2019-09-09 12:46:15 +02:00
|
|
|
# Properties used only in /system
|
|
|
|
system_internal_prop(apexd_prop)
|
|
|
|
system_internal_prop(bootloader_boot_reason_prop)
|
|
|
|
system_internal_prop(device_config_activity_manager_native_boot_prop)
|
|
|
|
system_internal_prop(device_config_boot_count_prop)
|
|
|
|
system_internal_prop(device_config_input_native_boot_prop)
|
|
|
|
system_internal_prop(device_config_media_native_prop)
|
|
|
|
system_internal_prop(device_config_netd_native_prop)
|
|
|
|
system_internal_prop(device_config_reset_performed_prop)
|
|
|
|
system_internal_prop(device_config_runtime_native_boot_prop)
|
|
|
|
system_internal_prop(device_config_runtime_native_prop)
|
2019-09-23 16:14:47 +02:00
|
|
|
system_internal_prop(device_config_storage_native_boot_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_internal_prop(device_config_sys_traced_prop)
|
2020-01-16 19:52:34 +01:00
|
|
|
system_internal_prop(device_config_window_manager_native_boot_prop)
|
2020-02-27 23:05:05 +01:00
|
|
|
system_internal_prop(device_config_configuration_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_internal_prop(firstboot_prop)
|
|
|
|
system_internal_prop(gsid_prop)
|
2020-01-14 19:20:06 +01:00
|
|
|
system_internal_prop(init_perf_lsm_hooks_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_internal_prop(init_svc_debug_prop)
|
|
|
|
system_internal_prop(last_boot_reason_prop)
|
|
|
|
system_internal_prop(netd_stable_secret_prop)
|
|
|
|
system_internal_prop(pm_prop)
|
2020-02-07 01:10:29 +01:00
|
|
|
system_internal_prop(userspace_reboot_log_prop)
|
2020-03-12 15:45:00 +01:00
|
|
|
system_internal_prop(userspace_reboot_test_prop)
|
2020-02-12 19:18:10 +01:00
|
|
|
system_internal_prop(system_adbd_prop)
|
|
|
|
system_internal_prop(adbd_prop)
|
2020-02-19 15:59:17 +01:00
|
|
|
system_internal_prop(traced_perf_enabled_prop)
|
2019-10-17 06:42:42 +02:00
|
|
|
|
|
|
|
compatible_property_only(`
|
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
|
|
system_internal_prop(boottime_prop)
|
|
|
|
system_internal_prop(bpf_progs_loaded_prop)
|
|
|
|
system_internal_prop(charger_prop)
|
|
|
|
system_internal_prop(cold_boot_done_prop)
|
|
|
|
system_internal_prop(ctl_adbd_prop)
|
|
|
|
system_internal_prop(ctl_apexd_prop)
|
|
|
|
system_internal_prop(ctl_bootanim_prop)
|
|
|
|
system_internal_prop(ctl_bugreport_prop)
|
|
|
|
system_internal_prop(ctl_console_prop)
|
|
|
|
system_internal_prop(ctl_dumpstate_prop)
|
|
|
|
system_internal_prop(ctl_fuse_prop)
|
|
|
|
system_internal_prop(ctl_gsid_prop)
|
|
|
|
system_internal_prop(ctl_interface_restart_prop)
|
|
|
|
system_internal_prop(ctl_interface_stop_prop)
|
|
|
|
system_internal_prop(ctl_mdnsd_prop)
|
|
|
|
system_internal_prop(ctl_restart_prop)
|
|
|
|
system_internal_prop(ctl_rildaemon_prop)
|
|
|
|
system_internal_prop(ctl_sigstop_prop)
|
|
|
|
system_internal_prop(dynamic_system_prop)
|
|
|
|
system_internal_prop(heapprofd_enabled_prop)
|
|
|
|
system_internal_prop(llkd_prop)
|
|
|
|
system_internal_prop(lpdumpd_prop)
|
|
