Move system property rules to private

public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)

private/adbd.te

@@ -90,6 +90,9 @@ set_prop(adbd, exported_ffs_prop)
 # Set service.adb.tls.port, persist.adb.wifi. properties
 set_prop(adbd, adbd_prop)
 
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
+
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
 

private/apexd.te

@@ -155,3 +155,7 @@ neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:f
 
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
+
+# only apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+neverallow { domain -apexd -init } apexd_prop:property_service set;

private/asan_extract.te

@@ -3,6 +3,9 @@
 # Technically not a daemon but we do want the transition from init domain to
 # asan_extract to occur.
 with_asan(`
-typeattribute asan_extract coredomain;
-init_daemon_domain(asan_extract)
+  typeattribute asan_extract coredomain;
+  init_daemon_domain(asan_extract)
+
+  # We need to signal a reboot when done.
+  set_prop(asan_extract, powerctl_prop)
 ')

private/bootanim.te

@@ -4,3 +4,6 @@ init_daemon_domain(bootanim)
 
 # b/68864350
 dontaudit bootanim unlabeled:dir search;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)

private/bootstat.te

@@ -1,3 +1,33 @@
 typeattribute bootstat coredomain;
 
 init_daemon_domain(bootstat)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+neverallow {
+  domain
+  -bootanim
+  -bootstat
+  -dumpstate
+  -init
+  -recovery
+  -shell
+  -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+  domain
+  -bootstat
+  -init
+  -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;

private/charger.te

@@ -1 +1,10 @@
 typeattribute charger coredomain;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
+
+get_prop(charger, charger_prop)

private/dhcp.te

@@ -2,3 +2,6 @@ typeattribute dhcp coredomain;
 
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)

private/domain.te

@@ -369,3 +369,10 @@ neverallow {
 # This property is being removed. Remove remaining access.
 neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
 neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;

private/dumpstate.te

@@ -50,6 +50,17 @@ allow dumpstate proc_net_tcp_udp:file r_file_perms;
 # For comminucating with the system process to do confirmation ui.
 binder_call(dumpstate, incidentcompanion_service)
 
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
 # For dumping dynamic partition information.
 set_prop(dumpstate, lpdumpd_prop)
 binder_call(dumpstate, lpdumpd)

private/fastbootd.te

@@ -1 +1,25 @@
 typeattribute fastbootd coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+  # Reboot the device
+  set_prop(fastbootd, powerctl_prop)
+
+  # Read serial number of the device from system properties
+  get_prop(fastbootd, serialno_prop)
+
+  # Set sys.usb.ffs.ready.
+  set_prop(fastbootd, ffs_prop)
+  set_prop(fastbootd, exported_ffs_prop)
+
+  userdebug_or_eng(`
+    get_prop(fastbootd, persistent_properties_ready_prop)
+  ')
+
+  set_prop(fastbootd, gsid_prop)
+
+  # Determine allocation scheme (whether B partitions needs to be
+  # at the second half of super.
+  get_prop(fastbootd, virtual_ab_prop)
+')

private/flags_health_check.te

@@ -1,3 +1,27 @@
 typeattribute flags_health_check coredomain;
 
 init_daemon_domain(flags_health_check)
+
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;

private/gatekeeperd.te

@@ -1,3 +1,6 @@
 typeattribute gatekeeperd coredomain;
 
 init_daemon_domain(gatekeeperd)
+
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)

private/healthd.te

@@ -4,3 +4,10 @@ init_daemon_domain(healthd)
 
 # Allow healthd to serve health HAL
 hal_server_domain(healthd, hal_health)
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)

private/hwservicemanager.te

@@ -6,3 +6,4 @@ add_hwservice(hwservicemanager, hidl_manager_hwservice)
 add_hwservice(hwservicemanager, hidl_token_hwservice)
 
 set_prop(hwservicemanager, ctl_interface_start_prop)
+set_prop(hwservicemanager, hwservicemanager_prop)

private/lmkd.te

@@ -1,3 +1,6 @@
 typeattribute lmkd coredomain;
 
 init_daemon_domain(lmkd)
+
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)

private/logd.te

@@ -2,6 +2,9 @@ typeattribute logd coredomain;
 
 init_daemon_domain(logd)
 
