|
|
-system_server
|
|
|
|
} {
|
|
|
|
adbd_config_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
neverallow {
|
|
|
|
# Only allow init and adbd to set adbd_prop
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-03-04 09:20:35 +01:00
|
|
|
-init
|
|
|
|
-adbd
|
|
|
|
} {
|
|
|
|
adbd_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2021-11-08 21:09:54 +01:00
|
|
|
neverallow {
|
|
|
|
# Only allow init to set apexd_payload_metadata_prop
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
} {
|
|
|
|
apexd_payload_metadata_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
neverallow {
|
|
|
|
# Only allow init and shell to set userspace_reboot_test_prop
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-03-04 09:20:35 +01:00
|
|
|
-init
|
|
|
|
-shell
|
|
|
|
} {
|
|
|
|
userspace_reboot_test_prop
|
|
|
|
}:property_service set;
|
2020-04-24 14:25:17 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-04-24 14:25:17 +02:00
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
surfaceflinger_color_prop
|
|
|
|
}:property_service set;
|
2020-05-06 15:20:35 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-06 15:20:35 +02:00
|
|
|
-init
|
|
|
|
} {
|
|
|
|
libc_debug_prop
|
|
|
|
}:property_service set;
|
2020-05-08 13:42:25 +02:00
|
|
|
|
2022-03-22 23:59:57 +01:00
|
|
|
# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
|
|
|
|
# shell access can control the settings on their device. Allow system apps to
|
|
|
|
# set MTE props, so Developer Options can set them.
|
2020-12-04 02:23:06 +01:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-12-04 02:23:06 +01:00
|
|
|
-init
|
|
|
|
-shell
|
2021-12-21 21:06:31 +01:00
|
|
|
-system_app
|
2022-12-17 01:50:13 +01:00
|
|
|
-system_server
|
2022-09-21 23:53:48 +02:00
|
|
|
-mtectrl
|
2020-12-04 02:23:06 +01:00
|
|
|
} {
|
|
|
|
arm64_memtag_prop
|
2022-03-22 23:59:57 +01:00
|
|
|
gwp_asan_prop
|
2020-12-04 02:23:06 +01:00
|
|
|
}:property_service set;
|
|
|
|
|
2020-05-08 13:42:25 +02:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-08 13:42:25 +02:00
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
-vendor_init
|
|
|
|
} zram_control_prop:property_service set;
|
2020-05-12 15:51:48 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-12 15:51:48 +02:00
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
-vendor_init
|
|
|
|
} dalvik_runtime_prop:property_service set;
|
2020-04-27 14:13:01 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-04-27 14:13:01 +02:00
|
|
|
-coredomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
usb_config_prop
|
|
|
|
usb_control_prop
|
|
|
|
}:property_service set;
|
2020-05-13 18:38:40 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-13 18:38:40 +02:00
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} {
|
|
|
|
provisioned_prop
|
|
|
|
retaildemo_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-13 18:38:40 +02:00
|
|
|
-coredomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
provisioned_prop
|
|
|
|
retaildemo_prop
|
|
|
|
}:file no_rw_file_perms;
|
2020-05-14 12:43:08 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-14 12:43:08 +02:00
|
|
|
-init
|
|
|
|
} {
|
|
|
|
init_service_status_private_prop
|
|
|
|
init_service_status_prop
|
|
|
|
}:property_service set;
|
2020-05-14 14:47:43 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-05-14 14:47:43 +02:00
|
|
|
-init
|
|
|
|
-radio
|
|
|
|
-appdomain
|
|
|
|
-hal_telephony_server
|
2020-06-04 13:29:43 +02:00
|
|
|
not_compatible_property(`-vendor_init')
|
2020-05-14 14:47:43 +02:00
|
|
|
} telephony_status_prop:property_service set;
|
2020-06-03 21:20:41 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-06-03 21:20:41 +02:00
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
graphics_config_prop
|
|
|
|
}:property_service set;
|
2020-06-16 13:00:41 +02:00
|
|
|
|
2020-06-15 11:04:12 +02:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-06-15 11:04:12 +02:00
|
|
|
-init
|
2020-06-17 16:13:21 +02:00
|
|
|
-surfaceflinger
|
2020-06-15 11:04:12 +02:00
|
|
|
} {
|
|
|
|
surfaceflinger_display_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2020-06-16 13:00:41 +02:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-06-30 18:27:49 +02:00
|
|
|
-coredomain
|
|
|
|
-appdomain
|
2020-06-16 13:00:41 +02:00
|
|
|
-vendor_init
|
|
|
|
} packagemanager_config_prop:file no_rw_file_perms;
|
2020-07-07 05:46:24 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-07-07 05:46:24 +02:00
|
|
|
-coredomain
|
|
|
|
-vendor_init
|
|
|
|
} keyguard_config_prop:file no_rw_file_perms;
|
2020-07-08 23:11:03 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-07-08 23:11:03 +02:00
|
|
|
-init
|
|
|
|
} {
|
|
|
|
localization_prop
|
|
|
|
}:property_service set;
|
2020-07-16 15:25:47 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-07-16 15:25:47 +02:00
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-dumpstate
|
|
|
|
-system_app
|
|
|
|
} oem_unlock_prop:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-07-16 15:25:47 +02:00