|
|
system_internal_prop(mmc_prop)
|
|
|
|
system_internal_prop(mock_ota_prop)
|
|
|
|
system_internal_prop(net_dns_prop)
|
|
|
|
system_internal_prop(overlay_prop)
|
|
|
|
system_internal_prop(persistent_properties_ready_prop)
|
|
|
|
system_internal_prop(safemode_prop)
|
|
|
|
system_internal_prop(system_lmk_prop)
|
|
|
|
system_internal_prop(system_trace_prop)
|
|
|
|
system_internal_prop(test_boot_reason_prop)
|
|
|
|
system_internal_prop(time_prop)
|
|
|
|
system_internal_prop(traced_enabled_prop)
|
|
|
|
system_internal_prop(traced_lazy_prop)
|
|
|
|
')
|
2019-09-09 12:46:15 +02:00
|
|
|
|
|
|
|
# Properties which can't be written outside system
|
2020-01-28 06:43:57 +01:00
|
|
|
|
|
|
|
# Properties used by binder caches
|
|
|
|
system_restricted_prop(binder_cache_bluetooth_server_prop)
|
|
|
|
system_restricted_prop(binder_cache_system_server_prop)
|
2020-01-28 22:08:28 +01:00
|
|
|
system_restricted_prop(binder_cache_telephony_server_prop)
|
2020-03-04 04:40:41 +01:00
|
|
|
system_restricted_prop(boottime_public_prop)
|
2020-01-20 06:11:07 +01:00
|
|
|
system_restricted_prop(bq_config_prop)
|
2020-01-06 18:29:13 +01:00
|
|
|
system_restricted_prop(module_sdkextensions_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_restricted_prop(nnapi_ext_deny_product_prop)
|
|
|
|
system_restricted_prop(restorecon_prop)
|
2020-02-10 10:43:15 +01:00
|
|
|
system_restricted_prop(socket_hook_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_restricted_prop(system_boot_reason_prop)
|
2019-11-25 23:03:59 +01:00
|
|
|
system_restricted_prop(system_jvmti_agent_prop)
|
2019-11-14 13:59:15 +01:00
|
|
|
system_restricted_prop(userspace_reboot_exported_prop)
|
2019-10-17 06:42:42 +02:00
|
|
|
|
|
|
|
compatible_property_only(`
|
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
|
|
system_restricted_prop(config_prop)
|
|
|
|
system_restricted_prop(cppreopt_prop)
|
|
|
|
system_restricted_prop(dalvik_prop)
|
|
|
|
system_restricted_prop(debuggerd_prop)
|
|
|
|
system_restricted_prop(default_prop)
|
|
|
|
system_restricted_prop(device_logging_prop)
|
|
|
|
system_restricted_prop(dhcp_prop)
|
|
|
|
system_restricted_prop(dumpstate_prop)
|
|
|
|
system_restricted_prop(exported2_default_prop)
|
|
|
|
system_restricted_prop(exported3_system_prop)
|
|
|
|
system_restricted_prop(exported_dumpstate_prop)
|
|
|
|
system_restricted_prop(exported_fingerprint_prop)
|
|
|
|
system_restricted_prop(exported_secure_prop)
|
|
|
|
system_restricted_prop(exported_vold_prop)
|
|
|
|
system_restricted_prop(ffs_prop)
|
|
|
|
system_restricted_prop(fingerprint_prop)
|
|
|
|
system_restricted_prop(heapprofd_prop)
|
|
|
|
system_restricted_prop(net_radio_prop)
|
|
|
|
system_restricted_prop(pan_result_prop)
|
|
|
|
system_restricted_prop(persist_debug_prop)
|
|
|
|
system_restricted_prop(shell_prop)
|
|
|
|
system_restricted_prop(system_radio_prop)
|
|
|
|
system_restricted_prop(test_harness_prop)
|
|
|
|
system_restricted_prop(theme_prop)
|
|
|
|
system_restricted_prop(use_memfd_prop)
|
|
|
|
