28dd9a1d53
These neverallow rules are to prevent properties from crossing treble boundary. As attributes like internal / restricted / public has been landed, the neverallow rules are changed to use attributes to avoid endless manual maintaining of the list. Bug: 148181222 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0ba930f6c78852e785858fb069faf4f984643e34
565 lines
16 KiB
Text
565 lines
16 KiB
Text
# Properties used only in /system
|
|
system_internal_prop(apexd_prop)
|
|
system_internal_prop(bootloader_boot_reason_prop)
|
|
system_internal_prop(device_config_activity_manager_native_boot_prop)
|
|
system_internal_prop(device_config_boot_count_prop)
|
|
system_internal_prop(device_config_input_native_boot_prop)
|
|
system_internal_prop(device_config_media_native_prop)
|
|
system_internal_prop(device_config_netd_native_prop)
|
|
system_internal_prop(device_config_reset_performed_prop)
|
|
system_internal_prop(device_config_runtime_native_boot_prop)
|
|
system_internal_prop(device_config_runtime_native_prop)
|
|
system_internal_prop(device_config_storage_native_boot_prop)
|
|
system_internal_prop(device_config_sys_traced_prop)
|
|
system_internal_prop(device_config_window_manager_native_boot_prop)
|
|
system_internal_prop(firstboot_prop)
|
|
system_internal_prop(gsid_prop)
|
|
system_internal_prop(init_perf_lsm_hooks_prop)
|
|
system_internal_prop(init_svc_debug_prop)
|
|
system_internal_prop(last_boot_reason_prop)
|
|
system_internal_prop(netd_stable_secret_prop)
|
|
system_internal_prop(pm_prop)
|
|
system_internal_prop(userspace_reboot_prop)
|
|
|
|
compatible_property_only(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
system_internal_prop(boottime_prop)
|
|
system_internal_prop(bpf_progs_loaded_prop)
|
|
system_internal_prop(charger_prop)
|
|
system_internal_prop(cold_boot_done_prop)
|
|
system_internal_prop(ctl_adbd_prop)
|
|
system_internal_prop(ctl_apexd_prop)
|
|
system_internal_prop(ctl_bootanim_prop)
|
|
system_internal_prop(ctl_bugreport_prop)
|
|
system_internal_prop(ctl_console_prop)
|
|
system_internal_prop(ctl_dumpstate_prop)
|
|
system_internal_prop(ctl_fuse_prop)
|
|
system_internal_prop(ctl_gsid_prop)
|
|
system_internal_prop(ctl_interface_restart_prop)
|
|
system_internal_prop(ctl_interface_stop_prop)
|
|
system_internal_prop(ctl_mdnsd_prop)
|
|
system_internal_prop(ctl_restart_prop)
|
|
system_internal_prop(ctl_rildaemon_prop)
|
|
system_internal_prop(ctl_sigstop_prop)
|
|
system_internal_prop(dynamic_system_prop)
|
|
system_internal_prop(heapprofd_enabled_prop)
|
|
system_internal_prop(llkd_prop)
|
|
system_internal_prop(lpdumpd_prop)
|
|
system_internal_prop(mmc_prop)
|
|
system_internal_prop(mock_ota_prop)
|
|
system_internal_prop(net_dns_prop)
|
|
system_internal_prop(overlay_prop)
|
|
system_internal_prop(persistent_properties_ready_prop)
|
|
system_internal_prop(safemode_prop)
|
|
system_internal_prop(system_lmk_prop)
|
|
system_internal_prop(system_trace_prop)
|
|
system_internal_prop(test_boot_reason_prop)
|
|
system_internal_prop(time_prop)
|
|
system_internal_prop(traced_enabled_prop)
|
|
system_internal_prop(traced_lazy_prop)
|
|
system_internal_prop(virtual_ab_prop)
|
|
')
|
|
|
|
# Properties which can't be written outside system
|
|
|
|
# Properties used by binder caches
|
|
system_restricted_prop(binder_cache_bluetooth_server_prop)
|
|
system_restricted_prop(binder_cache_system_server_prop)
|
|
system_restricted_prop(linker_prop)
|
|
system_restricted_prop(module_sdkextensions_prop)
|
|
system_restricted_prop(nnapi_ext_deny_product_prop)
|
|
system_restricted_prop(restorecon_prop)
|
|
