From 55e5c9b5131e9754d9cd14f44a2078ada053fb5f Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Wed, 4 Mar 2020 17:20:35 +0900 Subject: [PATCH] Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8) --- private/adbd.te | 3 + private/apexd.te | 4 + private/asan_extract.te | 7 +- private/bootanim.te | 3 + private/bootstat.te | 30 ++++ private/charger.te | 9 + private/dhcp.te | 3 + private/domain.te | 7 + private/dumpstate.te | 11 ++ private/fastbootd.te | 24 +++ private/flags_health_check.te | 24 +++ private/gatekeeperd.te | 3 + private/healthd.te | 7 + private/hwservicemanager.te | 1 + private/lmkd.te | 3 + private/logd.te | 3 + private/mediaextractor.te | 2 + private/mediaserver.te | 2 + private/mediaswcodec.te | 1 + private/netd.te | 13 ++ private/property.te | 321 +++++++++++++++++++++++++++++++++ private/radio.te | 10 ++ private/recovery.te | 23 +++ private/shell.te | 50 ++++++ private/traceur_app.te | 5 + private/ueventd.te | 4 + private/uncrypt.te | 3 + private/update_engine.te | 6 + private/update_verifier.te | 6 + private/usbd.te | 3 + private/vold.te | 10 ++ private/wificond.te | 6 + public/adbd.te | 3 - public/apexd.te | 4 - public/asan_extract.te | 3 - public/bootanim.te | 4 - public/bootstat.te | 31 ---- public/charger.te | 9 - public/dhcp.te | 3 - public/domain.te | 7 - public/dumpstate.te | 10 -- public/fastbootd.te | 16 -- public/flags_health_check.te | 24 --- public/gatekeeperd.te | 3 - public/healthd.te | 7 - public/hwservicemanager.te | 2 - public/lmkd.te | 3 - public/logd.te | 3 - public/mediaextractor.te | 2 - public/mediaserver.te | 2 - 
public/mediaswcodec.te | 2 - public/netd.te | 13 -- public/property.te | 326 +--------------------------------- public/radio.te | 10 -- public/recovery.te | 18 -- public/shell.te | 48 ----- public/traceur_app.te | 5 - public/ueventd.te | 4 - public/uncrypt.te | 3 - public/update_engine.te | 6 - public/update_verifier.te | 6 - public/usbd.te | 3 - public/vold.te | 10 -- public/wificond.te | 5 - 64 files changed, 609 insertions(+), 593 deletions(-) create mode 100644 private/property.te diff --git a/private/adbd.te b/private/adbd.te index 89fa1f9e2..f7504df07 100644 --- a/private/adbd.te +++ b/private/adbd.te @@ -90,6 +90,9 @@ set_prop(adbd, exported_ffs_prop) # Set service.adb.tls.port, persist.adb.wifi. properties set_prop(adbd, adbd_prop) +# Allow adbd start/stop mdnsd via ctl.start +set_prop(adbd, ctl_mdnsd_prop) + # Access device logging gating property get_prop(adbd, device_logging_prop) diff --git a/private/apexd.te b/private/apexd.te index 9e702dd91..c03790cd2 100644 --- a/private/apexd.te +++ b/private/apexd.te @@ -155,3 +155,7 @@ neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:f neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms; neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms; + +# only apexd can set apexd sysprop +set_prop(apexd, apexd_prop) +neverallow { domain -apexd -init } apexd_prop:property_service set; diff --git a/private/asan_extract.te b/private/asan_extract.te index 1c20d78ec..69bcd5010 100644 --- a/private/asan_extract.te +++ b/private/asan_extract.te @@ -3,6 +3,9 @@ # Technically not a daemon but we do want the transition from init domain to # asan_extract to occur. with_asan(` -typeattribute asan_extract coredomain; -init_daemon_domain(asan_extract) + typeattribute asan_extract coredomain; + init_daemon_domain(asan_extract) + + # We need to signal a reboot when done. + set_prop(asan_extract, powerctl_prop) ') 
diff --git a/private/bootanim.te b/private/bootanim.te index 20ff1934b..fd95e4173 100644 --- a/private/bootanim.te +++ b/private/bootanim.te @@ -4,3 +4,6 @@ init_daemon_domain(bootanim) # b/68864350 dontaudit bootanim unlabeled:dir search; + +# Read ro.boot.bootreason b/30654343 +get_prop(bootanim, bootloader_boot_reason_prop) diff --git a/private/bootstat.te b/private/bootstat.te index 806144cf6..da3179b1e 100644 --- a/private/bootstat.te +++ b/private/bootstat.te @@ -1,3 +1,33 @@ typeattribute bootstat coredomain; init_daemon_domain(bootstat) + +# Collect metrics on boot time created by init +get_prop(bootstat, boottime_prop) + +# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty) +set_prop(bootstat, bootloader_boot_reason_prop) +set_prop(bootstat, system_boot_reason_prop) +set_prop(bootstat, last_boot_reason_prop) + +neverallow { + domain + -bootanim + -bootstat + -dumpstate + -init + -recovery + -shell + -system_server +} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms; +# ... and refine, as these components should not set the last boot reason +neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms; + +neverallow { + domain + -bootstat + -init + -system_server +} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set; +# ... and refine ... for a ro propertly no less ... keep this _tight_ +neverallow system_server bootloader_boot_reason_prop:property_service set; diff --git a/private/charger.te b/private/charger.te index 65109deff..13d1b14f9 100644 --- a/private/charger.te +++ b/private/charger.te @@ -1 +1,10 @@ typeattribute charger coredomain; + +# charger needs to tell init to continue the boot +# process when running in charger mode. +set_prop(charger, system_prop) +set_prop(charger, exported_system_prop) +set_prop(charger, exported2_system_prop) +set_prop(charger, exported3_system_prop) + +get_prop(charger, charger_prop) 
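Review bot: The comment above the final neverallow in private/bootstat.te carries a typo over from the public file: `# ... and refine ... for a ro propertly no less ... keep this _tight_` should read `# ... and refine ... for a ro property no less ... keep this _tight_`. Since this hunk is otherwise a verbatim move of the boot-reason rules, fixing the wording here avoids a separate follow-up. The rest of the moved rules (the `r_file_perms` and `property_service set` neverallows) read the same as in the removed public block.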
diff --git a/private/dhcp.te b/private/dhcp.te index b2f8ac7c7..8ec9111d6 100644 --- a/private/dhcp.te +++ b/private/dhcp.te @@ -2,3 +2,6 @@ typeattribute dhcp coredomain; init_daemon_domain(dhcp) type_transition dhcp system_data_file:{ dir file } dhcp_data_file; + +set_prop(dhcp, dhcp_prop) +set_prop(dhcp, pan_result_prop) diff --git a/private/domain.te b/private/domain.te index 3f5bbaad5..adb0218b3 100644 --- a/private/domain.te +++ b/private/domain.te @@ -369,3 +369,10 @@ neverallow { # This property is being removed. Remove remaining access. neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set; neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read; + +# Only core domains are allowed to access package_manager properties +neverallow { domain -init -system_server } pm_prop:property_service set; +neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; + +# Do not allow reading the last boot timestamp from system properties +neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; diff --git a/private/dumpstate.te b/private/dumpstate.te index 72e508e86..0eff540e4 100644 --- a/private/dumpstate.te +++ b/private/dumpstate.te @@ -50,6 +50,17 @@ allow dumpstate proc_net_tcp_udp:file r_file_perms; # For comminucating with the system process to do confirmation ui. binder_call(dumpstate, incidentcompanion_service) +# Set properties. +# dumpstate_prop is used to share state with the Shell app. +set_prop(dumpstate, dumpstate_prop) +set_prop(dumpstate, exported_dumpstate_prop) + +# dumpstate_options_prop is used to pass extra command-line args. +set_prop(dumpstate, dumpstate_options_prop) + +# Allow dumpstate to kill vendor dumpstate service by init +set_prop(dumpstate, ctl_dumpstate_prop) + # For dumping dynamic partition information. set_prop(dumpstate, lpdumpd_prop) binder_call(dumpstate, lpdumpd) 
diff --git a/private/fastbootd.te b/private/fastbootd.te index 29a9157e6..49994b76b 100644 --- a/private/fastbootd.te +++ b/private/fastbootd.te @@ -1 +1,25 @@ typeattribute fastbootd coredomain; + +# The allow rules are only included in the recovery policy. +# Otherwise fastbootd is only allowed the domain rules. +recovery_only(` + # Reboot the device + set_prop(fastbootd, powerctl_prop) + + # Read serial number of the device from system properties + get_prop(fastbootd, serialno_prop) + + # Set sys.usb.ffs.ready. + set_prop(fastbootd, ffs_prop) + set_prop(fastbootd, exported_ffs_prop) + + userdebug_or_eng(` + get_prop(fastbootd, persistent_properties_ready_prop) + ') + + set_prop(fastbootd, gsid_prop) + + # Determine allocation scheme (whether B partitions needs to be + # at the second half of super. + get_prop(fastbootd, virtual_ab_prop) +') diff --git a/private/flags_health_check.te b/private/flags_health_check.te index fb41aff79..18dde091b 100644 --- a/private/flags_health_check.te +++ b/private/flags_health_check.te 
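Review bot: The last comment inside the recovery_only block of private/fastbootd.te has an unbalanced parenthesis and a number-agreement slip, apparently carried over from wherever these lines lived before: `# Determine allocation scheme (whether B partitions needs to be` / `# at the second half of super.` Suggest `# Determine allocation scheme (whether B partitions need to be` / `# at the second half of super).` so the comment closes its own bracket. The `userdebug_or_eng` and `gsid_prop` lines in the same block carry no comment at all; a one-line note naming why fastbootd reads `persistent_properties_ready_prop` only on debug builds would help the next reader.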
@@ -1,3 +1,27 @@ typeattribute flags_health_check coredomain; init_daemon_domain(flags_health_check) + +set_prop(flags_health_check, device_config_boot_count_prop) +set_prop(flags_health_check, device_config_reset_performed_prop) +set_prop(flags_health_check, device_config_runtime_native_boot_prop) +set_prop(flags_health_check, device_config_runtime_native_prop) +set_prop(flags_health_check, device_config_input_native_boot_prop) +set_prop(flags_health_check, device_config_netd_native_prop) +set_prop(flags_health_check, device_config_activity_manager_native_boot_prop) +set_prop(flags_health_check, device_config_media_native_prop) +set_prop(flags_health_check, device_config_storage_native_boot_prop) +set_prop(flags_health_check, device_config_sys_traced_prop) +set_prop(flags_health_check, device_config_window_manager_native_boot_prop) +set_prop(flags_health_check, device_config_configuration_prop) + +# system property device_config_boot_count_prop is used for deciding when to perform server +# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a +# wrong timing, trigger server configurable flag related disaster recovery, which will override +# server configured values of all flags with default values. +neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set; + +# system property device_config_reset_performed_prop is used for indicating whether server +# configurable flags have been reset during booting. Mistakenly modified by unrelated components can +# cause bad server configurable flags synced back to device. +neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set; diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te index 5e4d0a2e9..2fb88a3bb 100644 --- a/private/gatekeeperd.te +++ b/private/gatekeeperd.te 
@@ -1,3 +1,6 @@ typeattribute gatekeeperd coredomain; init_daemon_domain(gatekeeperd) + +# For checking whether GSI is running +get_prop(gatekeeperd, gsid_prop) diff --git a/private/healthd.te b/private/healthd.te index 20d079173..921d33ff9 100644 --- a/private/healthd.te +++ b/private/healthd.te @@ -4,3 +4,10 @@ init_daemon_domain(healthd) # Allow healthd to serve health HAL hal_server_domain(healthd, hal_health) + +# Healthd needs to tell init to continue the boot +# process when running in charger mode. +set_prop(healthd, system_prop) +set_prop(healthd, exported_system_prop) +set_prop(healthd, exported2_system_prop) +set_prop(healthd, exported3_system_prop) diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te index 0705cc711..e1fde43f2 100644 --- a/private/hwservicemanager.te +++ b/private/hwservicemanager.te @@ -6,3 +6,4 @@ add_hwservice(hwservicemanager, hidl_manager_hwservice) add_hwservice(hwservicemanager, hidl_token_hwservice) set_prop(hwservicemanager, ctl_interface_start_prop) +set_prop(hwservicemanager, hwservicemanager_prop) diff --git a/private/lmkd.te b/private/lmkd.te index a07ce879c..724605138 100644 --- a/private/lmkd.te +++ b/private/lmkd.te @@ -1,3 +1,6 @@ typeattribute lmkd coredomain; init_daemon_domain(lmkd) + +# Set sys.lmk.* properties. +set_prop(lmkd, system_lmk_prop) diff --git a/private/logd.te b/private/logd.te index ca92e2061..7112c4f83 100644 --- a/private/logd.te +++ b/private/logd.te @@ -2,6 +2,9 @@ typeattribute logd coredomain; init_daemon_domain(logd) +# Access device logging gating property +get_prop(logd, device_logging_prop) + # logd is not allowed to write anywhere other than /data/misc/logd, and then # only on userdebug or eng builds neverallow logd { diff --git a/private/mediaextractor.te b/private/mediaextractor.te index 2e654d689..7f626c440 100644 --- a/private/mediaextractor.te +++ b/private/mediaextractor.te 
@@ -5,3 +5,5 @@ tmpfs_domain(mediaextractor) allow mediaextractor appdomain_tmpfs:file { getattr map read write }; allow mediaextractor mediaserver_tmpfs:file { getattr map read write }; allow mediaextractor system_server_tmpfs:file { getattr map read write }; + +get_prop(mediaextractor, device_config_media_native_prop) diff --git a/private/mediaserver.te b/private/mediaserver.te index c55e54a94..32dfc0052 100644 --- a/private/mediaserver.te +++ b/private/mediaserver.te @@ -12,3 +12,5 @@ hal_client_domain(mediaserver, hal_omx) hal_client_domain(mediaserver, hal_codec2) allow mediaserver mediatranscoding_service:service_manager find; + +set_prop(mediaserver, audio_prop) diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te index 50f569875..cef802d3d 100644 --- a/private/mediaswcodec.te +++ b/private/mediaswcodec.te @@ -2,3 +2,4 @@ typeattribute mediaswcodec coredomain; init_daemon_domain(mediaswcodec) +get_prop(mediaswcodec, device_config_media_native_prop) diff --git a/private/netd.te b/private/netd.te index 41473b73d..27663d3a3 100644 --- a/private/netd.te +++ b/private/netd.te @@ -17,7 +17,12 @@ allow netd bpfloader:bpf { prog_run map_read map_write }; # TODO: Remove this permission when 4.9 kernel is deprecated. allow netd self:key_socket create; +set_prop(netd, ctl_mdnsd_prop) +set_prop(netd, netd_stable_secret_prop) + get_prop(netd, bpf_progs_loaded_prop) +get_prop(netd, hwservicemanager_prop) +get_prop(netd, device_config_netd_native_prop) # Allow netd to write to statsd. unix_socket_send(netd, statsdw, statsd) 
@@ -28,3 +33,11 @@ binder_call(netd, network_stack) # Allow netd to send dump info to dumpstate allow netd dumpstate:fd use; allow netd dumpstate:fifo_file { getattr write }; + +# persist.netd.stable_secret contains RFC 7217 secret key which should never be +# leaked to other processes. Make sure it never leaks. +neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms; + +# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret, +# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy. +neverallow { domain -netd -init } netd_stable_secret_prop:property_service set; diff --git a/private/property.te b/private/property.te new file mode 100644 index 000000000..be865f1c4 --- /dev/null +++ b/private/property.te 
@@ -0,0 +1,321 @@ +### +### Neverallow rules +### + +treble_sysprop_neverallow(` + +# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties +# neverallow domain { +# property_type +# -system_property_type +# -product_property_type +# -vendor_property_type +# }:file no_rw_file_perms; + +neverallow { domain -coredomain } { + system_property_type + system_internal_property_type + -system_restricted_property_type + -system_public_property_type +}:file no_rw_file_perms; + +neverallow { domain -coredomain } { + system_property_type + -system_public_property_type +}:property_service set; + +# init is in coredomain, but should be able to read/write all props. +# dumpstate is also in coredomain, but should be able to read all props. +neverallow { coredomain -init -dumpstate } { + vendor_property_type + vendor_internal_property_type + -vendor_restricted_property_type + -vendor_public_property_type +}:file no_rw_file_perms; + +neverallow { coredomain -init } { + vendor_property_type + -vendor_public_property_type +}:property_service set; + +') + +# There is no need to perform ioctl or advisory locking operations on +# property files. If this neverallow is being triggered, it is +# likely that the policy is using r_file_perms directly instead of +# the get_prop() macro. 
+neverallow domain property_type:file { ioctl lock }; + +neverallow * { + core_property_type + -audio_prop + -config_prop + -cppreopt_prop + -dalvik_prop + -debuggerd_prop + -debug_prop + -default_prop + -dhcp_prop + -dumpstate_prop + -ffs_prop + -fingerprint_prop + -logd_prop + -net_radio_prop + -nfc_prop + -ota_prop + -pan_result_prop + -persist_debug_prop + -powerctl_prop + -radio_prop + -restorecon_prop + -shell_prop + -system_prop + -system_radio_prop + -vold_prop +}:file no_rw_file_perms; + +# sigstop property is only used for debugging; should only be set by su which is permissive +# for userdebug/eng +neverallow { + domain + -init + -vendor_init +} ctl_sigstop_prop:property_service set; + +# Don't audit legacy ctl. property handling. We only want the newer permission check to appear +# in the audit log +dontaudit domain { + ctl_bootanim_prop + ctl_bugreport_prop + ctl_console_prop + ctl_default_prop + ctl_dumpstate_prop + ctl_fuse_prop + ctl_mdnsd_prop + ctl_rildaemon_prop +}:property_service set; + +neverallow { + domain + -init +} init_svc_debug_prop:property_service set; + +neverallow { + domain + -init + -dumpstate + userdebug_or_eng(`-su') +} init_svc_debug_prop:file no_rw_file_perms; + +compatible_property_only(` +# Prevent properties from being set + neverallow { + domain + -coredomain + -appdomain + -vendor_init + } { + core_property_type + extended_core_property_type + exported_config_prop + exported_dalvik_prop + exported_default_prop + exported_dumpstate_prop + exported_ffs_prop + exported_fingerprint_prop + exported_system_prop + exported_system_radio_prop + exported_vold_prop + exported2_config_prop + exported2_default_prop + exported2_system_prop + exported2_vold_prop + exported3_default_prop + exported3_system_prop + -nfc_prop + -powerctl_prop + -radio_prop + }:property_service set; + + neverallow { + domain + -coredomain + -appdomain + -hal_nfc_server + } { + nfc_prop + }:property_service set; + + neverallow { + domain + -coredomain + 
-appdomain + -hal_telephony_server + -vendor_init + } { + exported_radio_prop + exported3_radio_prop + }:property_service set; + + neverallow { + domain + -coredomain + -appdomain + -hal_telephony_server + } { + exported2_radio_prop + radio_prop + }:property_service set; + + neverallow { + domain + -coredomain + -bluetooth + -hal_bluetooth_server + } { + bluetooth_prop + }:property_service set; + + neverallow { + domain + -coredomain + -bluetooth + -hal_bluetooth_server + -vendor_init + } { + exported_bluetooth_prop + }:property_service set; + + neverallow { + domain + -coredomain + -hal_camera_server + -cameraserver + -vendor_init + } { + exported_camera_prop + }:property_service set; + + neverallow { + domain + -coredomain + -hal_wifi_server + -wificond + } { + wifi_prop + }:property_service set; + + neverallow { + domain + -coredomain + -hal_wifi_server + -wificond + -vendor_init + } { + exported_wifi_prop + }:property_service set; + +# Prevent properties from being read + neverallow { + domain + -coredomain + -appdomain + -vendor_init + } { + core_property_type + extended_core_property_type + exported_dalvik_prop + exported_ffs_prop + exported_system_radio_prop + exported2_config_prop + exported2_system_prop + exported2_vold_prop + exported3_default_prop + exported3_system_prop + -debug_prop + -logd_prop + -nfc_prop + -powerctl_prop + -radio_prop + }:file no_rw_file_perms; + + neverallow { + domain + -coredomain + -appdomain + -hal_nfc_server + } { + nfc_prop + }:file no_rw_file_perms; + + neverallow { + domain + -coredomain + -appdomain + -hal_telephony_server + } { + radio_prop + }:file no_rw_file_perms; + + neverallow { + domain + -coredomain + -bluetooth + -hal_bluetooth_server + } { + bluetooth_prop + }:file no_rw_file_perms; + + neverallow { + domain + -coredomain + -hal_wifi_server + -wificond + } { + wifi_prop + }:file no_rw_file_perms; +') + +compatible_property_only(` + # Neverallow coredomain to set vendor properties + neverallow { + coredomain + 
-init + -system_writes_vendor_properties_violators + } { + property_type + -system_property_type + -extended_core_property_type + }:property_service set; +') + +neverallow { + -init + -system_server +} { + userspace_reboot_log_prop +}:property_service set; + +neverallow { + # Only allow init and system_server to set system_adbd_prop + -init + -system_server +} { + system_adbd_prop +}:property_service set; + +neverallow { + # Only allow init and adbd to set adbd_prop + -init + -adbd +} { + adbd_prop +}:property_service set; + +neverallow { + # Only allow init and shell to set userspace_reboot_test_prop + -init + -shell +} { + userspace_reboot_test_prop +}:property_service set; diff --git a/private/radio.te b/private/radio.te index 17a4fdd7b..9b2e9dbdd 100644 --- a/private/radio.te +++ b/private/radio.te @@ -4,6 +4,16 @@ app_domain(radio) read_runtime_log_tags(radio) +# Property service +set_prop(radio, radio_prop) +set_prop(radio, exported_radio_prop) +set_prop(radio, exported2_radio_prop) +set_prop(radio, exported3_radio_prop) +set_prop(radio, net_radio_prop) + +# ctl interface +set_prop(radio, ctl_rildaemon_prop) + # Telephony code contains time / time zone detection logic so it reads the associated properties. get_prop(radio, time_prop) diff --git a/private/recovery.te b/private/recovery.te index 2a7fdc7e1..eee1698e2 100644 --- a/private/recovery.te +++ b/private/recovery.te 
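Review bot: The four neverallow rules at the end of the new private/property.te use a negation-only source set (`{ -init -system_server }`, `{ -init -adbd }`, `{ -init -shell }`), while every other neverallow in this file and in the sibling hunks (private/apexd.te, private/netd.te, private/domain.te) starts the set with `domain`. Whether checkpolicy reads a negation-only set as "every type except these" is not obvious from the policy text, and a reader can misread it as an empty set, which would make these build-time checks silently vacuous; writing `neverallow { domain -init -system_server } userspace_reboot_log_prop:property_service set;` (and likewise for the other three) states the intent explicitly and matches the rest of the file. The comments placed inside the braces (`# Only allow init and adbd to set adbd_prop`) would also be more consistent with the file if moved above each rule.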
@@ -1 +1,24 @@ typeattribute recovery coredomain; + +# The allow rules are only included in the recovery policy. +# Otherwise recovery is only allowed the domain rules. +recovery_only(` + # Reboot the device + set_prop(recovery, powerctl_prop) + + # Read serial number of the device from system properties + get_prop(recovery, serialno_prop) + + # Set sys.usb.ffs.ready when starting minadbd for sideload. + set_prop(recovery, ffs_prop) + set_prop(recovery, exported_ffs_prop) + + # Set sys.usb.config when switching into fastboot. + set_prop(recovery, system_radio_prop) + set_prop(recovery, exported_system_radio_prop) + + # Read ro.boot.bootreason + get_prop(recovery, bootloader_boot_reason_prop) + + set_prop(recovery, gsid_prop) +') diff --git a/private/shell.te b/private/shell.te index 76ff0734d..63757ebba 100644 --- a/private/shell.te +++ b/private/shell.te @@ -1,3 +1,4 @@ + typeattribute shell coredomain; # allow shell input injection 
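Review bot: The first hunk of private/shell.te inserts a blank line ahead of `typeattribute shell coredomain;`, so the file now begins with an empty line; no other file in this commit gains a leading blank line and this looks accidental. Dropping the added line makes the hunk disappear and keeps the file header as it was. The second private/shell.te hunk, which appends the property rules at the end of the file, is unaffected.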
@@ -90,3 +91,52 @@ allow shell simpleperf_exec:file rx_file_perms; # not the whole system. allow shell self:perf_event { open read write kernel }; neverallow shell self:perf_event ~{ open read write kernel }; + +# Set properties. +set_prop(shell, shell_prop) +set_prop(shell, ctl_bugreport_prop) +set_prop(shell, ctl_dumpstate_prop) +set_prop(shell, dumpstate_prop) +set_prop(shell, exported_dumpstate_prop) +set_prop(shell, debug_prop) +set_prop(shell, powerctl_prop) +set_prop(shell, log_tag_prop) +set_prop(shell, wifi_log_prop) +# Allow shell to start/stop traced via the persist.traced.enable +# property (which also takes care of /data/misc initialization). +set_prop(shell, traced_enabled_prop) +# adjust is_loggable properties +userdebug_or_eng(`set_prop(shell, log_prop)') +# logpersist script +userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)') +# Allow shell to start/stop heapprofd via the persist.heapprofd.enable +# property. +set_prop(shell, heapprofd_enabled_prop) +# Allow shell to start/stop traced_perf via the persist.traced_perf.enable +# property. +set_prop(shell, traced_perf_enabled_prop) +# Allow shell to start/stop gsid via ctl.start|stop|restart gsid. +set_prop(shell, ctl_gsid_prop) +# Allow shell to enable Dynamic System Update +set_prop(shell, dynamic_system_prop) +# Allow shell to mock an OTA using persist.pm.mock-upgrade +set_prop(shell, mock_ota_prop) + +# Read device's serial number from system properties +get_prop(shell, serialno_prop) + +# Allow shell to read the vendor security patch level for CTS +get_prop(shell, vendor_security_patch_level_prop) + +# Read state of logging-related properties +get_prop(shell, device_logging_prop) + +# Read state of boot reason properties +get_prop(shell, bootloader_boot_reason_prop) +get_prop(shell, last_boot_reason_prop) +get_prop(shell, system_boot_reason_prop) + +# Allow reading the outcome of perf_event_open LSM support test for CTS. 
+get_prop(shell, init_perf_lsm_hooks_prop) + +userdebug_or_eng(`set_prop(shell, persist_debug_prop)') diff --git a/private/traceur_app.te b/private/traceur_app.te index 94841df10..b7e58ba40 100644 --- a/private/traceur_app.te +++ b/private/traceur_app.te @@ -20,3 +20,8 @@ allow traceur_app perfetto_exec:file rx_file_perms; unix_socket_connect(traceur_app, traced_consumer, traced) dontaudit traceur_app debugfs_tracing_debug:file audit_access; + +# Allow Traceur to enable traced if necessary. +set_prop(traceur_app, traced_enabled_prop) + +set_prop(traceur_app, debug_prop) diff --git a/private/ueventd.te b/private/ueventd.te index 1bd67735e..8bcdbf95a 100644 --- a/private/ueventd.te +++ b/private/ueventd.te @@ -1,3 +1,7 @@ typeattribute ueventd coredomain; tmpfs_domain(ueventd) + +# ueventd can set properties, particularly it sets ro.cold_boot_done to signal +# to init that cold boot has completed. +set_prop(ueventd, cold_boot_done_prop) diff --git a/private/uncrypt.te b/private/uncrypt.te index e4e9224d9..1a94cd1e5 100644 --- a/private/uncrypt.te +++ b/private/uncrypt.te @@ -1,3 +1,6 @@ typeattribute uncrypt coredomain; init_daemon_domain(uncrypt) + +# Set a property to reboot the device. +set_prop(uncrypt, powerctl_prop) diff --git a/private/update_engine.te b/private/update_engine.te index e4e700919..a76ab49e1 100644 --- a/private/update_engine.te +++ b/private/update_engine.te @@ -5,3 +5,9 @@ init_daemon_domain(update_engine); # Allow to talk to gsid. allow update_engine gsi_service:service_manager find; binder_call(update_engine, gsid) + +# Allow to start gsid service. +set_prop(update_engine, ctl_gsid_prop) + +# Allow to set the OTA related properties, e.g. ota.warm_reset. +set_prop(update_engine, ota_prop) diff --git a/private/update_verifier.te b/private/update_verifier.te index 1b934d980..5e1b27bf8 100644 --- a/private/update_verifier.te +++ b/private/update_verifier.te 
@@ -1,3 +1,9 @@ typeattribute update_verifier coredomain; init_daemon_domain(update_verifier) + +# Allow update_verifier to reboot the device. +set_prop(update_verifier, powerctl_prop) + +# Allow to set the OTA related properties e.g. ota.warm_reset. +set_prop(update_verifier, ota_prop) diff --git a/private/usbd.te b/private/usbd.te index 13a0ad7a6..42f23244e 100644 --- a/private/usbd.te +++ b/private/usbd.te @@ -10,3 +10,6 @@ get_prop(usbd, system_prop) # start adbd during boot if adb is enabled set_prop(usbd, ctl_default_prop) + +# Start/stop adbd via ctl.start adbd +set_prop(usbd, ctl_adbd_prop) diff --git a/private/vold.te b/private/vold.te index dea24a576..19d74b1f9 100644 --- a/private/vold.te +++ b/private/vold.te @@ -17,3 +17,13 @@ domain_trans(vold, fsck_exec, fsck_untrusted); # from accidentally writing when the mount point isn't present. type_transition vold storage_file:dir storage_stub_file; type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file; + +# Property Service +set_prop(vold, vold_prop) +set_prop(vold, exported_vold_prop) +set_prop(vold, exported2_vold_prop) +set_prop(vold, powerctl_prop) +set_prop(vold, ctl_fuse_prop) +set_prop(vold, restorecon_prop) +set_prop(vold, ota_prop) +set_prop(vold, boottime_prop) diff --git a/private/wificond.te b/private/wificond.te index cc7644745..7bffabafe 100644 --- a/private/wificond.te +++ b/private/wificond.te @@ -1,4 +1,10 @@ typeattribute wificond coredomain; +set_prop(wificond, exported_wifi_prop) +set_prop(wificond, wifi_prop) +set_prop(wificond, ctl_default_prop) + +get_prop(wificond, hwservicemanager_prop) + init_daemon_domain(wificond) hal_client_domain(wificond, hal_wifi_offload) diff --git a/public/adbd.te b/public/adbd.te index 4a1f63388..68a176ca6 100644 --- a/public/adbd.te +++ b/public/adbd.te 
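Review bot: In private/wificond.te the new set_prop/get_prop lines are inserted between `typeattribute wificond coredomain;` and `init_daemon_domain(wificond)`, splitting the domain declaration from its init_daemon_domain macro, whereas the other files in this commit (private/lmkd.te, private/uncrypt.te, private/vold.te) append the property rules after the existing rules. Moving the five lines below `hal_client_domain(wificond, hal_wifi_offload)` keeps the declaration header together and matches the sibling files. The lines also carry no comment; a heading like the `# Property Service` used in the private/vold.te hunk, plus a short note on why wificond needs `ctl_default_prop`, would help the next reader.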
@@ -6,6 +6,3 @@ type adbd_exec, exec_type, file_type, system_file_type; # Only init is allowed to enter the adbd domain via exec() neverallow { domain -init } adbd:process transition; neverallow * adbd:process dyntransition; - -# Allow adbd start/stop mdnsd via ctl.start -set_prop(adbd, ctl_mdnsd_prop) diff --git a/public/apexd.te b/public/apexd.te index 93c257f5f..429791f57 100644 --- a/public/apexd.te +++ b/public/apexd.te @@ -4,12 +4,8 @@ type apexd_exec, exec_type, file_type, system_file_type; binder_use(apexd) add_service(apexd, apex_service) -set_prop(apexd, apexd_prop) neverallow { domain -init -apexd -system_server } apex_service:service_manager find; neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call; neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace; - -# only apexd can set apexd sysprop -neverallow { domain -apexd -init } apexd_prop:property_service set; diff --git a/public/asan_extract.te b/public/asan_extract.te index 15c5a09fd..22da8c152 100644 --- a/public/asan_extract.te +++ b/public/asan_extract.te @@ -30,7 +30,4 @@ with_asan(` # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser). allow asan_extract system_data_file:file execute; - - # We need to signal a reboot when done. - set_prop(asan_extract, powerctl_prop) ') diff --git a/public/bootanim.te b/public/bootanim.te index e8cb98bbc..eb3eba59f 100644 --- a/public/bootanim.te +++ b/public/bootanim.te @@ -36,7 +36,3 @@ allow bootanim proc_meminfo:file r_file_perms; # System file accesses. allow bootanim system_file:dir r_dir_perms; - -# Read ro.boot.bootreason b/30654343 -get_prop(bootanim, bootloader_boot_reason_prop) - diff --git a/public/bootstat.te b/public/bootstat.te index 6143a7d2b..5079c28f1 100644 --- a/public/bootstat.te +++ b/public/bootstat.te 
@@ -8,13 +8,6 @@ read_runtime_log_tags(bootstat) allow bootstat bootstat_data_file:dir rw_dir_perms; allow bootstat bootstat_data_file:file create_file_perms; -# Collect metrics on boot time created by init -get_prop(bootstat, boottime_prop) - -# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty) -set_prop(bootstat, bootloader_boot_reason_prop) -set_prop(bootstat, system_boot_reason_prop) -set_prop(bootstat, last_boot_reason_prop) allow bootstat metadata_file:dir search; allow bootstat metadata_bootstat_file:dir rw_dir_perms; allow bootstat metadata_bootstat_file:file create_file_perms; @@ -32,30 +25,6 @@ read_logd(bootstat) # Allow bootstat write to statsd. unix_socket_send(bootstat, statsdw, statsd) -# ToDo: end - -neverallow { - domain - -bootanim - -bootstat - -dumpstate - -init - -recovery - -shell - -system_server -} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms; -# ... and refine, as these components should not set the last boot reason -neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms; - -neverallow { - domain - -bootstat - -init - -system_server -} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set; -# ... and refine ... for a ro propertly no less ... keep this _tight_ -neverallow system_server bootloader_boot_reason_prop:property_service set; - neverallow { domain -bootstat diff --git a/public/charger.te b/public/charger.te index 4b341ead3..f57853a90 100644 --- a/public/charger.te +++ b/public/charger.te 
@@ -36,13 +36,4 @@ allow charger input_device:chr_file r_file_perms; allow charger tty_device:chr_file rw_file_perms; allow charger proc_sysrq:file rw_file_perms; -# charger needs to tell init to continue the boot -# process when running in charger mode. -set_prop(charger, system_prop) -set_prop(charger, exported_system_prop) -set_prop(charger, exported2_system_prop) -set_prop(charger, exported3_system_prop) - -get_prop(charger, charger_prop) - hal_client_domain(charger, hal_health) diff --git a/public/dhcp.te b/public/dhcp.te index 4f2369d2d..67fd0389e 100644 --- a/public/dhcp.te +++ b/public/dhcp.te @@ -17,9 +17,6 @@ allow dhcp toolbox_exec:file rx_file_perms; # For /proc/sys/net/ipv4/conf/*/promote_secondaries allow dhcp proc_net_type:file write; -set_prop(dhcp, dhcp_prop) -set_prop(dhcp, pan_result_prop) - allow dhcp dhcp_data_file:dir create_dir_perms; allow dhcp dhcp_data_file:file create_file_perms; diff --git a/public/domain.te b/public/domain.te index 1b7d4fb64..03f1d28d7 100644 --- a/public/domain.te +++ b/public/domain.te @@ -533,10 +533,6 @@ compatible_property_only(` neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; ') -# Only core domains are allowed to access package_manager properties -neverallow { domain -init -system_server } pm_prop:property_service set; -neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; - compatible_property_only(` neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; @@ -562,9 +558,6 @@ neverallow { -vendor_init } serialno_prop:file r_file_perms; -# Do not allow reading the last boot timestamp from system properties -neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms; - neverallow { domain -init diff --git a/public/dumpstate.te b/public/dumpstate.te index 1e895e440..5f27d32f8 100644 --- a/public/dumpstate.te 
+++ b/public/dumpstate.te @@ -258,13 +258,6 @@ allow dumpstate hwservicemanager:hwservice_manager list; allow dumpstate devpts:chr_file rw_file_perms; -# Set properties. -# dumpstate_prop is used to share state with the Shell app. -set_prop(dumpstate, dumpstate_prop) -set_prop(dumpstate, exported_dumpstate_prop) -# dumpstate_options_prop is used to pass extra command-line args. -set_prop(dumpstate, dumpstate_options_prop) - # Read any system properties get_prop(dumpstate, property_type) @@ -329,9 +322,6 @@ binder_call(dumpstate, hal_rebootescrow_server) allow hal_rebootescrow_server dumpstate:fifo_file write; allow hal_rebootescrow_server dumpstate:fd use; -# Allow dumpstate to kill vendor dumpstate service by init -set_prop(dumpstate, ctl_dumpstate_prop) - #Access /data/misc/snapshotctl_log allow dumpstate snapshotctl_log_data_file:dir r_dir_perms; allow dumpstate snapshotctl_log_data_file:file r_file_perms; diff --git a/public/fastbootd.te b/public/fastbootd.te index a0152d40a..bb18637fc 100644 --- a/public/fastbootd.te +++ b/public/fastbootd.te @@ -23,22 +23,12 @@ recovery_only(` allow fastbootd device:dir r_dir_perms; - # Reboot the device - set_prop(fastbootd, powerctl_prop) - - # Read serial number of the device from system properties - get_prop(fastbootd, serialno_prop) - # For dev/block/by-name dir allow fastbootd block_device:dir r_dir_perms; # Needed for DM_DEV_CREATE ioctl call allow fastbootd self:capability sys_admin; - # Set sys.usb.ffs.ready. - set_prop(fastbootd, ffs_prop) - set_prop(fastbootd, exported_ffs_prop) - unix_socket_connect(fastbootd, recovery, recovery) # Required for flashing 
@@ -106,18 +96,12 @@ recovery_only(` }:{ file lnk_file } unlink; allow fastbootd tmpfs:dir rw_dir_perms; allow fastbootd labeledfs:filesystem { mount unmount }; - get_prop(fastbootd, persistent_properties_ready_prop) ') # Allow using libfiemap/gsid directly (no binder in recovery). - set_prop(fastbootd, gsid_prop) allow fastbootd gsi_metadata_file:dir search; allow fastbootd ota_metadata_file:dir rw_dir_perms; allow fastbootd ota_metadata_file:file create_file_perms; - - # Determine allocation scheme (whether B partitions needs to be - # at the second half of super. - get_prop(fastbootd, virtual_ab_prop) ') ### diff --git a/public/flags_health_check.te b/public/flags_health_check.te index 6315d44e4..25a776813 100644 --- a/public/flags_health_check.te +++ b/public/flags_health_check.te 
@@ -2,33 +2,9 @@ type flags_health_check, domain, coredomain; type flags_health_check_exec, system_file_type, exec_type, file_type; -set_prop(flags_health_check, device_config_boot_count_prop) -set_prop(flags_health_check, device_config_reset_performed_prop) -set_prop(flags_health_check, device_config_runtime_native_boot_prop) -set_prop(flags_health_check, device_config_runtime_native_prop) -set_prop(flags_health_check, device_config_input_native_boot_prop) -set_prop(flags_health_check, device_config_netd_native_prop) -set_prop(flags_health_check, device_config_activity_manager_native_boot_prop) -set_prop(flags_health_check, device_config_media_native_prop) -set_prop(flags_health_check, device_config_storage_native_boot_prop) -set_prop(flags_health_check, device_config_sys_traced_prop) -set_prop(flags_health_check, device_config_window_manager_native_boot_prop) -set_prop(flags_health_check, device_config_configuration_prop) - allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms; allow flags_health_check server_configurable_flags_data_file:file create_file_perms; -# system property device_config_boot_count_prop is used for deciding when to perform server -# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a -# wrong timing, trigger server configurable flag related disaster recovery, which will override -# server configured values of all flags with default values. -neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set; - -# system property device_config_reset_performed_prop is used for indicating whether server -# configurable flags have been reset during booting. Mistakenly modified by unrelated components can -# cause bad server configurable flags synced back to device. 
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set; - # server_configurable_flags_data_file is used for storing whether server configurable flags which # have been reset during current booting. Mistakenly modified by unrelated components can # cause bad server configurable flags synced back to device. diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te index dc46d0789..e1739c273 100644 --- a/public/gatekeeperd.te +++ b/public/gatekeeperd.te @@ -35,7 +35,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms; # For hardware properties retrieval allow gatekeeperd hardware_properties_service:service_manager find; -# For checking whether GSI is running -get_prop(gatekeeperd, gsid_prop) - r_dir_file(gatekeeperd, cgroup) diff --git a/public/healthd.te b/public/healthd.te index 7ea23e1c3..867384640 100644 --- a/public/healthd.te +++ b/public/healthd.te @@ -47,10 +47,3 @@ allow healthd input_device:chr_file r_file_perms; allow healthd tty_device:chr_file rw_file_perms; allow healthd ashmem_device:chr_file execute; allow healthd proc_sysrq:file rw_file_perms; - -# Healthd needs to tell init to continue the boot -# process when running in charger mode. -set_prop(healthd, system_prop) -set_prop(healthd, exported_system_prop) -set_prop(healthd, exported2_system_prop) -set_prop(healthd, exported3_system_prop) diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te index 7f0381564..7ec187233 100644 --- a/public/hwservicemanager.te +++ b/public/hwservicemanager.te @@ -10,8 +10,6 @@ type hwservicemanager_exec, system_file_type, exec_type, file_type; # to do this is granted in the hwbinder_use macro. allow hwservicemanager self:binder set_context_mgr; -set_prop(hwservicemanager, hwservicemanager_prop) - # Scan through /system/lib64/hw looking for installed HALs allow hwservicemanager system_file:dir r_dir_perms; diff --git a/public/lmkd.te b/public/lmkd.te index b852f4418..7c1e7411e 100644 
--- a/public/lmkd.te +++ b/public/lmkd.te @@ -36,9 +36,6 @@ allow lmkd self:global_capability_class_set sys_nice; allow lmkd proc_zoneinfo:file r_file_perms; allow lmkd proc_vmstat:file r_file_perms; -# Set sys.lmk.* properties. -set_prop(lmkd, system_lmk_prop) - # live lock watchdog process allowed to look through /proc/ allow lmkd domain:dir { search open read }; allow lmkd domain:file { open read }; diff --git a/public/logd.te b/public/logd.te index 57e29d940..f8dd1640d 100644 --- a/public/logd.te +++ b/public/logd.te @@ -23,9 +23,6 @@ userdebug_or_eng(` ') allow logd runtime_event_log_tags_file:file rw_file_perms; -# Access device logging gating property -get_prop(logd, device_logging_prop) - r_dir_file(logd, domain) allow logd kernel:system syslog_mod; diff --git a/public/mediaextractor.te b/public/mediaextractor.te index 4bedb0f06..4bee4f824 100644 --- a/public/mediaextractor.te +++ b/public/mediaextractor.te @@ -37,8 +37,6 @@ allow mediaextractor ringtone_file:file { read getattr }; # scan extractor library directory to dynamically load extractors allow mediaextractor system_file:dir { read open }; -get_prop(mediaextractor, device_config_media_native_prop) - ### ### neverallow rules ### diff --git a/public/mediaserver.te b/public/mediaserver.te index 02a0eb072..832eaa3ac 100644 --- a/public/mediaserver.te +++ b/public/mediaserver.te @@ -34,8 +34,6 @@ allow mediaserver gpu_device:chr_file rw_file_perms; allow mediaserver video_device:dir r_dir_perms; allow mediaserver video_device:chr_file rw_file_perms; -set_prop(mediaserver, audio_prop) - # Read resources from open apk files passed over Binder. allow mediaserver apk_data_file:file { read getattr }; allow mediaserver asec_apk_file:file { read getattr }; diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te index 2acdeeadd..992baabae 100644 --- a/public/mediaswcodec.te +++ b/public/mediaswcodec.te 
@@ -11,8 +11,6 @@ hal_client_domain(mediaswcodec, hal_omx) hal_client_domain(mediaswcodec, hal_allocator) hal_client_domain(mediaswcodec, hal_graphics_allocator) -get_prop(mediaswcodec, device_config_media_native_prop) - crash_dump_fallback(mediaswcodec) # mediaswcodec_server should never execute any executable without a diff --git a/public/netd.te b/public/netd.te index 8005406d6..a020a573f 100644 --- a/public/netd.te +++ b/public/netd.te @@ -81,9 +81,6 @@ allow netd system_file:file lock; # Allow netd to spawn dnsmasq in it's own domain allow netd dnsmasq:process signal; -set_prop(netd, ctl_mdnsd_prop) -set_prop(netd, netd_stable_secret_prop) - # Allow netd to publish a binder service and make binder calls. binder_use(netd) add_service(netd, netd_service) @@ -113,8 +110,6 @@ allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write n # Allow netd to register as hal server. add_hwservice(netd, system_net_netd_hwservice) hwbinder_use(netd) -get_prop(netd, hwservicemanager_prop) -get_prop(netd, device_config_netd_native_prop) ### ### Neverallow rules @@ -157,14 +152,6 @@ neverallow { neverallow { appdomain -network_stack } netd:binder call; neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call; -# persist.netd.stable_secret contains RFC 7217 secret key which should never be -# leaked to other processes. Make sure it never leaks. -neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms; - -# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret, -# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy. -neverallow { domain -netd -init } netd_stable_secret_prop:property_service set; - # If an already existing file is opened with O_CREATE, the kernel might generate # a false report of a create denial. Silence these denials and make sure that # inappropriate permissions are not granted. 
diff --git a/public/property.te b/public/property.te index 67a1fbeac..afc5c1eef 100644 --- a/public/property.te +++ b/public/property.te @@ -1,4 +1,8 @@ # Properties used only in /system +# +# DO NOT ADD system_internal_prop here. +# Instead, add to private/property.te. +# TODO(b/150331497): move these to private/property.te system_internal_prop(apexd_prop) system_internal_prop(bootloader_boot_reason_prop) system_internal_prop(device_config_activity_manager_native_boot_prop) 
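Review bot: The new header comment tells contributors not to declare system_internal_prop types in this file but says nothing about where the access rules for those types now live, so a reader of public/property.te sees `system_internal_prop(apexd_prop)` and the following declarations with no allow or neverallow constraining them; consider adding one line after the TODO, `# allow/neverallow rules for these types live in private/property.te.`. That pointer matters because this same commit removes the treble_sysprop_neverallow block, the `neverallow domain property_type:file { ioctl lock };` rule and the per-property set/read neverallows further down this file, the netd_stable_secret_prop read/set neverallows in public/netd.te, and the pm_prop/firstboot_prop neverallows in public/domain.te. Only the removal side of those moves is in view here; whether each rule is re-added unchanged in private/property.te and the other private files cannot be confirmed from these hunks, so that equivalence is the thing to check when reviewing the private side.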
@@ -243,54 +247,6 @@ typeattribute wifi_log_prop log_property_type; allow property_type tmpfs:filesystem associate; -### -### Neverallow rules -### - -treble_sysprop_neverallow(` - -# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties -# neverallow domain { -# property_type -# -system_property_type -# -product_property_type -# -vendor_property_type -# }:file no_rw_file_perms; - -neverallow { domain -coredomain } { - system_property_type - system_internal_property_type - -system_restricted_property_type - -system_public_property_type -}:file no_rw_file_perms; - -neverallow { domain -coredomain } { - system_property_type - -system_public_property_type -}:property_service set; - -# init is in coredomain, but should be able to read/write all props. -# dumpstate is also in coredomain, but should be able to read all props. -neverallow { coredomain -init -dumpstate } { - vendor_property_type - vendor_internal_property_type - -vendor_restricted_property_type - -vendor_public_property_type -}:file no_rw_file_perms; - -neverallow { coredomain -init } { - vendor_property_type - -vendor_public_property_type -}:property_service set; - -') - -# There is no need to perform ioctl or advisory locking operations on -# property files. If this neverallow is being triggered, it is -# likely that the policy is using r_file_perms directly instead of -# the get_prop() macro. -neverallow domain property_type:file { ioctl lock }; - # core_property_type should not be used for new properties or # device specific properties. Properties with this attribute # are readable to everyone, which is overly broad and should 
@@ -322,277 +278,3 @@ typeattribute shell_prop core_property_type; typeattribute system_prop core_property_type; typeattribute system_radio_prop core_property_type; typeattribute vold_prop core_property_type; - -neverallow * { - core_property_type - -audio_prop - -config_prop - -cppreopt_prop - -dalvik_prop - -debuggerd_prop - -debug_prop - -default_prop - -dhcp_prop - -dumpstate_prop - -ffs_prop - -fingerprint_prop - -logd_prop - -net_radio_prop - -nfc_prop - -ota_prop - -pan_result_prop - -persist_debug_prop - -powerctl_prop - -radio_prop - -restorecon_prop - -shell_prop - -system_prop - -system_radio_prop - -vold_prop -}:file no_rw_file_perms; - -# sigstop property is only used for debugging; should only be set by su which is permissive -# for userdebug/eng -neverallow { - domain - -init - -vendor_init -} ctl_sigstop_prop:property_service set; - -# Don't audit legacy ctl. property handling. We only want the newer permission check to appear -# in the audit log -dontaudit domain { - ctl_bootanim_prop - ctl_bugreport_prop - ctl_console_prop - ctl_default_prop - ctl_dumpstate_prop - ctl_fuse_prop - ctl_mdnsd_prop - ctl_rildaemon_prop -}:property_service set; - -neverallow { - domain - -init -} init_svc_debug_prop:property_service set; - -neverallow { - domain - -init - -dumpstate - userdebug_or_eng(`-su') -} init_svc_debug_prop:file no_rw_file_perms; - -compatible_property_only(` -# Prevent properties from being set - neverallow { - domain - -coredomain - -appdomain - -vendor_init - } { - core_property_type - extended_core_property_type - exported_config_prop - exported_dalvik_prop - exported_default_prop - exported_dumpstate_prop - exported_ffs_prop - exported_fingerprint_prop - exported_system_prop - exported_system_radio_prop - exported_vold_prop - exported2_config_prop - exported2_default_prop - exported2_system_prop - exported2_vold_prop - exported3_default_prop - exported3_system_prop - -nfc_prop - -powerctl_prop - -radio_prop - }:property_service set; - - 
neverallow { - domain - -coredomain - -appdomain - -hal_nfc_server - } { - nfc_prop - }:property_service set; - - neverallow { - domain - -coredomain - -appdomain - -hal_telephony_server - -vendor_init - } { - exported_radio_prop - exported3_radio_prop - }:property_service set; - - neverallow { - domain - -coredomain - -appdomain - -hal_telephony_server - } { - exported2_radio_prop - radio_prop - }:property_service set; - - neverallow { - domain - -coredomain - -bluetooth - -hal_bluetooth_server - } { - bluetooth_prop - }:property_service set; - - neverallow { - domain - -coredomain - -bluetooth - -hal_bluetooth_server - -vendor_init - } { - exported_bluetooth_prop - }:property_service set; - - neverallow { - domain - -coredomain - -hal_camera_server - -cameraserver - -vendor_init - } { - exported_camera_prop - }:property_service set; - - neverallow { - domain - -coredomain - -hal_wifi_server - -wificond - } { - wifi_prop - }:property_service set; - - neverallow { - domain - -coredomain - -hal_wifi_server - -wificond - -vendor_init - } { - exported_wifi_prop - }:property_service set; - -# Prevent properties from being read - neverallow { - domain - -coredomain - -appdomain - -vendor_init - } { - core_property_type - extended_core_property_type - exported_dalvik_prop - exported_ffs_prop - exported_system_radio_prop - exported2_config_prop - exported2_system_prop - exported2_vold_prop - exported3_default_prop - exported3_system_prop - -debug_prop - -logd_prop - -nfc_prop - -powerctl_prop - -radio_prop - }:file no_rw_file_perms; - - neverallow { - domain - -coredomain - -appdomain - -hal_nfc_server - } { - nfc_prop - }:file no_rw_file_perms; - - neverallow { - domain - -coredomain - -appdomain - -hal_telephony_server - } { - radio_prop - }:file no_rw_file_perms; - - neverallow { - domain - -coredomain - -bluetooth - -hal_bluetooth_server - } { - bluetooth_prop - }:file no_rw_file_perms; - - neverallow { - domain - -coredomain - -hal_wifi_server - -wificond - } { - 
wifi_prop - }:file no_rw_file_perms; -') - -compatible_property_only(` - # Neverallow coredomain to set vendor properties - neverallow { - coredomain - -init - -system_writes_vendor_properties_violators - } { - property_type - -system_property_type - -extended_core_property_type - }:property_service set; -') - -neverallow { - -init - -system_server -} { - userspace_reboot_log_prop -}:property_service set; - -neverallow { - # Only allow init and system_server to set system_adbd_prop - -init - -system_server -} { - system_adbd_prop -}:property_service set; - -neverallow { - # Only allow init and adbd to set adbd_prop - -init - -adbd -} { - adbd_prop -}:property_service set; - -neverallow { - # Only allow init and shell to set userspace_reboot_test_prop - -init - -shell -} { - userspace_reboot_test_prop -}:property_service set; diff --git a/public/radio.te b/public/radio.te index 34eaf83d0..6ec008610 100644 --- a/public/radio.te +++ b/public/radio.te @@ -16,16 +16,6 @@ allow radio radio_data_file:notdevfile_class_set create_file_perms; allow radio net_data_file:dir search; allow radio net_data_file:file r_file_perms; -# Property service -set_prop(radio, radio_prop) -set_prop(radio, exported_radio_prop) -set_prop(radio, exported2_radio_prop) -set_prop(radio, exported3_radio_prop) -set_prop(radio, net_radio_prop) - -# ctl interface -set_prop(radio, ctl_rildaemon_prop) - add_service(radio, radio_service) allow radio audioserver_service:service_manager find; allow radio cameraserver_service:service_manager find; diff --git a/public/recovery.te b/public/recovery.te index 3bac03dd6..aceba01c4 100644 --- a/public/recovery.te +++ b/public/recovery.te 
@@ -108,23 +108,6 @@ recovery_only(` # Read files on /oem. r_dir_file(recovery, oemfs); - # Reboot the device - set_prop(recovery, powerctl_prop) - - # Read serial number of the device from system properties - get_prop(recovery, serialno_prop) - - # Set sys.usb.ffs.ready when starting minadbd for sideload. - set_prop(recovery, ffs_prop) - set_prop(recovery, exported_ffs_prop) - - # Set sys.usb.config when switching into fastboot. - set_prop(recovery, system_radio_prop) - set_prop(recovery, exported_system_radio_prop) - - # Read ro.boot.bootreason - get_prop(recovery, bootloader_boot_reason_prop) - # Use setfscreatecon() to label files for OTA updates. allow recovery self:process setfscreate; @@ -144,7 +127,6 @@ recovery_only(` allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF }; # Allow using libfiemap/gsid directly (no binder in recovery). - set_prop(recovery, gsid_prop) allow recovery gsi_metadata_file:dir search; allow recovery ota_metadata_file:dir rw_dir_perms; allow recovery ota_metadata_file:file create_file_perms; diff --git a/public/shell.te b/public/shell.te index 79d5c89b3..712307f10 100644 --- a/public/shell.te +++ b/public/shell.te 
@@ -58,60 +58,12 @@ allow shell zygote_exec:file rx_file_perms; r_dir_file(shell, apk_data_file) -# Set properties. -set_prop(shell, shell_prop) -set_prop(shell, ctl_bugreport_prop) -set_prop(shell, ctl_dumpstate_prop) -set_prop(shell, dumpstate_prop) -set_prop(shell, exported_dumpstate_prop) -set_prop(shell, debug_prop) -set_prop(shell, powerctl_prop) -set_prop(shell, log_tag_prop) -set_prop(shell, wifi_log_prop) -# Allow shell to start/stop traced via the persist.traced.enable -# property (which also takes care of /data/misc initialization). -set_prop(shell, traced_enabled_prop) -# adjust is_loggable properties -userdebug_or_eng(`set_prop(shell, log_prop)') -# logpersist script -userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)') -# Allow shell to start/stop heapprofd via the persist.heapprofd.enable -# property. -set_prop(shell, heapprofd_enabled_prop) -# Allow shell to start/stop traced_perf via the persist.traced_perf.enable -# property. -set_prop(shell, traced_perf_enabled_prop) -# Allow shell to start/stop gsid via ctl.start|stop|restart gsid. 
-set_prop(shell, ctl_gsid_prop) -# Allow shell to enable Dynamic System Update -set_prop(shell, dynamic_system_prop) -# Allow shell to mock an OTA using persist.pm.mock-upgrade -set_prop(shell, mock_ota_prop) - userdebug_or_eng(` # "systrace --boot" support - allow boottrace service to run allow shell boottrace_data_file:dir rw_dir_perms; allow shell boottrace_data_file:file create_file_perms; - set_prop(shell, persist_debug_prop) ') -# Read device's serial number from system properties -get_prop(shell, serialno_prop) - -# Allow shell to read the vendor security patch level for CTS -get_prop(shell, vendor_security_patch_level_prop) - -# Read state of logging-related properties -get_prop(shell, device_logging_prop) - -# Read state of boot reason properties -get_prop(shell, bootloader_boot_reason_prop) -get_prop(shell, last_boot_reason_prop) -get_prop(shell, system_boot_reason_prop) - -# Allow reading the outcome of perf_event_open LSM support test for CTS. -get_prop(shell, init_perf_lsm_hooks_prop) - # allow shell access to services allow shell servicemanager:service_manager list; # don't allow shell to access GateKeeper service diff --git a/public/traceur_app.te b/public/traceur_app.te index 7e2cc84a0..ce9b844d5 100644 --- a/public/traceur_app.te +++ b/public/traceur_app.te @@ -3,11 +3,6 @@ type traceur_app, domain; allow traceur_app servicemanager:service_manager list; allow traceur_app hwservicemanager:hwservice_manager list; -# Allow Traceur to enable traced if necessary. -set_prop(traceur_app, traced_enabled_prop) - -set_prop(traceur_app, debug_prop) - allow traceur_app { service_manager_type -apex_service diff --git a/public/ueventd.te b/public/ueventd.te index fc503b890..1d750804c 100644 --- a/public/ueventd.te +++ b/public/ueventd.te 
@@ -59,10 +59,6 @@ allow ueventd kernel:key search; allow ueventd system_bootstrap_lib_file:dir r_dir_perms; allow ueventd system_bootstrap_lib_file:file { execute read open getattr map }; -# ueventd can set properties, particularly it sets ro.cold_boot_done to signal -# to init that cold boot has completed. -set_prop(ueventd, cold_boot_done_prop) - # Allow ueventd to run shell scripts from vendor allow ueventd vendor_shell_exec:file execute; diff --git a/public/uncrypt.te b/public/uncrypt.te index 28dc3f209..75765f33e 100644 --- a/public/uncrypt.te +++ b/public/uncrypt.te @@ -22,9 +22,6 @@ allow uncrypt ota_package_file:file r_file_perms; # Write to /dev/socket/uncrypt unix_socket_connect(uncrypt, uncrypt, uncrypt) -# Set a property to reboot the device. -set_prop(uncrypt, powerctl_prop) - # Raw writes to block device allow uncrypt self:global_capability_class_set sys_rawio; allow uncrypt misc_block_device:blk_file w_file_perms; diff --git a/public/update_engine.te b/public/update_engine.te index 078e494d9..ba2f3cf04 100644 --- a/public/update_engine.te +++ b/public/update_engine.te @@ -63,12 +63,6 @@ allow update_engine proc_misc:file r_file_perms; # read directories on /system and /vendor allow update_engine system_file:dir r_dir_perms; -# Allow to start gsid service. -set_prop(update_engine, ctl_gsid_prop) - -# Allow to set the OTA related properties, e.g. ota.warm_reset. -set_prop(update_engine, ota_prop) - # update_engine tries to determine the parent path for all devices (e.g. # /dev/block/by-name) by reading the default fstab and looking for the misc # device. ReadDefaultFstab() checks whether a GSI is running by checking diff --git a/public/update_verifier.te b/public/update_verifier.te index f881aeb6b..68b43f089 100644 --- a/public/update_verifier.te +++ b/public/update_verifier.te 
@@ -24,12 +24,6 @@ allow update_verifier dm_device:blk_file r_file_perms; # Write to kernel message. allow update_verifier kmsg_device:chr_file { getattr w_file_perms }; -# Allow update_verifier to reboot the device. -set_prop(update_verifier, powerctl_prop) - -# Allow to set the OTA related properties e.g. ota.warm_reset. -set_prop(update_verifier, ota_prop) - # Use Boot Control HAL hal_client_domain(update_verifier, hal_bootctl) diff --git a/public/usbd.te b/public/usbd.te index 991e7be5f..6f349541b 100644 --- a/public/usbd.te +++ b/public/usbd.te @@ -1,5 +1,2 @@ type usbd, domain; type usbd_exec, system_file_type, exec_type, file_type; - -# Start/stop adbd via ctl.start adbd -set_prop(usbd, ctl_adbd_prop) diff --git a/public/vold.te b/public/vold.te index e17113da0..1f274fa75 100644 --- a/public/vold.te +++ b/public/vold.te @@ -196,16 +196,6 @@ allow vold system_data_file:file read; # Set scheduling policy of kernel processes allow vold kernel:process setsched; -# Property Service -set_prop(vold, vold_prop) -set_prop(vold, exported_vold_prop) -set_prop(vold, exported2_vold_prop) -set_prop(vold, powerctl_prop) -set_prop(vold, ctl_fuse_prop) -set_prop(vold, restorecon_prop) -set_prop(vold, ota_prop) -set_prop(vold, boottime_prop) - # ASEC allow vold asec_image_file:file create_file_perms; allow vold asec_image_file:dir rw_dir_perms; diff --git a/public/wificond.te b/public/wificond.te index af295113d..a36afb166 100644 --- a/public/wificond.te +++ b/public/wificond.te @@ -8,10 +8,6 @@ binder_call(wificond, keystore) add_service(wificond, wificond_service) -set_prop(wificond, exported_wifi_prop) -set_prop(wificond, wifi_prop) -set_prop(wificond, ctl_default_prop) - # create sockets to set interfaces up and down allow wificond self:udp_socket create_socket_perms; # setting interface state up/down is a privileged ioctl 
@@ -33,7 +29,6 @@ allow wificond dumpstate:fifo_file write; #### Offer the Wifi Keystore HwBinder service ### hwbinder_use(wificond) -get_prop(wificond, hwservicemanager_prop) typeattribute wificond wifi_keystore_service_server; add_hwservice(wificond, system_wifi_keystore_hwservice)