system_restricted_prop(vold_prop)
|
|
|
|
')
|
2019-09-09 12:46:15 +02:00
|
|
|
|
2020-02-08 00:34:17 +01:00
|
|
|
# Properties which can be written only by vendor_init
|
|
|
|
system_vendor_config_prop(apk_verity_prop)
|
|
|
|
system_vendor_config_prop(cpu_variant_prop)
|
|
|
|
system_vendor_config_prop(exported_audio_prop)
|
|
|
|
system_vendor_config_prop(exported_camera_prop)
|
|
|
|
system_vendor_config_prop(exported_config_prop)
|
|
|
|
system_vendor_config_prop(exported_default_prop)
|
|
|
|
system_vendor_config_prop(exported3_default_prop)
|
|
|
|
system_vendor_config_prop(userspace_reboot_config_prop)
|
|
|
|
system_vendor_config_prop(vehicle_hal_prop)
|
|
|
|
system_vendor_config_prop(vendor_security_patch_level_prop)
|
2020-02-10 10:43:15 +01:00
|
|
|
system_vendor_config_prop(vendor_socket_hook_prop)
|
2020-02-08 00:34:17 +01:00
|
|
|
system_vendor_config_prop(vndk_prop)
|
|
|
|
system_vendor_config_prop(virtual_ab_prop)
|
|
|
|
|
2019-09-09 12:46:15 +02:00
|
|
|
# Properties with no restrictions
|
|
|
|
system_public_prop(audio_prop)
|
|
|
|
system_public_prop(bluetooth_a2dp_offload_prop)
|
|
|
|
system_public_prop(bluetooth_audio_hal_prop)
|
|
|
|
system_public_prop(bluetooth_prop)
|
|
|
|
system_public_prop(ctl_default_prop)
|
|
|
|
system_public_prop(ctl_interface_start_prop)
|
|
|
|
system_public_prop(ctl_start_prop)
|
|
|
|
system_public_prop(ctl_stop_prop)
|
|
|
|
system_public_prop(debug_prop)
|
|
|
|
system_public_prop(dumpstate_options_prop)
|
|
|
|
system_public_prop(exported_system_prop)
|
|
|
|
system_public_prop(exported2_config_prop)
|
|
|
|
system_public_prop(exported2_radio_prop)
|
|
|
|
system_public_prop(exported2_system_prop)
|
|
|
|
system_public_prop(exported2_vold_prop)
|
|
|
|
system_public_prop(exported3_radio_prop)
|
|
|
|
system_public_prop(exported_bluetooth_prop)
|
|
|
|
system_public_prop(exported_dalvik_prop)
|
|
|
|
system_public_prop(exported_ffs_prop)
|
|
|
|
system_public_prop(exported_overlay_prop)
|
|
|
|
system_public_prop(exported_pm_prop)
|
|
|
|
system_public_prop(exported_radio_prop)
|
|
|
|
system_public_prop(exported_system_radio_prop)
|
|
|
|
system_public_prop(exported_wifi_prop)
|
2019-12-06 08:59:58 +01:00
|
|
|
system_public_prop(sota_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_public_prop(hwservicemanager_prop)
|
|
|
|
system_public_prop(logd_prop)
|
|
|
|
system_public_prop(logpersistd_logging_prop)
|
|
|
|
system_public_prop(log_prop)
|
|
|
|
system_public_prop(log_tag_prop)
|
|
|
|
system_public_prop(lowpan_prop)
|
|
|
|
system_public_prop(nfc_prop)
|
2019-11-14 23:18:40 +01:00
|
|
|
system_public_prop(ota_prop)
|
2019-09-09 12:46:15 +02:00
|
|
|
system_public_prop(powerctl_prop)
|
|
|
|
system_public_prop(radio_prop)
|
|
|
|
system_public_prop(serialno_prop)
|
|
|
|
system_public_prop(system_prop)
|
|
|
|
system_public_prop(wifi_log_prop)
|
|
|
|
system_public_prop(wifi_prop)
|
|
|
|
|
2020-01-25 01:31:58 +01:00
|
|
|
# Properties used in default HAL implementations
|
|
|
|
vendor_internal_prop(rebootescrow_hal_prop)