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
 neverallow logd {

private/mediaextractor.te

@@ -5,3 +5,5 @@ tmpfs_domain(mediaextractor)
 allow mediaextractor appdomain_tmpfs:file { getattr map read write };
 allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
 allow mediaextractor system_server_tmpfs:file { getattr map read write };
+
+get_prop(mediaextractor, device_config_media_native_prop)

private/mediaserver.te

@@ -12,3 +12,5 @@ hal_client_domain(mediaserver, hal_omx)
 hal_client_domain(mediaserver, hal_codec2)
 
 allow mediaserver mediatranscoding_service:service_manager find;
+
+set_prop(mediaserver, audio_prop)

private/mediaswcodec.te

@@ -2,3 +2,4 @@ typeattribute mediaswcodec coredomain;
 
 init_daemon_domain(mediaswcodec)
 
+get_prop(mediaswcodec, device_config_media_native_prop)

private/netd.te

@@ -17,7 +17,12 @@ allow netd bpfloader:bpf { prog_run map_read map_write };
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow netd self:key_socket create;
 
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
 get_prop(netd, bpf_progs_loaded_prop)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
 
 # Allow netd to write to statsd.
 unix_socket_send(netd, statsdw, statsd)
@@ -28,3 +33,11 @@ binder_call(netd, network_stack)
 # Allow netd to send dump info to dumpstate
 allow netd dumpstate:fd use;
 allow netd dumpstate:fifo_file { getattr write };
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;

private/property.te

@@ -0,0 +1,321 @@
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow domain {
+#   property_type
+#   -system_property_type
+#   -product_property_type
+#   -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  system_internal_property_type
+  -system_restricted_property_type
+  -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+  vendor_property_type
+  vendor_internal_property_type
+  -vendor_restricted_property_type
+  -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+  vendor_property_type
+  -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
+neverallow * {
+  core_property_type
+  -audio_prop
+  -config_prop
+  -cppreopt_prop
+  -dalvik_prop
+  -debuggerd_prop
+  -debug_prop
+  -default_prop
+  -dhcp_prop
+  -dumpstate_prop
+  -ffs_prop
+  -fingerprint_prop
+  -logd_prop
+  -net_radio_prop
+  -nfc_prop
+  -ota_prop
+  -pan_result_prop
+  -persist_debug_prop
+  -powerctl_prop
+  -radio_prop
+  -restorecon_prop
+  -shell_prop
+  -system_prop
+  -system_radio_prop
+  -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+  domain
+  -init
+  -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+  ctl_bootanim_prop
+  ctl_bugreport_prop
+  ctl_console_prop
+  ctl_default_prop
+  ctl_dumpstate_prop
+  ctl_fuse_prop
+  ctl_mdnsd_prop
+  ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+  domain
+  -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -dumpstate
+  userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -vendor_init
+  } {
+    core_property_type
+    extended_core_property_type
+    exported_config_prop
+    exported_dalvik_prop
+    exported_default_prop
+    exported_dumpstate_prop
+    exported_ffs_prop
+    exported_fingerprint_prop
+    exported_system_prop
+    exported_system_radio_prop
+    exported_vold_prop
+    exported2_config_prop
+    exported2_default_prop
+    exported2_system_prop
+    exported2_vold_prop
+    exported3_default_prop
+    exported3_system_prop
+    -nfc_prop
+    -powerctl_prop
+    -radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_nfc_server
+  } {
+    nfc_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+    -vendor_init
+  } {
+    exported_radio_prop
+    exported3_radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+  } {
+    exported2_radio_prop
+    radio_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth_server
+  } {
+    bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth_server
+    -vendor_init
+  } {
+    exported_bluetooth_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_camera_server
+    -cameraserver
+    -vendor_init
+  } {
+    exported_camera_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi_server
+    -wificond
+  } {
+    wifi_prop
+  }:property_service set;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi_server
+    -wificond
+    -vendor_init
+  } {
+    exported_wifi_prop
+  }:property_service set;
+
+# Prevent properties from being read
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -vendor_init
+  } {
+    core_property_type
+    extended_core_property_type
+    exported_dalvik_prop
+    exported_ffs_prop
+    exported_system_radio_prop
+    exported2_config_prop
+    exported2_system_prop
+    exported2_vold_prop
+    exported3_default_prop
+    exported3_system_prop
+    -debug_prop
+    -logd_prop
+    -nfc_prop
+    -powerctl_prop
+    -radio_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_nfc_server
+  } {
+    nfc_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -hal_telephony_server
+  } {
+    radio_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -bluetooth
+    -hal_bluetooth_server
+  } {
+    bluetooth_prop
+  }:file no_rw_file_perms;
+
+  neverallow {
+    domain
+    -coredomain
+    -hal_wifi_server
+    -wificond
+  } {
+    wifi_prop
+  }:file no_rw_file_perms;
+')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -system_property_type
+    -extended_core_property_type
+  }:property_service set;
+')
+
+neverallow {
+  -init
+  -system_server
+} {
+  userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+  # Only allow init and system_server to set system_adbd_prop
+  -init
+  -system_server
+} {
+  system_adbd_prop
+}:property_service set;
+
+neverallow {
+  # Only allow init and adbd to set adbd_prop
+  -init
+  -adbd
+} {
+  adbd_prop
+}:property_service set;
+
+neverallow {
+  # Only allow init and shell to set userspace_reboot_test_prop
+  -init
+  -shell
+} {
+  userspace_reboot_test_prop
+}:property_service set;

