platform_system_sepolicy/microdroid/system/private/property.te

system_restricted_prop(boot_status_prop)

# Declare ART properties for CompOS
system_public_prop(dalvik_config_prop)
system_public_prop(dalvik_dynamic_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(non_existing_prop)

typeattribute dalvik_config_prop         dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;

# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
# in the audit log
dontaudit domain {
  ctl_console_prop
  ctl_default_prop
  ctl_fuse_prop
}:property_service set;

###
### Neverallow rules
###

# microdroid_manager_roothash_prop can only be set by microdroid_manager
# and read by apkdmverity
neverallow {
    domain
    -init
    -microdroid_manager
} microdroid_manager_roothash_prop:property_service set;

neverallow {
    domain
    -init
    -microdroid_manager
    -apkdmverity
} microdroid_manager_roothash_prop:file no_rw_file_perms;

# apexd_payload_metadata_prop can only set by init
neverallow {
  domain
  -init
} apexd_payload_metadata_prop:property_service set;

# Only microdroid_manager and init can set the microdroid_config_prop sysprops
neverallow {
    domain
    -init
    -microdroid_manager
} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;

neverallow {
    domain
    -init
    -microdroid_manager
} {microdroid_lifecycle_prop}:file no_rw_file_perms;

neverallow {
    domain
    -init
    -microdroid_manager
    -crash_dump
} {microdroid_config_prop}:file no_rw_file_perms;

neverallow {
    domain
    -init
} non_existing_prop:property_service set;