neverallow coredomain from writing vendor properties

System properties can be abused to get around Treble requirements of having a clean system/vendor split. This CL seeks to prevent that by neverallowing coredomain from writing vendor properties. Bug: 78598545 Test: build 2017/2018 Pixels Test: build aosp_arm64 Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
2018-05-01 15:15:16 -07:00 · 2018-05-01 15:15:16 -07:00 · cdb1624c27
commit cdb1624c27
parent 4c2e89baf8
4 changed files with 198 additions and 0 deletions
--- a/prebuilts/api/28.0/public/attributes
+++ b/prebuilts/api/28.0/public/attributes
@ -166,6 +166,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 # All system domains which violate the requirement of not writing vendor
 # properties.
 # TODO(b/78598545): Remove this once there are no violations
 attribute system_writes_vendor_properties_violators;
 expandattribute system_writes_vendor_properties_violators false;
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@ -279,3 +279,96 @@ compatible_property_only(`
    wifi_prop
  }:file no_rw_file_perms;
 ')
 compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -audio_prop
    -bluetooth_a2dp_offload_prop
    -bluetooth_prop
    -bootloader_boot_reason_prop
    -boottime_prop
    -config_prop
    -cppreopt_prop
    -ctl_bootanim_prop
    -ctl_bugreport_prop
    -ctl_console_prop
    -ctl_default_prop
    -ctl_dumpstate_prop
    -ctl_fuse_prop
    -ctl_mdnsd_prop
    -ctl_rildaemon_prop
    -dalvik_prop
    -debug_prop
    -debuggerd_prop
    -default_prop
    -device_logging_prop
    -dhcp_prop
    -dumpstate_options_prop
    -dumpstate_prop
    -exported2_config_prop
    -exported2_default_prop
    -exported2_radio_prop
    -exported2_system_prop
    -exported2_vold_prop
    -exported3_default_prop
    -exported3_radio_prop
    -exported3_system_prop
    -exported_bluetooth_prop
    -exported_config_prop
    -exported_dalvik_prop
    -exported_default_prop
    -exported_dumpstate_prop
    -exported_ffs_prop
    -exported_fingerprint_prop
    -exported_overlay_prop
    -exported_pm_prop
    -exported_radio_prop
    -exported_secure_prop
    -exported_system_prop
    -exported_system_radio_prop
    -exported_vold_prop
    -exported_wifi_prop
    -ffs_prop
    -fingerprint_prop
    -firstboot_prop
    -hwservicemanager_prop
    -last_boot_reason_prop
    -log_prop
    -log_tag_prop
    -logd_prop
    -logpersistd_logging_prop
    -lowpan_prop
    -mmc_prop
    -net_dns_prop
    -net_radio_prop
    -netd_stable_secret_prop
    -nfc_prop
    -overlay_prop
    -pan_result_prop
    -persist_debug_prop
    -persistent_properties_ready_prop
    -pm_prop
    -powerctl_prop
    -radio_prop
    -restorecon_prop
    -safemode_prop
    -serialno_prop
    -shell_prop
    -system_boot_reason_prop
    -system_prop
    -system_radio_prop
    -test_boot_reason_prop
    -traced_enabled_prop
    -vendor_default_prop
    -vendor_security_patch_level_prop
    -vold_prop
    -wifi_log_prop
    -wifi_prop
  }:property_service set;
 ')
--- a/public/attributes
+++ b/public/attributes
@ -166,6 +166,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 # All system domains which violate the requirement of not writing vendor
 # properties.
 # TODO(b/78598545): Remove this once there are no violations
 attribute system_writes_vendor_properties_violators;
 expandattribute system_writes_vendor_properties_violators false;
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
--- a/public/property.te
+++ b/public/property.te
@ -279,3 +279,96 @@ compatible_property_only(`
    wifi_prop
  }:file no_rw_file_perms;
 ')
 compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -audio_prop
    -bluetooth_a2dp_offload_prop
    -bluetooth_prop
    -bootloader_boot_reason_prop
    -boottime_prop
    -config_prop
    -cppreopt_prop
    -ctl_bootanim_prop
    -ctl_bugreport_prop
    -ctl_console_prop
    -ctl_default_prop
    -ctl_dumpstate_prop
    -ctl_fuse_prop
    -ctl_mdnsd_prop
    -ctl_rildaemon_prop
    -dalvik_prop
    -debug_prop
    -debuggerd_prop
    -default_prop
    -device_logging_prop
    -dhcp_prop
    -dumpstate_options_prop
    -dumpstate_prop
    -exported2_config_prop
    -exported2_default_prop
    -exported2_radio_prop
    -exported2_system_prop
    -exported2_vold_prop
    -exported3_default_prop
    -exported3_radio_prop
    -exported3_system_prop
    -exported_bluetooth_prop
    -exported_config_prop
    -exported_dalvik_prop
    -exported_default_prop
    -exported_dumpstate_prop
    -exported_ffs_prop
    -exported_fingerprint_prop
    -exported_overlay_prop
    -exported_pm_prop
    -exported_radio_prop
    -exported_secure_prop
    -exported_system_prop
    -exported_system_radio_prop
    -exported_vold_prop
    -exported_wifi_prop
    -ffs_prop
    -fingerprint_prop
    -firstboot_prop
    -hwservicemanager_prop
    -last_boot_reason_prop
    -log_prop
    -log_tag_prop
    -logd_prop
    -logpersistd_logging_prop
    -lowpan_prop
    -mmc_prop
    -net_dns_prop
    -net_radio_prop
    -netd_stable_secret_prop
    -nfc_prop
    -overlay_prop
    -pan_result_prop
    -persist_debug_prop
    -persistent_properties_ready_prop
    -pm_prop
    -powerctl_prop
    -radio_prop
    -restorecon_prop
    -safemode_prop
    -serialno_prop
    -shell_prop
    -system_boot_reason_prop
    -system_prop
    -system_radio_prop
    -test_boot_reason_prop
    -traced_enabled_prop
    -vendor_default_prop
    -vendor_security_patch_level_prop
    -vold_prop
    -wifi_log_prop
    -wifi_prop
  }:property_service set;
 ')