private/radio.te

@@ -4,6 +4,16 @@ app_domain(radio)
 
 read_runtime_log_tags(radio)
 
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
 # Telephony code contains time / time zone detection logic so it reads the associated properties.
 get_prop(radio, time_prop)
 

private/recovery.te

@@ -1 +1,24 @@
 typeattribute recovery coredomain;
+
+# The allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+  # Reboot the device
+  set_prop(recovery, powerctl_prop)
+
+  # Read serial number of the device from system properties
+  get_prop(recovery, serialno_prop)
+
+  # Set sys.usb.ffs.ready when starting minadbd for sideload.
+  set_prop(recovery, ffs_prop)
+  set_prop(recovery, exported_ffs_prop)
+
+  # Set sys.usb.config when switching into fastboot.
+  set_prop(recovery, system_radio_prop)
+  set_prop(recovery, exported_system_radio_prop)
+
+  # Read ro.boot.bootreason
+  get_prop(recovery, bootloader_boot_reason_prop)
+
+  set_prop(recovery, gsid_prop)
+')

private/shell.te

@@ -1,3 +1,4 @@
+
 typeattribute shell coredomain;
 
 # allow shell input injection
@@ -90,3 +91,52 @@ allow shell simpleperf_exec:file rx_file_perms;
 # not the whole system.
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
+userdebug_or_eng(`set_prop(shell, persist_debug_prop)')

private/traceur_app.te

@@ -20,3 +20,8 @@ allow traceur_app perfetto_exec:file rx_file_perms;
 unix_socket_connect(traceur_app, traced_consumer, traced)
 
 dontaudit traceur_app debugfs_tracing_debug:file audit_access;
+
+# Allow Traceur to enable traced if necessary.
+set_prop(traceur_app, traced_enabled_prop)
+
+set_prop(traceur_app, debug_prop)

private/ueventd.te

@@ -1,3 +1,7 @@
 typeattribute ueventd coredomain;
 
 tmpfs_domain(ueventd)
+
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)

private/uncrypt.te

@@ -1,3 +1,6 @@
 typeattribute uncrypt coredomain;
 
 init_daemon_domain(uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)

private/update_engine.te

@@ -5,3 +5,9 @@ init_daemon_domain(update_engine);
 # Allow to talk to gsid.
 allow update_engine gsi_service:service_manager find;
 binder_call(update_engine, gsid)
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)

private/update_verifier.te

@@ -1,3 +1,9 @@
 typeattribute update_verifier coredomain;
 
 init_daemon_domain(update_verifier)
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)

private/usbd.te

@@ -10,3 +10,6 @@ get_prop(usbd, system_prop)
 