|
|
|
|
|
2019-10-17 06:42:42 +02:00
|
|
|
# Properties which are public for devices launching with Android O or earlier
|
|
|
|
# This should not be used for any new properties.
|
|
|
|
not_compatible_property(`
|
|
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
|
|
system_public_prop(boottime_prop)
|
|
|
|
system_public_prop(bpf_progs_loaded_prop)
|
|
|
|
system_public_prop(charger_prop)
|
|
|
|
system_public_prop(cold_boot_done_prop)
|
|
|
|
system_public_prop(ctl_adbd_prop)
|
|
|
|
system_public_prop(ctl_apexd_prop)
|
|
|
|
system_public_prop(ctl_bootanim_prop)
|
|
|
|
system_public_prop(ctl_bugreport_prop)
|
|
|
|
system_public_prop(ctl_console_prop)
|
|
|
|
system_public_prop(ctl_dumpstate_prop)
|
|
|
|
system_public_prop(ctl_fuse_prop)
|
|
|
|
system_public_prop(ctl_gsid_prop)
|
|
|
|
system_public_prop(ctl_interface_restart_prop)
|
|
|
|
system_public_prop(ctl_interface_stop_prop)
|
|
|
|
system_public_prop(ctl_mdnsd_prop)
|
|
|
|
system_public_prop(ctl_restart_prop)
|
|
|
|
system_public_prop(ctl_rildaemon_prop)
|
|
|
|
system_public_prop(ctl_sigstop_prop)
|
|
|
|
system_public_prop(dynamic_system_prop)
|
|
|
|
system_public_prop(heapprofd_enabled_prop)
|
|
|
|
system_public_prop(llkd_prop)
|
|
|
|
system_public_prop(lpdumpd_prop)
|
|
|
|
system_public_prop(mmc_prop)
|
|
|
|
system_public_prop(mock_ota_prop)
|
|
|
|
system_public_prop(net_dns_prop)
|
|
|
|
system_public_prop(overlay_prop)
|
|
|
|
system_public_prop(persistent_properties_ready_prop)
|
|
|
|
system_public_prop(safemode_prop)
|
|
|
|
system_public_prop(system_lmk_prop)
|
|
|
|
system_public_prop(system_trace_prop)
|
|
|
|
system_public_prop(test_boot_reason_prop)
|
|
|
|
system_public_prop(time_prop)
|
|
|
|
system_public_prop(traced_enabled_prop)
|
|
|
|
system_public_prop(traced_lazy_prop)
|
|
|
|
|
|
|
|
system_public_prop(config_prop)
|
|
|
|
system_public_prop(cppreopt_prop)
|
|
|
|
system_public_prop(dalvik_prop)
|
|
|
|
system_public_prop(debuggerd_prop)
|
|
|
|
system_public_prop(default_prop)
|
|
|
|
system_public_prop(device_logging_prop)
|
|
|
|
system_public_prop(dhcp_prop)
|
|
|
|
system_public_prop(dumpstate_prop)
|
|
|
|
system_public_prop(exported2_default_prop)
|
|
|
|
system_public_prop(exported3_system_prop)
|
|
|
|
system_public_prop(exported_dumpstate_prop)
|
|
|
|
system_public_prop(exported_fingerprint_prop)
|
|
|
|
system_public_prop(exported_secure_prop)
|
|
|
|
system_public_prop(exported_vold_prop)
|
|
|
|
system_public_prop(ffs_prop)
|
|
|
|
system_public_prop(fingerprint_prop)
|
|
|
|
system_public_prop(heapprofd_prop)
|
|
|
|
system_public_prop(net_radio_prop)
|
|
|
|
system_public_prop(pan_result_prop)
|
|
|
|
system_public_prop(persist_debug_prop)
|
|
|
|
system_public_prop(shell_prop)
|
|
|
|
system_public_prop(system_radio_prop)
|
|
|
|
system_public_prop(test_harness_prop)
|
|
|
|
system_public_prop(theme_prop)
|
|
|
|
system_public_prop(use_memfd_prop)
|
|
|
|
system_public_prop(vold_prop)
|
|
|
|
')
|
|
|
|
|
2017-10-19 09:54:49 +02:00
|
|
|
type vendor_default_prop, property_type;
|
|
|
|
|
2019-09-09 12:46:15 +02:00
|
|
|
typeattribute log_prop log_property_type;
|
|
|
|
typeattribute log_tag_prop log_property_type;
|
|
|
|
typeattribute wifi_log_prop log_property_type;
|
|
|
|
|
2015-12-02 01:58:27 +01:00
|
|
|
allow property_type tmpfs:filesystem associate;
|
2016-12-14 00:59:33 +01:00
|
|
|
|
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
|
2019-09-26 08:14:55 +02:00
|
|
|
treble_sysprop_neverallow(`
|
2019-09-09 12:46:15 +02:00
|
|
|
|
|
|
|
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
|
2019-09-26 08:14:55 +02:00
|
|
|
# neverallow domain {
|
2019-09-09 12:46:15 +02:00
|
|
|
# property_type
|
|
|
|
# -system_property_type
|
|
|
|
# -product_property_type
|
|
|
|
# -vendor_property_type
|
|
|
|
# }:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow { domain -coredomain } {
|
|
|
|
system_property_type
|
2019-12-03 02:49:42 +01:00
|
|
|
system_internal_property_type
|
2019-09-09 12:46:15 +02:00
|
|
|
-system_restricted_property_type
|
|
|
|
-system_public_property_type
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow { domain -coredomain } {
|
|
|
|
system_property_type
|
|
|
|
-system_public_property_type
|
|
|
|
}:property_service set;