system_restricted_prop(system_boot_reason_prop)
|
|
system_restricted_prop(system_jvmti_agent_prop)
|
|
system_restricted_prop(userspace_reboot_exported_prop)
|
|
|
|
compatible_property_only(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
system_restricted_prop(config_prop)
|
|
system_restricted_prop(cppreopt_prop)
|
|
system_restricted_prop(dalvik_prop)
|
|
system_restricted_prop(debuggerd_prop)
|
|
system_restricted_prop(default_prop)
|
|
system_restricted_prop(device_logging_prop)
|
|
system_restricted_prop(dhcp_prop)
|
|
system_restricted_prop(dumpstate_prop)
|
|
system_restricted_prop(exported2_default_prop)
|
|
system_restricted_prop(exported3_system_prop)
|
|
system_restricted_prop(exported_dumpstate_prop)
|
|
system_restricted_prop(exported_fingerprint_prop)
|
|
system_restricted_prop(exported_secure_prop)
|
|
system_restricted_prop(exported_vold_prop)
|
|
system_restricted_prop(ffs_prop)
|
|
system_restricted_prop(fingerprint_prop)
|
|
system_restricted_prop(heapprofd_prop)
|
|
system_restricted_prop(net_radio_prop)
|
|
system_restricted_prop(pan_result_prop)
|
|
system_restricted_prop(persist_debug_prop)
|
|
system_restricted_prop(shell_prop)
|
|
system_restricted_prop(system_radio_prop)
|
|
system_restricted_prop(test_harness_prop)
|
|
system_restricted_prop(theme_prop)
|
|
system_restricted_prop(use_memfd_prop)
|
|
system_restricted_prop(vold_prop)
|
|
')
|
|
|
|
# Properties with no restrictions
|
|
system_public_prop(audio_prop)
|
|
system_public_prop(apk_verity_prop)
|
|
system_public_prop(bluetooth_a2dp_offload_prop)
|
|
system_public_prop(bluetooth_audio_hal_prop)
|
|
system_public_prop(bluetooth_prop)
|
|
system_public_prop(cpu_variant_prop)
|
|
system_public_prop(ctl_default_prop)
|
|
system_public_prop(ctl_interface_start_prop)
|
|
system_public_prop(ctl_start_prop)
|
|
system_public_prop(ctl_stop_prop)
|
|
system_public_prop(debug_prop)
|
|
system_public_prop(dumpstate_options_prop)
|
|
system_public_prop(exported_system_prop)
|
|
system_public_prop(exported2_config_prop)
|
|
system_public_prop(exported2_radio_prop)
|
|
system_public_prop(exported2_system_prop)
|
|
system_public_prop(exported2_vold_prop)
|
|
system_public_prop(exported3_default_prop)
|
|
system_public_prop(exported3_radio_prop)
|
|
system_public_prop(exported_audio_prop)
|
|
system_public_prop(exported_bluetooth_prop)
|
|
system_public_prop(exported_camera_prop)
|
|
system_public_prop(exported_config_prop)
|
|
system_public_prop(exported_dalvik_prop)
|
|
system_public_prop(exported_default_prop)
|
|
system_public_prop(exported_ffs_prop)
|
|
system_public_prop(exported_overlay_prop)
|
|
system_public_prop(exported_pm_prop)
|
|
system_public_prop(exported_radio_prop)
|
|
system_public_prop(exported_system_radio_prop)
|
|
system_public_prop(exported_wifi_prop)
|
|
system_public_prop(sota_prop)
|
|
system_public_prop(hwservicemanager_prop)
|
|
system_public_prop(logd_prop)
|
|
system_public_prop(logpersistd_logging_prop)
|
|
system_public_prop(log_prop)
|
|
system_public_prop(log_tag_prop)
|
|
system_public_prop(lowpan_prop)
|
|
system_public_prop(nfc_prop)
|
|
system_public_prop(ota_prop)
|
|
system_public_prop(powerctl_prop)
|
|
system_public_prop(radio_prop)
|
|
system_public_prop(serialno_prop)
|
|
system_public_prop(system_prop)
|
|
system_public_prop(userspace_reboot_config_prop)
|
|
system_public_prop(vehicle_hal_prop)
|
|
system_public_prop(vendor_security_patch_level_prop)
|
|
system_public_prop(vndk_prop)
|
|
system_public_prop(wifi_log_prop)
|
|
system_public_prop(wifi_prop)
|
|
|
|
# Properties used in default HAL implementations
|
|
vendor_internal_prop(rebootescrow_hal_prop)