 # start adbd during boot if adb is enabled
 set_prop(usbd, ctl_default_prop)
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)

private/vold.te

@@ -17,3 +17,13 @@ domain_trans(vold, fsck_exec, fsck_untrusted);
 # from accidentally writing when the mount point isn't present.
 type_transition vold storage_file:dir storage_stub_file;
 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)

private/wificond.te

@@ -1,4 +1,10 @@
 typeattribute wificond coredomain;
 
+set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+get_prop(wificond, hwservicemanager_prop)
+
 init_daemon_domain(wificond)
 hal_client_domain(wificond, hal_wifi_offload)

public/adbd.te

@@ -6,6 +6,3 @@ type adbd_exec, exec_type, file_type, system_file_type;
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
 neverallow * adbd:process dyntransition;
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)

public/apexd.te

@@ -4,12 +4,8 @@ type apexd_exec, exec_type, file_type, system_file_type;
 
 binder_use(apexd)
 add_service(apexd, apex_service)
-set_prop(apexd, apexd_prop)
 
 neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
 neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
-
-# only apexd can set apexd sysprop
-neverallow { domain -apexd -init } apexd_prop:property_service set;

public/asan_extract.te

@@ -30,7 +30,4 @@ with_asan(`
 
   # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
   allow asan_extract system_data_file:file execute;
-
-  # We need to signal a reboot when done.
-  set_prop(asan_extract, powerctl_prop)
 ')

public/bootanim.te

@@ -36,7 +36,3 @@ allow bootanim proc_meminfo:file r_file_perms;
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-

public/bootstat.te

@@ -8,13 +8,6 @@ read_runtime_log_tags(bootstat)
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
 
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
 allow bootstat metadata_file:dir search;
 allow bootstat metadata_bootstat_file:dir rw_dir_perms;
 allow bootstat metadata_bootstat_file:file create_file_perms;
@@ -32,30 +25,6 @@ read_logd(bootstat)
 # Allow bootstat write to statsd.
 unix_socket_send(bootstat, statsdw, statsd)
 
-# ToDo: end
-
-neverallow {
-  domain
-  -bootanim
-  -bootstat
-  -dumpstate
-  -init
-  -recovery
-  -shell
-  -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
-  domain
-  -bootstat
-  -init
-  -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
-
 neverallow {
   domain
   -bootstat

public/charger.te

@@ -36,13 +36,4 @@ allow charger input_device:chr_file r_file_perms;
 allow charger tty_device:chr_file rw_file_perms;
 allow charger proc_sysrq:file rw_file_perms;
 
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported2_system_prop)
-set_prop(charger, exported3_system_prop)
-
-get_prop(charger, charger_prop)
-
 hal_client_domain(charger, hal_health)

public/dhcp.te

@@ -17,9 +17,6 @@ allow dhcp toolbox_exec:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net_type:file write;
 
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
-
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
 

public/domain.te

@@ -533,10 +533,6 @@ compatible_property_only(`
     neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
 ')
 
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
 compatible_property_only(`
     neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
     neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
@@ -562,9 +558,6 @@ neverallow {
   -vendor_init
 } serialno_prop:file r_file_perms;
 
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
 neverallow {
   domain
   -init

public/dumpstate.te

@@ -258,13 +258,6 @@ allow dumpstate hwservicemanager:hwservice_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
 
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
 # Read any system properties
 get_prop(dumpstate, property_type)
 