|
|
|
|
|
2019-12-03 02:49:42 +01:00
|
|
|
# init is in coredomain, but should be able to read/write all props.
|
|
|
|
# dumpstate is also in coredomain, but should be able to read all props.
|
|
|
|
neverallow { coredomain -init -dumpstate } {
|
2019-09-09 12:46:15 +02:00
|
|
|
vendor_property_type
|
2019-12-03 02:49:42 +01:00
|
|
|
vendor_internal_property_type
|
2019-09-09 12:46:15 +02:00
|
|
|
-vendor_restricted_property_type
|
|
|
|
-vendor_public_property_type
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
2019-12-03 02:49:42 +01:00
|
|
|
neverallow { coredomain -init } {
|
2019-09-09 12:46:15 +02:00
|
|
|
vendor_property_type
|
|
|
|
-vendor_public_property_type
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
')
|
|
|
|
|
2018-10-10 18:02:12 +02:00
|
|
|
# There is no need to perform ioctl or advisory locking operations on
|
|
|
|
# property files. If this neverallow is being triggered, it is
|
|
|
|
# likely that the policy is using r_file_perms directly instead of
|
|
|
|
# the get_prop() macro.
|
|
|
|
neverallow domain property_type:file { ioctl lock };
|
|
|
|
|
2016-12-14 00:59:33 +01:00
|
|
|
# core_property_type should not be used for new properties or
|
|
|
|
# device specific properties. Properties with this attribute
|
|
|
|
# are readable to everyone, which is overly broad and should
|
|
|
|
# be avoided.
|
|
|
|
# New properties should have appropriate read / write access
|
|
|
|
# control rules written.
|
|
|
|
|
2019-09-09 12:46:15 +02:00
|
|
|
typeattribute audio_prop core_property_type;
|
|
|
|
typeattribute config_prop core_property_type;
|
|
|
|
typeattribute cppreopt_prop core_property_type;
|
|
|
|
typeattribute dalvik_prop core_property_type;
|
|
|
|
typeattribute debuggerd_prop core_property_type;
|
|
|
|
typeattribute debug_prop core_property_type;
|
|
|
|
typeattribute default_prop core_property_type;
|
|
|
|
typeattribute dhcp_prop core_property_type;
|
|
|
|
typeattribute dumpstate_prop core_property_type;
|
|
|
|
typeattribute ffs_prop core_property_type;
|
|
|
|
typeattribute fingerprint_prop core_property_type;
|
|
|
|
typeattribute logd_prop core_property_type;
|
|
|
|
typeattribute net_radio_prop core_property_type;
|
|
|
|
typeattribute nfc_prop core_property_type;
|
2019-11-14 23:18:40 +01:00
|
|
|
typeattribute ota_prop core_property_type;
|
2019-09-09 12:46:15 +02:00
|
|
|
typeattribute pan_result_prop core_property_type;
|
|
|
|
typeattribute persist_debug_prop core_property_type;
|
|
|
|
typeattribute powerctl_prop core_property_type;
|
|
|
|
typeattribute radio_prop core_property_type;
|
|
|
|
typeattribute restorecon_prop core_property_type;
|
|
|
|
typeattribute shell_prop core_property_type;
|
|
|
|
typeattribute system_prop core_property_type;
|
|
|
|
typeattribute system_radio_prop core_property_type;
|
|
|
|
typeattribute vold_prop core_property_type;
|
|
|
|
|
2016-12-14 00:59:33 +01:00
|
|
|
neverallow * {
|
|
|
|
core_property_type
|
|
|
|
-audio_prop
|
|
|
|
-config_prop
|
|
|
|
-cppreopt_prop
|
|
|
|
-dalvik_prop
|
|
|
|
-debuggerd_prop
|
|
|
|
-debug_prop
|
|
|
|
-default_prop
|
|
|
|
-dhcp_prop
|
|
|
|
-dumpstate_prop
|
|
|
|
-ffs_prop
|
|
|
|
-fingerprint_prop
|
|
|
|
-logd_prop
|
|
|
|
-net_radio_prop
|
|
|
|
-nfc_prop
|
2019-11-14 23:18:40 +01:00
|
|
|
-ota_prop
|
2016-12-14 00:59:33 +01:00
|
|
|
-pan_result_prop
|
|
|
|
-persist_debug_prop
|
|
|
|
-powerctl_prop