|
|
|
|
# Properties which are public for devices launching with Android O or earlier
|
|
# This should not be used for any new properties.
|
|
not_compatible_property(`
|
|
# DO NOT ADD ANY PROPERTIES HERE
|
|
system_public_prop(boottime_prop)
|
|
system_public_prop(bpf_progs_loaded_prop)
|
|
system_public_prop(charger_prop)
|
|
system_public_prop(cold_boot_done_prop)
|
|
system_public_prop(ctl_adbd_prop)
|
|
system_public_prop(ctl_apexd_prop)
|
|
system_public_prop(ctl_bootanim_prop)
|
|
system_public_prop(ctl_bugreport_prop)
|
|
system_public_prop(ctl_console_prop)
|
|
system_public_prop(ctl_dumpstate_prop)
|
|
system_public_prop(ctl_fuse_prop)
|
|
system_public_prop(ctl_gsid_prop)
|
|
system_public_prop(ctl_interface_restart_prop)
|
|
system_public_prop(ctl_interface_stop_prop)
|
|
system_public_prop(ctl_mdnsd_prop)
|
|
system_public_prop(ctl_restart_prop)
|
|
system_public_prop(ctl_rildaemon_prop)
|
|
system_public_prop(ctl_sigstop_prop)
|
|
system_public_prop(dynamic_system_prop)
|
|
system_public_prop(heapprofd_enabled_prop)
|
|
system_public_prop(llkd_prop)
|
|
system_public_prop(lpdumpd_prop)
|
|
system_public_prop(mmc_prop)
|
|
system_public_prop(mock_ota_prop)
|
|
system_public_prop(net_dns_prop)
|
|
system_public_prop(overlay_prop)
|
|
system_public_prop(persistent_properties_ready_prop)
|
|
system_public_prop(safemode_prop)
|
|
system_public_prop(system_lmk_prop)
|
|
system_public_prop(system_trace_prop)
|
|
system_public_prop(test_boot_reason_prop)
|
|
system_public_prop(time_prop)
|
|
system_public_prop(traced_enabled_prop)
|
|
system_public_prop(traced_lazy_prop)
|
|
system_public_prop(virtual_ab_prop)
|
|
|
|
system_public_prop(config_prop)
|
|
system_public_prop(cppreopt_prop)
|
|
system_public_prop(dalvik_prop)
|
|
system_public_prop(debuggerd_prop)
|
|
system_public_prop(default_prop)
|
|
system_public_prop(device_logging_prop)
|
|
system_public_prop(dhcp_prop)
|
|
system_public_prop(dumpstate_prop)
|
|
system_public_prop(exported2_default_prop)
|
|
system_public_prop(exported3_system_prop)
|
|
system_public_prop(exported_dumpstate_prop)
|
|
system_public_prop(exported_fingerprint_prop)
|
|
system_public_prop(exported_secure_prop)
|
|
system_public_prop(exported_vold_prop)
|
|
system_public_prop(ffs_prop)
|
|
system_public_prop(fingerprint_prop)
|
|
system_public_prop(heapprofd_prop)
|
|
system_public_prop(net_radio_prop)
|
|
system_public_prop(pan_result_prop)
|
|
system_public_prop(persist_debug_prop)
|
|
system_public_prop(shell_prop)
|
|
system_public_prop(system_radio_prop)
|
|
system_public_prop(test_harness_prop)
|
|
system_public_prop(theme_prop)
|
|
system_public_prop(use_memfd_prop)
|
|
system_public_prop(vold_prop)
|
|
')
|
|
|
|
type vendor_default_prop, property_type;
|
|
|
|
typeattribute log_prop log_property_type;
|
|
typeattribute log_tag_prop log_property_type;
|
|
typeattribute wifi_log_prop log_property_type;
|
|
|
|
allow property_type tmpfs:filesystem associate;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
treble_sysprop_neverallow(`
|
|
|
|
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
|
|
# neverallow domain {
|
|
# property_type
|
|
# -system_property_type
|
|
# -product_property_type
|
|
# -vendor_property_type
|
|
# }:file no_rw_file_perms;
|
|