@@ -329,9 +322,6 @@ binder_call(dumpstate, hal_rebootescrow_server)
 allow hal_rebootescrow_server dumpstate:fifo_file write;
 allow hal_rebootescrow_server dumpstate:fd use;
 
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
-
 #Access /data/misc/snapshotctl_log
 allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
 allow dumpstate snapshotctl_log_data_file:file r_file_perms;

public/fastbootd.te

@@ -23,22 +23,12 @@ recovery_only(`
 
   allow fastbootd device:dir r_dir_perms;
 
-  # Reboot the device
-  set_prop(fastbootd, powerctl_prop)
-
-  # Read serial number of the device from system properties
-  get_prop(fastbootd, serialno_prop)
-
   # For dev/block/by-name dir
   allow fastbootd block_device:dir r_dir_perms;
 
   # Needed for DM_DEV_CREATE ioctl call
   allow fastbootd self:capability sys_admin;
 
-  # Set sys.usb.ffs.ready.
-  set_prop(fastbootd, ffs_prop)
-  set_prop(fastbootd, exported_ffs_prop)
-
   unix_socket_connect(fastbootd, recovery, recovery)
 
   # Required for flashing
@@ -106,18 +96,12 @@ recovery_only(`
     }:{ file lnk_file } unlink;
     allow fastbootd tmpfs:dir rw_dir_perms;
     allow fastbootd labeledfs:filesystem { mount unmount };
-    get_prop(fastbootd, persistent_properties_ready_prop)
   ')
 
   # Allow using libfiemap/gsid directly (no binder in recovery).
-  set_prop(fastbootd, gsid_prop)
   allow fastbootd gsi_metadata_file:dir search;
   allow fastbootd ota_metadata_file:dir rw_dir_perms;
   allow fastbootd ota_metadata_file:file create_file_perms;
-
-  # Determine allocation scheme (whether B partitions needs to be
-  # at the second half of super.
-  get_prop(fastbootd, virtual_ab_prop)
 ')
 
 ###

public/flags_health_check.te

@@ -2,33 +2,9 @@
 type flags_health_check, domain, coredomain;
 type flags_health_check_exec, system_file_type, exec_type, file_type;
 
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
 
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
-
 # server_configurable_flags_data_file is used for storing whether server configurable flags which
 # have been reset during current booting. Mistakenly modified by unrelated components can
 # cause bad server configurable flags synced back to device.

public/gatekeeperd.te

@@ -35,7 +35,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 # For hardware properties retrieval
 allow gatekeeperd hardware_properties_service:service_manager find;
 
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
-
 r_dir_file(gatekeeperd, cgroup)

public/healthd.te

@@ -47,10 +47,3 @@ allow healthd input_device:chr_file r_file_perms;
 allow healthd tty_device:chr_file rw_file_perms;
 allow healthd ashmem_device:chr_file execute;
 allow healthd proc_sysrq:file rw_file_perms;
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported2_system_prop)
-set_prop(healthd, exported3_system_prop)

public/hwservicemanager.te

@@ -10,8 +10,6 @@ type hwservicemanager_exec, system_file_type, exec_type, file_type;
 # to do this is granted in the hwbinder_use macro.
 allow hwservicemanager self:binder set_context_mgr;
 
-set_prop(hwservicemanager, hwservicemanager_prop)
-
 # Scan through /system/lib64/hw looking for installed HALs
 allow hwservicemanager system_file:dir r_dir_perms;
 

public/lmkd.te

@@ -36,9 +36,6 @@ allow lmkd self:global_capability_class_set sys_nice;
 allow lmkd proc_zoneinfo:file r_file_perms;
 allow lmkd proc_vmstat:file r_file_perms;
 
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
 # live lock watchdog process allowed to look through /proc/
 allow lmkd domain:dir { search open read };
 allow lmkd domain:file { open read };

public/logd.te

@@ -23,9 +23,6 @@ userdebug_or_eng(`
 ')
 allow logd runtime_event_log_tags_file:file rw_file_perms;
 