|
|
|
|
-radio_prop
|
|
|
|
-restorecon_prop
|
|
|
|
-shell_prop
|
|
|
|
-system_prop
|
|
|
|
-system_radio_prop
|
|
|
|
-vold_prop
|
|
|
|
}:file no_rw_file_perms;
|
2017-10-19 09:54:49 +02:00
|
|
|
|
Finer grained permissions for ctl. properties
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
2018-05-04 02:00:16 +02:00
|
|
|
# sigstop property is only used for debugging; should only be set by su which is permissive
|
|
|
|
# for userdebug/eng
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
} ctl_sigstop_prop:property_service set;
|
|
|
|
|
|
|
|
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
|
|
|
# in the audit log
|
|
|
|
dontaudit domain {
|
|
|
|
ctl_bootanim_prop
|
|
|
|
ctl_bugreport_prop
|
|
|
|
ctl_console_prop
|
|
|
|
ctl_default_prop
|
|
|
|
ctl_dumpstate_prop
|
|
|
|
ctl_fuse_prop
|
|
|
|
ctl_mdnsd_prop
|
|
|
|
ctl_rildaemon_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2019-07-25 20:29:17 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
} init_svc_debug_prop:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-dumpstate
|
|
|
|
userdebug_or_eng(`-su')
|
|
|
|
} init_svc_debug_prop:file no_rw_file_perms;
|
|
|
|
|
2017-10-19 09:54:49 +02:00
|
|
|
compatible_property_only(`
|
2018-01-24 20:20:35 +01:00
|
|
|
# Prevent properties from being set
|
2017-10-19 09:54:49 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
core_property_type
|
2018-05-30 10:38:09 +02:00
|
|
|
extended_core_property_type
|
2017-10-19 09:54:49 +02:00
|
|
|
exported_config_prop
|
|
|
|
exported_dalvik_prop
|
|
|
|
exported_default_prop
|
|
|
|
exported_dumpstate_prop
|
|
|
|
exported_ffs_prop
|
2018-01-12 02:19:48 +01:00
|
|
|
exported_fingerprint_prop
|
2017-10-19 09:54:49 +02:00
|
|
|
exported_system_prop
|
|
|
|
exported_system_radio_prop
|
|
|
|
exported_vold_prop
|
|
|
|
exported2_config_prop
|
|
|
|
exported2_default_prop
|
|
|
|
exported2_system_prop
|
|
|
|
exported2_vold_prop
|
|
|
|
exported3_default_prop
|
|
|
|
exported3_system_prop
|
2018-01-24 20:20:35 +01:00
|
|
|
-nfc_prop
|
|
|
|
-powerctl_prop
|
|
|
|
-radio_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
2018-01-30 09:23:58 +01:00
|
|
|
-hal_nfc_server
|
2018-01-24 20:20:35 +01:00
|
|
|
} {
|
|
|
|
nfc_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
2018-03-12 18:12:09 +01:00
|
|
|
-hal_telephony_server
|
2018-01-24 20:20:35 +01:00
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
exported_radio_prop
|
2018-03-27 06:41:47 +02:00
|
|
|
exported3_radio_prop
|
2018-04-18 04:24:15 +02:00
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_telephony_server
|
|
|
|
} {
|
|
|
|
exported2_radio_prop
|
2018-01-24 20:20:35 +01:00
|
|
|
radio_prop
|
|
|
|
}:property_service set;
|
2017-10-19 09:54:49 +02:00
|
|
|
|
2018-04-18 04:24:15 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-bluetooth
|
2018-05-23 16:21:32 +02:00
|
|
|
-hal_bluetooth_server
|
2018-04-18 04:24:15 +02:00
|
|
|
} {
|
|
|
|
bluetooth_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-bluetooth
|
2018-05-23 16:21:32 +02:00
|
|
|
-hal_bluetooth_server
|
2018-04-18 04:24:15 +02:00
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
exported_bluetooth_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2020-01-06 13:25:00 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-hal_camera_server
|
|
|
|
-cameraserver
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
