# Properties used only in /system system_internal_prop(adbd_prop) system_internal_prop(device_config_storage_native_boot_prop) system_internal_prop(device_config_sys_traced_prop) system_internal_prop(device_config_window_manager_native_boot_prop) system_internal_prop(device_config_configuration_prop) system_internal_prop(fastbootd_protocol_prop) system_internal_prop(gsid_prop) system_internal_prop(init_perf_lsm_hooks_prop) system_internal_prop(init_service_status_private_prop) system_internal_prop(init_svc_debug_prop) system_internal_prop(last_boot_reason_prop) system_internal_prop(localization_prop) system_internal_prop(netd_stable_secret_prop) system_internal_prop(pm_prop) system_internal_prop(system_adbd_prop) system_internal_prop(traced_perf_enabled_prop) system_internal_prop(userspace_reboot_log_prop) system_internal_prop(userspace_reboot_test_prop) ### ### Neverallow rules ### treble_sysprop_neverallow(` # TODO(b/131162102): uncomment these after assigning ownership attributes to all properties # neverallow domain { # property_type # -system_property_type # -product_property_type # -vendor_property_type # }:file no_rw_file_perms; neverallow { domain -coredomain } { system_property_type system_internal_property_type -system_restricted_property_type -system_public_property_type }:file no_rw_file_perms; neverallow { domain -coredomain } { system_property_type -system_public_property_type }:property_service set; # init is in coredomain, but should be able to read/write all props. # dumpstate is also in coredomain, but should be able to read all props. neverallow { coredomain -init -dumpstate } { vendor_property_type vendor_internal_property_type -vendor_restricted_property_type -vendor_public_property_type }:file no_rw_file_perms; neverallow { coredomain -init } { vendor_property_type -vendor_public_property_type }:property_service set; ') # There is no need to perform ioctl or advisory locking operations on # property files. If this neverallow is being triggered, it is # likely that the policy is using r_file_perms directly instead of # the get_prop() macro. neverallow domain property_type:file { ioctl lock }; neverallow * { core_property_type -audio_prop -config_prop -cppreopt_prop -dalvik_prop -debuggerd_prop -debug_prop -default_prop -dhcp_prop -dumpstate_prop -fingerprint_prop -logd_prop -net_radio_prop -nfc_prop -ota_prop -pan_result_prop -persist_debug_prop -powerctl_prop -radio_prop -restorecon_prop -shell_prop -system_prop -usb_prop -vold_prop }:file no_rw_file_perms; # sigstop property is only used for debugging; should only be set by su which is permissive # for userdebug/eng neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set; # Don't audit legacy ctl. property handling. We only want the newer permission check to appear # in the audit log dontaudit domain { ctl_bootanim_prop ctl_bugreport_prop ctl_console_prop ctl_default_prop ctl_dumpstate_prop ctl_fuse_prop ctl_mdnsd_prop ctl_rildaemon_prop }:property_service set; neverallow { domain -init } init_svc_debug_prop:property_service set; neverallow { domain -init -dumpstate userdebug_or_eng(`-su') } init_svc_debug_prop:file no_rw_file_perms; compatible_property_only(` # Prevent properties from being set neverallow { domain -coredomain -appdomain -vendor_init } { core_property_type extended_core_property_type exported_config_prop exported_default_prop exported_dumpstate_prop exported_system_prop exported2_default_prop exported2_system_prop exported3_default_prop exported3_system_prop usb_control_prop -nfc_prop -powerctl_prop -radio_prop }:property_service set; neverallow { domain -coredomain -appdomain -hal_nfc_server } { nfc_prop }:property_service set; neverallow { domain -coredomain -appdomain -hal_telephony_server -vendor_init } { exported3_radio_prop }:property_service set; neverallow { domain -coredomain -appdomain -hal_telephony_server } { radio_prop }:property_service set; neverallow { domain -coredomain -bluetooth -hal_bluetooth_server } { bluetooth_prop }:property_service set; neverallow { domain -coredomain -bluetooth -hal_bluetooth_server -vendor_init } { exported_bluetooth_prop }:property_service set; neverallow { domain -coredomain -hal_camera_server -cameraserver -vendor_init } { exported_camera_prop }:property_service set; neverallow { domain -coredomain -hal_wifi_server -wificond } { wifi_prop }:property_service set; neverallow { domain -init -dumpstate -hal_wifi_server -wificond -vendor_init } { wifi_hal_prop }:property_service set; # Prevent properties from being read neverallow { domain -coredomain -appdomain -vendor_init } { core_property_type dalvik_config_prop extended_core_property_type exported2_system_prop exported3_default_prop exported3_system_prop systemsound_config_prop -debug_prop -logd_prop -nfc_prop -powerctl_prop -radio_prop }:file no_rw_file_perms; neverallow { domain -coredomain -appdomain -hal_nfc_server } { nfc_prop }:file no_rw_file_perms; neverallow { domain -coredomain -appdomain -hal_telephony_server } { radio_prop }:file no_rw_file_perms; neverallow { domain -coredomain -bluetooth -hal_bluetooth_server } { bluetooth_prop }:file no_rw_file_perms; neverallow { domain -coredomain -hal_wifi_server -wificond } { wifi_prop }:file no_rw_file_perms; ') compatible_property_only(` # Neverallow coredomain to set vendor properties neverallow { coredomain -init -system_writes_vendor_properties_violators } { property_type -system_property_type -extended_core_property_type }:property_service set; ') neverallow { -coredomain -vendor_init } { ffs_config_prop ffs_control_prop }:file no_rw_file_perms; neverallow { -init -system_server } { userspace_reboot_log_prop }:property_service set; neverallow { # Only allow init and system_server to set system_adbd_prop -init -system_server } { system_adbd_prop }:property_service set; neverallow { # Only allow init and adbd to set adbd_prop -init -adbd } { adbd_prop }:property_service set; neverallow { # Only allow init and shell to set userspace_reboot_test_prop -init -shell } { userspace_reboot_test_prop }:property_service set; neverallow { -init -system_server -vendor_init } { surfaceflinger_color_prop }:property_service set; neverallow { -init } { libc_debug_prop }:property_service set; neverallow { -init -system_server -vendor_init } zram_control_prop:property_service set; neverallow { -init -system_server -vendor_init } dalvik_runtime_prop:property_service set; neverallow { -coredomain -vendor_init } { usb_config_prop usb_control_prop }:property_service set; neverallow { -init -system_server } { provisioned_prop retaildemo_prop }:property_service set; neverallow { -coredomain -vendor_init } { provisioned_prop retaildemo_prop }:file no_rw_file_perms; neverallow { -init } { init_service_status_private_prop init_service_status_prop }:property_service set; neverallow { -init -radio -appdomain -hal_telephony_server not_compatible_property(`-vendor_init') } telephony_status_prop:property_service set; neverallow { -init -vendor_init } { graphics_config_prop }:property_service set; neverallow { -coredomain -appdomain -vendor_init } packagemanager_config_prop:file no_rw_file_perms; neverallow { -coredomain -vendor_init } keyguard_config_prop:file no_rw_file_perms; neverallow { -init } { localization_prop }:property_service set; neverallow { -init -vendor_init -dumpstate -system_app } oem_unlock_prop:file no_rw_file_perms; neverallow { -coredomain -vendor_init } storagemanager_config_prop:file no_rw_file_perms; neverallow { -init -vendor_init -dumpstate -appdomain } sendbug_config_prop:file no_rw_file_perms;