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
 r_dir_file(logd, domain)
 
 allow logd kernel:system syslog_mod;

public/mediaextractor.te

@@ -37,8 +37,6 @@ allow mediaextractor ringtone_file:file { read getattr };
 # scan extractor library directory to dynamically load extractors
 allow mediaextractor system_file:dir { read open };
 
-get_prop(mediaextractor, device_config_media_native_prop)
-
 ###
 ### neverallow rules
 ###

public/mediaserver.te

@@ -34,8 +34,6 @@ allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 
-set_prop(mediaserver, audio_prop)
-
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };

public/mediaswcodec.te

@@ -11,8 +11,6 @@ hal_client_domain(mediaswcodec, hal_omx)
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
-get_prop(mediaswcodec, device_config_media_native_prop)
-
 crash_dump_fallback(mediaswcodec)
 
 # mediaswcodec_server should never execute any executable without a

public/netd.te

@@ -81,9 +81,6 @@ allow netd system_file:file lock;
 # Allow netd to spawn dnsmasq in it's own domain
 allow netd dnsmasq:process signal;
 
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
 add_service(netd, netd_service)
@@ -113,8 +110,6 @@ allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write n
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
 
 ###
 ### Neverallow rules
@@ -157,14 +152,6 @@ neverallow {
 neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
 
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
-
 # If an already existing file is opened with O_CREATE, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
 # inappropriate permissions are not granted.

public/property.te

@@ -1,4 +1,8 @@
 # Properties used only in /system
+#
+# DO NOT ADD system_internal_prop here.
+# Instead, add to private/property.te.
+# TODO(b/150331497): move these to private/property.te
 system_internal_prop(apexd_prop)
 system_internal_prop(bootloader_boot_reason_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
@@ -243,54 +247,6 @@ typeattribute wifi_log_prop log_property_type;
 
 allow property_type tmpfs:filesystem associate;
 