|
|
|
-coredomain
|
|
|
|
-vendor_init
|
|
|
|
} storagemanager_config_prop:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-07-16 15:25:47 +02:00
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-dumpstate
|
|
|
|
-appdomain
|
|
|
|
} sendbug_config_prop:file no_rw_file_perms;
|
2020-07-20 13:26:07 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-07-20 13:26:07 +02:00
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-dumpstate
|
|
|
|
-appdomain
|
|
|
|
} camera_calibration_prop:file no_rw_file_perms;
|
2020-08-18 04:25:32 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-08-18 04:25:32 +02:00
|
|
|
-init
|
|
|
|
-dumpstate
|
2020-08-25 11:41:00 +02:00
|
|
|
-hal_dumpstate_server
|
2020-08-18 04:25:32 +02:00
|
|
|
not_compatible_property(`-vendor_init')
|
|
|
|
} hal_dumpstate_config_prop:file no_rw_file_perms;
|
2020-10-09 10:15:10 +02:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-10-09 10:15:10 +02:00
|
|
|
-init
|
2021-03-18 19:15:36 +01:00
|
|
|
userdebug_or_eng(`-profcollectd')
|
2021-11-24 23:06:07 +01:00
|
|
|
userdebug_or_eng(`-simpleperf_boot')
|
2020-10-09 10:15:10 +02:00
|
|
|
userdebug_or_eng(`-traced_probes')
|
2020-11-11 12:01:36 +01:00
|
|
|
userdebug_or_eng(`-traced_perf')
|
2020-10-09 10:15:10 +02:00
|
|
|
} {
|
|
|
|
lower_kptr_restrict_prop
|
|
|
|
}:property_service set;
|
2020-10-23 20:16:34 +02:00
|
|
|
|
2020-11-05 14:17:26 +01:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-11-05 14:17:26 +01:00
|
|
|
-init
|
|
|
|
} zygote_wrap_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-11-05 14:17:26 +01:00
|
|
|
-init
|
|
|
|
} verity_status_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-11-05 14:17:26 +01:00
|
|
|
-init
|
|
|
|
} setupwizard_prop:property_service set;
|
2020-11-12 14:21:51 +01:00
|
|
|
|
|
|
|
# ro.product.property_source_order is useless after initialization of ro.product.* props.
|
|
|
|
# So making it accessible only from init and vendor_init.
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-11-12 14:21:51 +01:00
|
|
|
-init
|
|
|
|
-dumpstate
|
|
|
|
-vendor_init
|
|
|
|
} build_config_prop:file no_rw_file_perms;
|
2020-11-17 05:54:52 +01:00
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-11-17 05:54:52 +01:00
|
|
|
-init
|
|
|
|
-shell
|
|
|
|
} sqlite_log_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2020-11-17 05:54:52 +01:00
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
} sqlite_log_prop:file no_rw_file_perms;
|
2020-11-26 13:50:23 +01:00
|
|
|
|
2021-01-14 05:08:16 +01:00
|
|
|
neverallow {
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2021-01-14 05:08:16 +01:00
|
|
|
-init
|
|
|
|
} default_prop:property_service set;
|
|
|
|
|
2020-11-26 13:50:23 +01:00
|
|
|
# Only one of system_property_type and vendor_property_type can be assigned.
|
|
|
|
# Property types having both attributes won't be accessible from anywhere.
|
|
|
|
neverallow domain system_and_vendor_property_type:{file property_service} *;
|
2021-02-24 07:29:06 +01:00
|
|
|
|
2022-04-20 19:10:49 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
2023-02-24 20:50:51 +01:00
|
|
|
-shell
|
2023-03-16 02:41:29 +01:00
|
|
|
-rkpdapp
|
2022-04-20 19:10:49 +02:00
|
|
|
} remote_prov_prop:property_service set;
|
|
|
|
|
2021-02-24 07:29:06 +01:00
|
|
|
neverallow {
|
|
|
|
# Only allow init and shell to set rollback_test_prop
|
2021-03-10 02:42:23 +01:00
|
|
|
domain
|
2021-02-24 07:29:06 +01:00
|
|
|
-init
|
|
|
|
-shell
|
|
|
|
} rollback_test_prop:property_service set;
|
2021-03-22 15:02:22 +01:00
|
|
|
|
2022-07-07 08:42:39 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-apexd
|
|
|
|
} ctl_apex_load_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-init
|
|
|
|
-dumpstate
|
|
|
|
-apexd
|
2022-08-30 21:14:51 +02:00
|
|
|
} ctl_apex_load_prop:file no_rw_file_perms;
|
2022-07-07 08:42:39 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
2022-09-02 00:20:10 +02:00
|
|
|
-apexd
|
|
|
|
} apex_ready_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
2022-07-07 08:42:39 +02:00
|
|
|
-dumpstate
|
|
|
|
-apexd
|
2022-09-02 09:26:27 +02:00
|
|
|
-vendor_init
|
2022-09-02 00:20:10 +02:00
|
|
|
} apex_ready_prop:file no_rw_file_perms;
|
2022-07-07 08:42:39 +02:00
|
|
|
|
2021-03-22 15:02:22 +01:00
|
|
|
neverallow {
|
|
|
|
# Only allow init and profcollectd to access profcollectd_node_id_prop
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-dumpstate
|
|
|
|
-profcollectd
|
|
|
|
} profcollectd_node_id_prop:file r_file_perms;
|
|
|
|
|
2022-09-18 16:09:53 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
} log_file_logger_prop:property_service set;
|
2023-01-24 08:46:42 +01:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
} usb_uvc_enabled_prop:property_service set;
|
2023-02-02 00:56:40 +01:00
|
|
|
|
|
|
|
# Disallow non system apps from reading ro.usb.uvc.enabled
|
|
|
|
neverallow {
|
|
|
|
appdomain
|
|
|
|
-system_app
|
|
|
|
-device_as_webcam
|
|
|
|
} usb_uvc_enabled_prop:file no_rw_file_perms;
|