|
|
neverallow { domain -coredomain } {
|
|
system_property_type
|
|
system_internal_property_type
|
|
-system_restricted_property_type
|
|
-system_public_property_type
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow { domain -coredomain } {
|
|
system_property_type
|
|
-system_public_property_type
|
|
}:property_service set;
|
|
|
|
# init is in coredomain, but should be able to read/write all props.
|
|
# dumpstate is also in coredomain, but should be able to read all props.
|
|
neverallow { coredomain -init -dumpstate } {
|
|
vendor_property_type
|
|
vendor_internal_property_type
|
|
-vendor_restricted_property_type
|
|
-vendor_public_property_type
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow { coredomain -init } {
|
|
vendor_property_type
|
|
-vendor_public_property_type
|
|
}:property_service set;
|
|
|
|
')
|
|
|
|
# There is no need to perform ioctl or advisory locking operations on
|
|
# property files. If this neverallow is being triggered, it is
|
|
# likely that the policy is using r_file_perms directly instead of
|
|
# the get_prop() macro.
|
|
neverallow domain property_type:file { ioctl lock };
|
|
|
|
# core_property_type should not be used for new properties or
|
|
# device specific properties. Properties with this attribute
|
|
# are readable to everyone, which is overly broad and should
|
|
# be avoided.
|
|
# New properties should have appropriate read / write access
|
|
# control rules written.
|
|
|
|
typeattribute audio_prop core_property_type;
|
|
typeattribute config_prop core_property_type;
|
|
typeattribute cppreopt_prop core_property_type;
|
|
typeattribute dalvik_prop core_property_type;
|
|
typeattribute debuggerd_prop core_property_type;
|
|
typeattribute debug_prop core_property_type;
|
|
typeattribute default_prop core_property_type;
|
|
typeattribute dhcp_prop core_property_type;
|
|
typeattribute dumpstate_prop core_property_type;
|
|
typeattribute ffs_prop core_property_type;
|
|
typeattribute fingerprint_prop core_property_type;
|
|
typeattribute logd_prop core_property_type;
|
|
typeattribute net_radio_prop core_property_type;
|
|
typeattribute nfc_prop core_property_type;
|
|
typeattribute ota_prop core_property_type;
|
|
typeattribute pan_result_prop core_property_type;
|
|
typeattribute persist_debug_prop core_property_type;
|
|
typeattribute powerctl_prop core_property_type;
|
|
typeattribute radio_prop core_property_type;
|
|
typeattribute restorecon_prop core_property_type;
|
|
typeattribute shell_prop core_property_type;
|
|
typeattribute system_prop core_property_type;
|
|
typeattribute system_radio_prop core_property_type;
|
|
typeattribute vold_prop core_property_type;
|
|
|
|
neverallow * {
|
|
core_property_type
|
|
-audio_prop
|
|
-config_prop
|
|
-cppreopt_prop
|
|
-dalvik_prop
|
|
-debuggerd_prop
|
|
-debug_prop
|
|
-default_prop
|
|
-dhcp_prop
|
|
-dumpstate_prop
|
|
-ffs_prop
|
|
-fingerprint_prop
|
|
-logd_prop
|
|
-net_radio_prop
|
|
-nfc_prop
|
|
-ota_prop
|
|
-pan_result_prop
|
|
-persist_debug_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
-restorecon_prop
|
|
-shell_prop
|
|
-system_prop
|
|
-system_radio_prop
|
|
-vold_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
# sigstop property is only used for debugging; should only be set by su which is permissive
|
