55e5c9b513
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
321 lines
6 KiB
Text
321 lines
6 KiB
Text
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
treble_sysprop_neverallow(`
|
|
|
|
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
|
|
# neverallow domain {
|
|
# property_type
|
|
# -system_property_type
|
|
# -product_property_type
|
|
# -vendor_property_type
|
|
# }:file no_rw_file_perms;
|
|
|
|
neverallow { domain -coredomain } {
|
|
system_property_type
|
|
system_internal_property_type
|
|
-system_restricted_property_type
|
|
-system_public_property_type
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow { domain -coredomain } {
|
|
system_property_type
|
|
-system_public_property_type
|
|
}:property_service set;
|
|
|
|
# init is in coredomain, but should be able to read/write all props.
|
|
# dumpstate is also in coredomain, but should be able to read all props.
|
|
neverallow { coredomain -init -dumpstate } {
|
|
vendor_property_type
|
|
vendor_internal_property_type
|
|
-vendor_restricted_property_type
|
|
-vendor_public_property_type
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow { coredomain -init } {
|
|
vendor_property_type
|
|
-vendor_public_property_type
|
|
}:property_service set;
|
|
|
|
')
|
|
|
|
# There is no need to perform ioctl or advisory locking operations on
|
|
# property files. If this neverallow is being triggered, it is
|
|
# likely that the policy is using r_file_perms directly instead of
|
|
# the get_prop() macro.
|
|
neverallow domain property_type:file { ioctl lock };
|
|
|
|
neverallow * {
|
|
core_property_type
|
|
-audio_prop
|
|
-config_prop
|
|
-cppreopt_prop
|
|
-dalvik_prop
|
|
-debuggerd_prop
|
|
-debug_prop
|
|
-default_prop
|
|
-dhcp_prop
|
|
-dumpstate_prop
|
|
-ffs_prop
|
|
-fingerprint_prop
|
|
-logd_prop
|
|
-net_radio_prop
|
|
-nfc_prop
|
|
-ota_prop
|
|
-pan_result_prop
|
|
-persist_debug_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
-restorecon_prop
|
|
-shell_prop
|
|
-system_prop
|
|
-system_radio_prop
|
|
-vold_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
# sigstop property is only used for debugging; should only be set by su which is permissive
|
|
# for userdebug/eng
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
} ctl_sigstop_prop:property_service set;
|
|
|
|
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
|
# in the audit log
|
|
dontaudit domain {
|
|
ctl_bootanim_prop
|
|
ctl_bugreport_prop
|
|
ctl_console_prop
|
|
ctl_default_prop
|
|
ctl_dumpstate_prop
|
|
ctl_fuse_prop
|
|
ctl_mdnsd_prop
|
|
ctl_rildaemon_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
} init_svc_debug_prop:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-dumpstate
|
|
userdebug_or_eng(`-su')
|
|
} init_svc_debug_prop:file no_rw_file_perms;
|
|
|
|
compatible_property_only(`
|
|
# Prevent properties from being set
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_init
|
|
} {
|
|
core_property_type
|
|
extended_core_property_type
|
|
exported_config_prop
|
|
exported_dalvik_prop
|
|
exported_default_prop
|
|
exported_dumpstate_prop
|
|
exported_ffs_prop
|
|
exported_fingerprint_prop
|
|
exported_system_prop
|
|
exported_system_radio_prop
|
|
exported_vold_prop
|
|
exported2_config_prop
|
|
exported2_default_prop
|
|
exported2_system_prop
|
|
exported2_vold_prop
|
|
exported3_default_prop
|
|
exported3_system_prop
|
|
-nfc_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_nfc_server
|
|
} {
|
|
nfc_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
-vendor_init
|
|
} {
|
|
exported_radio_prop
|
|
exported3_radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
} {
|
|
exported2_radio_prop
|
|
radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
} {
|
|
bluetooth_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
-vendor_init
|
|
} {
|
|
exported_bluetooth_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_camera_server
|
|
-cameraserver
|
|
-vendor_init
|
|
} {
|
|
exported_camera_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
} {
|
|
wifi_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
-vendor_init
|
|
} {
|
|
exported_wifi_prop
|
|
}:property_service set;
|
|
|
|
# Prevent properties from being read
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_init
|
|
} {
|
|
core_property_type
|
|
extended_core_property_type
|
|
exported_dalvik_prop
|
|
exported_ffs_prop
|
|
exported_system_radio_prop
|
|
exported2_config_prop
|
|
exported2_system_prop
|
|
exported2_vold_prop
|
|
exported3_default_prop
|
|
exported3_system_prop
|
|
-debug_prop
|
|
-logd_prop
|
|
-nfc_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_nfc_server
|
|
} {
|
|
nfc_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
} {
|
|
radio_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
} {
|
|
bluetooth_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
} {
|
|
wifi_prop
|
|
}:file no_rw_file_perms;
|
|
')
|
|
|
|
compatible_property_only(`
|
|
# Neverallow coredomain to set vendor properties
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-system_writes_vendor_properties_violators
|
|
} {
|
|
property_type
|
|
-system_property_type
|
|
-extended_core_property_type
|
|
}:property_service set;
|
|
')
|
|
|
|
neverallow {
|
|
-init
|
|
-system_server
|
|
} {
|
|
userspace_reboot_log_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
# Only allow init and system_server to set system_adbd_prop
|
|
-init
|
|
-system_server
|
|
} {
|
|
system_adbd_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
# Only allow init and adbd to set adbd_prop
|
|
-init
|
|
-adbd
|
|
} {
|
|
adbd_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
# Only allow init and shell to set userspace_reboot_test_prop
|
|
-init
|
|
-shell
|
|
} {
|
|
userspace_reboot_test_prop
|
|
}:property_service set;
|