diff --git a/private/charger.te b/private/charger.te
index 693fd3ab9..8be113ffb 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@ get_prop(charger, recovery_config_prop)
compatible_property_only(`
neverallow {
+ domain
-init
-dumpstate
-charger
@@ -22,6 +23,7 @@ compatible_property_only(`
')
neverallow {
+ domain
-init
-dumpstate
-vendor_init
diff --git a/private/init.te b/private/init.te
index 4e8289a58..c652603a3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -70,19 +70,19 @@ neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
# Only init can set keystore.boot_level
-neverallow { -init } keystore_listen_prop:property_service set;
+neverallow { domain -init } keystore_listen_prop:property_service set;
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbdeaa..fef3a899f 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
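Review bot: The replaced `neverallow { -init } ...` rules in init.te (and the same pattern in charger.te, lmkd.te, property.te, private/system_server.te, tombstoned.te and public/system_server.te) had no positive base set, so what they denied depended on how the policy compiler expands a negation-only set; the new `{ domain -init }` form states the base explicitly and matches the existing `neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;` rule visible as the init.te hunk context. If the negation-only form was previously expanding to an empty set, the "only init can set" rules on vts_status_prop, bootloader_prop, hal_instrumentation_prop, property_service_version_prop and keystore_listen_prop were not enforced until this change, which is worth recording in the commit message so the affected properties get re-checked against the built policy. A comment above the first rewritten rule, `# Source sets always name a positive base (domain) before exclusions; a negation-only set has nothing to subtract from.`, would keep future rules from regressing to the old form. Most of the multi-line neverallow blocks in property.te and the other files continue outside their hunks.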
@@ -8,4 +8,4 @@ set_prop(lmkd, system_lmk_prop)
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/property.te b/private/property.te
index 88f3ec0e4..f177631bc 100644
--- a/private/property.te
+++ b/private/property.te
@@ -317,6 +317,7 @@ compatible_property_only(`
')
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -325,6 +326,7 @@ neverallow {
}:file no_rw_file_perms;
neverallow {
+ domain
-init
-system_server
} {
@@ -333,6 +335,7 @@ neverallow {
neverallow {
# Only allow init and system_server to set system_adbd_prop
+ domain
-init
-system_server
} {
@@ -341,6 +344,7 @@ neverallow {
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
+ domain
-init
-vendor_init
-adbd
@@ -351,6 +355,7 @@ neverallow {
neverallow {
# Only allow init and adbd to set adbd_prop
+ domain
-init
-adbd
} {
@@ -359,6 +364,7 @@ neverallow {
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
+ domain
-init
-shell
} {
@@ -366,6 +372,7 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
@@ -374,6 +381,7 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-init
} {
libc_debug_prop
@@ -382,6 +390,7 @@ neverallow {
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
neverallow {
+ domain
-init
-shell
} {
@@ -389,18 +398,21 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -409,6 +421,7 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-init
-system_server
} {
@@ -417,6 +430,7 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -425,6 +439,7 @@ neverallow {
}:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
init_service_status_private_prop
@@ -432,6 +447,7 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-init
-radio
-appdomain
@@ -440,6 +456,7 @@ neverallow {
} telephony_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
} {
@@ -447,6 +464,7 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-init
-surfaceflinger
} {
@@ -454,23 +472,27 @@ neverallow {
}:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
localization_prop
}:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -478,11 +500,13 @@ neverallow {
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -490,6 +514,7 @@ neverallow {
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -497,6 +522,7 @@ neverallow {
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-dumpstate
-hal_dumpstate_server
@@ -504,6 +530,7 @@ neverallow {
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
@@ -513,6 +540,7 @@ neverallow {
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
neverallow {
+ domain
-init
-dumpstate
-system_app
@@ -521,36 +549,43 @@ neverallow {
} keystore2_enable_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
+ domain
-init
} verity_status_prop:property_service set;
neverallow {
+ domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
+ domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} default_prop:property_service set;
@@ -560,6 +595,7 @@ neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
# Only allow init and shell to set rollback_test_prop
+ domain
-init
-shell
} rollback_test_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index 05a6e486e..e84c6eeaa 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1324,6 +1324,7 @@ neverallow { domain -init -system_server } socket_hook_prop:property_service set
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa4b..b6dfd1e4d 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@ init_daemon_domain(tombstoned)
get_prop(tombstoned, tombstone_config_prop)
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc14..edefadfb0 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@ get_prop(system_server, power_debug_prop)
set_prop(system_server, power_debug_prop)
neverallow {
+ domain
-init
-vendor_init
-system_server