-###
-### Neverallow rules
-###
-
-treble_sysprop_neverallow(`
-
-# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow domain {
-#   property_type
-#   -system_property_type
-#   -product_property_type
-#   -vendor_property_type
-# }:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
-  system_property_type
-  system_internal_property_type
-  -system_restricted_property_type
-  -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
-  system_property_type
-  -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
-  vendor_property_type
-  vendor_internal_property_type
-  -vendor_restricted_property_type
-  -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
-  vendor_property_type
-  -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
 # core_property_type should not be used for new properties or
 # device specific properties. Properties with this attribute
 # are readable to everyone, which is overly broad and should
@@ -322,277 +278,3 @@ typeattribute shell_prop         core_property_type;
 typeattribute system_prop        core_property_type;
 typeattribute system_radio_prop  core_property_type;
 typeattribute vold_prop          core_property_type;
-
-neverallow * {
-  core_property_type
-  -audio_prop
-  -config_prop
-  -cppreopt_prop
-  -dalvik_prop
-  -debuggerd_prop
-  -debug_prop
-  -default_prop
-  -dhcp_prop
-  -dumpstate_prop
-  -ffs_prop
-  -fingerprint_prop
-  -logd_prop
-  -net_radio_prop
-  -nfc_prop
-  -ota_prop
-  -pan_result_prop
-  -persist_debug_prop
-  -powerctl_prop
-  -radio_prop
-  -restorecon_prop
-  -shell_prop
-  -system_prop
-  -system_radio_prop
-  -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
-neverallow {
-  domain
-  -init
-  -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
-  ctl_bootanim_prop
-  ctl_bugreport_prop
-  ctl_console_prop
-  ctl_default_prop
-  ctl_dumpstate_prop
-  ctl_fuse_prop
-  ctl_mdnsd_prop
-  ctl_rildaemon_prop
-}:property_service set;
-
-neverallow {
-  domain
-  -init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
-  domain
-  -init
-  -dumpstate
-  userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -vendor_init
-  } {
-    core_property_type
-    extended_core_property_type
-    exported_config_prop
-    exported_dalvik_prop
-    exported_default_prop
-    exported_dumpstate_prop
-    exported_ffs_prop
-    exported_fingerprint_prop
-    exported_system_prop
-    exported_system_radio_prop
-    exported_vold_prop
-    exported2_config_prop
-    exported2_default_prop
-    exported2_system_prop
-    exported2_vold_prop
-    exported3_default_prop
-    exported3_system_prop
-    -nfc_prop
-    -powerctl_prop
-    -radio_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -hal_nfc_server
-  } {
-    nfc_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -hal_telephony_server
-    -vendor_init
-  } {
-    exported_radio_prop
-    exported3_radio_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -hal_telephony_server
-  } {
-    exported2_radio_prop
-    radio_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -bluetooth
-    -hal_bluetooth_server
-  } {
-    bluetooth_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -bluetooth
-    -hal_bluetooth_server
-    -vendor_init
-  } {
-    exported_bluetooth_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -hal_camera_server
-    -cameraserver
-    -vendor_init
-  } {
-    exported_camera_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -hal_wifi_server
-    -wificond
-  } {
-    wifi_prop
-  }:property_service set;
-
-  neverallow {
-    domain
-    -coredomain
-    -hal_wifi_server
-    -wificond
-    -vendor_init
-  } {
-    exported_wifi_prop
-  }:property_service set;
-
-# Prevent properties from being read
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -vendor_init
-  } {
-    core_property_type
-    extended_core_property_type
-    exported_dalvik_prop
-    exported_ffs_prop
-    exported_system_radio_prop
-    exported2_config_prop
-    exported2_system_prop
-    exported2_vold_prop
-    exported3_default_prop
-    exported3_system_prop
-    -debug_prop
-    -logd_prop
-    -nfc_prop
-    -powerctl_prop
-    -radio_prop
-  }:file no_rw_file_perms;
-
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -hal_nfc_server
-  } {
-    nfc_prop
-  }:file no_rw_file_perms;
-
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -hal_telephony_server
-  } {
-    radio_prop
-  }:file no_rw_file_perms;
-
-  neverallow {
-    domain
-    -coredomain
-    -bluetooth
-    -hal_bluetooth_server
-  } {
-    bluetooth_prop
-  }:file no_rw_file_perms;
-
-  neverallow {
-    domain
-    -coredomain
-    -hal_wifi_server
-    -wificond
-  } {
-    wifi_prop
-  }:file no_rw_file_perms;
-')
-
-compatible_property_only(`
-  # Neverallow coredomain to set vendor properties
-  neverallow {
-    coredomain
-    -init
-    -system_writes_vendor_properties_violators
-  } {
-    property_type
-    -system_property_type
-    -extended_core_property_type
-  }:property_service set;
-')
-
-neverallow {
-  -init
-  -system_server
-} {
-  userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
-  # Only allow init and system_server to set system_adbd_prop
-  -init
-  -system_server
-} {
-  system_adbd_prop
-}:property_service set;
-
-neverallow {
-  # Only allow init and adbd to set adbd_prop
-  -init
-  -adbd
-} {
-  adbd_prop
-}:property_service set;
-
-neverallow {
-  # Only allow init and shell to set userspace_reboot_test_prop
-  -init
-  -shell
-} {
-  userspace_reboot_test_prop
-}:property_service set;

public/radio.te

@@ -16,16 +16,6 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms;
 allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;
 
-# Property service
-set_prop(radio, radio_prop)
-set_prop(radio, exported_radio_prop)
-set_prop(radio, exported2_radio_prop)
-set_prop(radio, exported3_radio_prop)
-set_prop(radio, net_radio_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
 add_service(radio, radio_service)
 allow radio audioserver_service:service_manager find;
 allow radio cameraserver_service:service_manager find;

public/recovery.te

@@ -108,23 +108,6 @@ recovery_only(`
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
 