exported_camera_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2018-04-18 04:24:15 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
2018-05-23 16:21:32 +02:00
|
|
|
-hal_wifi_server
|
2018-04-18 04:24:15 +02:00
|
|
|
-wificond
|
|
|
|
} {
|
|
|
|
wifi_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
2018-05-23 16:21:32 +02:00
|
|
|
-hal_wifi_server
|
2018-04-18 04:24:15 +02:00
|
|
|
-wificond
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
exported_wifi_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
2018-01-24 20:20:35 +01:00
|
|
|
# Prevent properties from being read
|
2017-10-19 09:54:49 +02:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-vendor_init
|
|
|
|
} {
|
|
|
|
core_property_type
|
2018-05-30 10:38:09 +02:00
|
|
|
extended_core_property_type
|
2017-10-19 09:54:49 +02:00
|
|
|
exported_dalvik_prop
|
|
|
|
exported_ffs_prop
|
|
|
|
exported_system_radio_prop
|
|
|
|
exported2_config_prop
|
|
|
|
exported2_system_prop
|
|
|
|
exported2_vold_prop
|
|
|
|
exported3_default_prop
|
|
|
|
exported3_system_prop
|
|
|
|
-debug_prop
|
|
|
|
-logd_prop
|
|
|
|
-nfc_prop
|
|
|
|
-powerctl_prop
|
|
|
|
-radio_prop
|
|
|
|
}:file no_rw_file_perms;
|
2018-01-30 03:18:47 +01:00
|
|
|
|
2018-01-30 09:23:58 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
|
|
|
-hal_nfc_server
|
|
|
|
} {
|
|
|
|
nfc_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
2018-01-30 03:18:47 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-appdomain
|
2018-03-12 18:12:09 +01:00
|
|
|
-hal_telephony_server
|
2018-01-30 03:18:47 +01:00
|
|
|
} {
|
|
|
|
radio_prop
|
|
|
|
}:file no_rw_file_perms;
|
2018-04-18 04:24:15 +02:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
|
|
|
-bluetooth
|
2018-05-23 16:21:32 +02:00
|
|
|
-hal_bluetooth_server
|
2018-04-18 04:24:15 +02:00
|
|
|
} {
|
|
|
|
bluetooth_prop
|
|
|
|
}:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-coredomain
|
2018-05-23 16:21:32 +02:00
|
|
|
-hal_wifi_server
|
2018-04-18 04:24:15 +02:00
|
|
|
-wificond
|
|
|
|
} {
|
|
|
|
wifi_prop
|
|
|
|
}:file no_rw_file_perms;
|
2017-10-19 09:54:49 +02:00
|
|
|
')
|
2018-06-01 18:36:51 +02:00
|
|
|
|
|
|
|
compatible_property_only(`
|
|
|
|
# Neverallow coredomain to set vendor properties
|
|
|
|
neverallow {
|
|
|
|
coredomain
|
|
|
|
-init
|
|
|
|
-system_writes_vendor_properties_violators
|
|
|
|
} {
|
|
|
|
property_type
|
2020-01-28 06:43:57 +01:00
|
|
|
-system_property_type
|
2018-06-01 18:36:51 +02:00
|
|
|
-extended_core_property_type
|
|
|
|
}:property_service set;
|
|
|
|
')
|
2020-02-07 01:10:29 +01:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} {
|
|
|
|
userspace_reboot_log_prop
|
|
|
|
}:property_service set;
|
2020-02-12 19:18:10 +01:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
# Only allow init and system_server to set system_adbd_prop
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
} {
|
|
|
|
system_adbd_prop
|
|
|
|
}:property_service set;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
# Only allow init and adbd to set adbd_prop
|
|
|
|
-init
|
|
|
|
-adbd
|
|
|
|
} {
|
|
|
|
adbd_prop
|
|
|
|
}:property_service set;
|
2020-03-12 15:45:00 +01:00
|
|
|
|
|
|
|
neverallow {
|
|
|
|
# Only allow init and shell to set userspace_reboot_test_prop
|
|
|
|
-init
|
|
|
|
-shell
|
|
|
|
} {
|
|
|
|
userspace_reboot_test_prop
|
|
|
|
}:property_service set;
|