|
# for userdebug/eng
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
} ctl_sigstop_prop:property_service set;
|
|
|
|
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
|
# in the audit log
|
|
dontaudit domain {
|
|
ctl_bootanim_prop
|
|
ctl_bugreport_prop
|
|
ctl_console_prop
|
|
ctl_default_prop
|
|
ctl_dumpstate_prop
|
|
ctl_fuse_prop
|
|
ctl_mdnsd_prop
|
|
ctl_rildaemon_prop
|
|
}:property_service set;
|
|
|
|
# Do now allow to modify linker properties except shell and init
|
|
neverallow {
|
|
domain
|
|
-init
|
|
userdebug_or_eng(`-shell')
|
|
} linker_prop:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
} init_svc_debug_prop:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-dumpstate
|
|
userdebug_or_eng(`-su')
|
|
} init_svc_debug_prop:file no_rw_file_perms;
|
|
|
|
compatible_property_only(`
|
|
# Prevent properties from being set
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_init
|
|
} {
|
|
core_property_type
|
|
extended_core_property_type
|
|
exported_config_prop
|
|
exported_dalvik_prop
|
|
exported_default_prop
|
|
exported_dumpstate_prop
|
|
exported_ffs_prop
|
|
exported_fingerprint_prop
|
|
exported_system_prop
|
|
exported_system_radio_prop
|
|
exported_vold_prop
|
|
exported2_config_prop
|
|
exported2_default_prop
|
|
exported2_system_prop
|
|
exported2_vold_prop
|
|
exported3_default_prop
|
|
exported3_system_prop
|
|
-nfc_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_nfc_server
|
|
} {
|
|
nfc_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
-vendor_init
|
|
} {
|
|
exported_radio_prop
|
|
exported3_radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
} {
|
|
exported2_radio_prop
|
|
radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
} {
|
|
bluetooth_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
-vendor_init
|
|
} {
|
|
exported_bluetooth_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_camera_server
|
|
-cameraserver
|
|
-vendor_init
|
|
} {
|
|
exported_camera_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
} {
|
|
wifi_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
-vendor_init
|
|
} {
|
|
exported_wifi_prop
|
|
}:property_service set;
|
|
|
|
# Prevent properties from being read
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_init
|
|
} {
|
|
core_property_type
|
|
extended_core_property_type
|
|
exported_dalvik_prop
|
|
exported_ffs_prop
|
|
exported_system_radio_prop
|
|
exported2_config_prop
|
|
exported2_system_prop
|
|
exported2_vold_prop
|
|
exported3_default_prop
|
|
exported3_system_prop
|
|
-debug_prop
|
|
-logd_prop
|
|
-nfc_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_nfc_server
|
|
} {
|
|
nfc_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
} {
|
|
radio_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
} {
|
|
bluetooth_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
} {
|
|
wifi_prop
|
|
}:file no_rw_file_perms;
|
|
')
|
|
|
|
compatible_property_only(`
|
|
# Neverallow coredomain to set vendor properties
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-system_writes_vendor_properties_violators
|
|
} {
|
|
property_type
|
|
-system_property_type
|
|
-extended_core_property_type
|
|
}:property_service set;
|
|
')
|