-  # Reboot the device
-  set_prop(recovery, powerctl_prop)
-
-  # Read serial number of the device from system properties
-  get_prop(recovery, serialno_prop)
-
-  # Set sys.usb.ffs.ready when starting minadbd for sideload.
-  set_prop(recovery, ffs_prop)
-  set_prop(recovery, exported_ffs_prop)
-
-  # Set sys.usb.config when switching into fastboot.
-  set_prop(recovery, system_radio_prop)
-  set_prop(recovery, exported_system_radio_prop)
-
-  # Read ro.boot.bootreason
-  get_prop(recovery, bootloader_boot_reason_prop)
-
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
@@ -144,7 +127,6 @@ recovery_only(`
   allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 
   # Allow using libfiemap/gsid directly (no binder in recovery).
-  set_prop(recovery, gsid_prop)
   allow recovery gsi_metadata_file:dir search;
   allow recovery ota_metadata_file:dir rw_dir_perms;
   allow recovery ota_metadata_file:file create_file_perms;

public/shell.te

@@ -58,60 +58,12 @@ allow shell zygote_exec:file rx_file_perms;
 
 r_dir_file(shell, apk_data_file)
 
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
   allow shell boottrace_data_file:dir rw_dir_perms;
   allow shell boottrace_data_file:file create_file_perms;
-  set_prop(shell, persist_debug_prop)
 ')
 
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service

public/traceur_app.te

@@ -3,11 +3,6 @@ type traceur_app, domain;
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;
 
-# Allow Traceur to enable traced if necessary.
-set_prop(traceur_app, traced_enabled_prop)
-
-set_prop(traceur_app, debug_prop)
-
 allow traceur_app {
   service_manager_type
   -apex_service

public/ueventd.te

@@ -59,10 +59,6 @@ allow ueventd kernel:key search;
 allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
 allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
 
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
-
 # Allow ueventd to run shell scripts from vendor
 allow ueventd vendor_shell_exec:file execute;
 

public/uncrypt.te

@@ -22,9 +22,6 @@ allow uncrypt ota_package_file:file r_file_perms;
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
 
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
-
 # Raw writes to block device
 allow uncrypt self:global_capability_class_set sys_rawio;
 allow uncrypt misc_block_device:blk_file w_file_perms;

public/update_engine.te

@@ -63,12 +63,6 @@ allow update_engine proc_misc:file r_file_perms;
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
 
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
 # update_engine tries to determine the parent path for all devices (e.g.
 # /dev/block/by-name) by reading the default fstab and looking for the misc
 # device. ReadDefaultFstab() checks whether a GSI is running by checking

public/update_verifier.te

@@ -24,12 +24,6 @@ allow update_verifier dm_device:blk_file r_file_perms;
 # Write to kernel message.
 allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
 
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
-
 # Use Boot Control HAL
 hal_client_domain(update_verifier, hal_bootctl)
 

public/usbd.te

@@ -1,5 +1,2 @@
 type usbd, domain;
 type usbd_exec, system_file_type, exec_type, file_type;
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)

public/vold.te

@@ -196,16 +196,6 @@ allow vold system_data_file:file read;
 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;
 
-# Property Service
-set_prop(vold, vold_prop)
-set_prop(vold, exported_vold_prop)
-set_prop(vold, exported2_vold_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;

public/wificond.te

@@ -8,10 +8,6 @@ binder_call(wificond, keystore)
 
 add_service(wificond, wificond_service)
 
-set_prop(wificond, exported_wifi_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
 # create sockets to set interfaces up and down
 allow wificond self:udp_socket create_socket_perms;
 # setting interface state up/down is a privileged ioctl
@@ -33,7 +29,6 @@ allow wificond dumpstate:fifo_file write;
 
 #### Offer the Wifi Keystore HwBinder service ###
 hwbinder_use(wificond)
-get_prop(wificond, hwservicemanager_prop)
 typeattribute wificond wifi_keystore_service_server;
 add_hwservice(wificond, system_wifi_keystore_hwservice)