tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/property.te
Neil Fuller bbb00fa4cf Add new type for system settings metadata 
Add a new selinux type for a system property used to hold metadata about
the time zone setting system property. Although system settings are
world readable, the associated metadata only needs to be readable by the
system server (currently).

Bug: 236612872
Test: treehugger
Change-Id: Iac1bc3301a049534ea5f69edf27cd85443e6a92e
2022-09-27 16:06:57 +00:00

680 lines
13 KiB
Text
Raw Blame History

# Properties used only in /system
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
###
### Neverallow rules
###
treble_sysprop_neverallow(`
enforce_sysprop_owner(`
neverallow domain {
property_type
-system_property_type
-product_property_type
-vendor_property_type
}:file no_rw_file_perms;
')
neverallow { domain -coredomain } {
system_property_type
system_internal_property_type
-system_restricted_property_type
-system_public_property_type
}:file no_rw_file_perms;
neverallow { domain -coredomain } {
system_property_type
-system_public_property_type
}:property_service set;
# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } {
vendor_property_type
vendor_internal_property_type
-vendor_restricted_property_type
-vendor_public_property_type
}:file no_rw_file_perms;
neverallow { coredomain -init } {
vendor_property_type
-vendor_public_property_type
}:property_service set;
')
# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };
neverallow * {
core_property_type
-audio_prop
-config_prop
-cppreopt_prop
-dalvik_prop
-debuggerd_prop
-debug_prop
-dhcp_prop
-dumpstate_prop
-fingerprint_prop
-logd_prop
-net_radio_prop
-nfc_prop
-ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
-radio_prop
-restorecon_prop
-shell_prop
-system_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
neverallow {
domain
-init
-vendor_init
} ctl_sigstop_prop:property_service set;
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
ctl_bootanim_prop
ctl_bugreport_prop
ctl_console_prop
ctl_default_prop
ctl_dumpstate_prop
ctl_fuse_prop
ctl_mdnsd_prop
ctl_rildaemon_prop
}:property_service set;
neverallow {
domain
-init
-extra_free_kbytes
} init_storage_prop:property_service set;
neverallow {
domain
-init
} init_svc_debug_prop:property_service set;
neverallow {
domain
-init
-dumpstate
userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;
compatible_property_only(`
# Prevent properties from being set
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
extended_core_property_type
exported_config_prop
exported_default_prop
exported_dumpstate_prop
exported_system_prop
exported3_system_prop
usb_control_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
-vendor_init
} {
radio_control_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:property_service set;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:property_service set;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
-vendor_init
} {
exported_bluetooth_prop
}:property_service set;
neverallow {
domain
-coredomain
-hal_camera_server
-cameraserver
-vendor_init
} {
exported_camera_prop
}:property_service set;
neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:property_service set;
neverallow {
domain
-init
-dumpstate
-hal_wifi_server
-wificond
-vendor_init
} {
wifi_hal_prop
}:property_service set;
# Prevent properties from being read
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
dalvik_config_prop
extended_core_property_type
exported3_system_prop
systemsound_config_prop
-debug_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-vendor_init
} {
suspend_prop
}:property_service set;
')
compatible_property_only(`
# Neverallow coredomain to set vendor properties
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
} {
property_type
-system_property_type
-extended_core_property_type
}:property_service set;
')
neverallow {
domain
-coredomain
-vendor_init
} {
ffs_config_prop
ffs_control_prop
}:file no_rw_file_perms;
neverallow {
domain
-init
-system_server
} {
userspace_reboot_log_prop
}:property_service set;
neverallow {
# Only allow init and system_server to set system_adbd_prop
domain
-init
-system_server
} {
system_adbd_prop
}:property_service set;
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
domain
-init
-vendor_init
-adbd
-system_server
} {
adbd_config_prop
}:property_service set;
neverallow {
# Only allow init and adbd to set adbd_prop
domain
-init
-adbd
} {
adbd_prop
}:property_service set;
neverallow {
# Only allow init to set apexd_payload_metadata_prop
domain
-init
} {
apexd_payload_metadata_prop
}:property_service set;
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
domain
-init
-shell
} {
userspace_reboot_test_prop
}:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} {
surfaceflinger_color_prop
}:property_service set;
neverallow {
domain
-init
} {
libc_debug_prop
}:property_service set;
# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
neverallow {
domain
-init
-shell
-system_app
} {
arm64_memtag_prop
gwp_asan_prop
}:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
domain
-coredomain
-vendor_init
} {
usb_config_prop
usb_control_prop
}:property_service set;
neverallow {
domain
-init
-system_server
} {
provisioned_prop
retaildemo_prop
}:property_service set;
neverallow {
domain
-coredomain
-vendor_init
} {
provisioned_prop
retaildemo_prop
}:file no_rw_file_perms;
neverallow {
domain
-init
} {
init_service_status_private_prop
init_service_status_prop
}:property_service set;
neverallow {
domain
-init
-radio
-appdomain
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;
neverallow {
domain
-init
-vendor_init
} {
graphics_config_prop
}:property_service set;
neverallow {
domain
-init
-surfaceflinger
} {
surfaceflinger_display_prop
}:property_service set;
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
} {
localization_prop
}:property_service set;
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_app
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
-vendor_init
-dumpstate
-appdomain
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
-vendor_init
-dumpstate
-appdomain
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
domain
-init
-dumpstate
-hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
lower_kptr_restrict_prop
}:property_service set;
neverallow {
domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
domain
-init
} verity_status_prop:property_service set;
neverallow {
domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
domain
-init
} default_prop:property_service set;
# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
# Only init and the remote provisioner can set the ro.remote_provisioning.* props
domain
-init
-remote_prov_app
} remote_prov_prop:property_service set;
neverallow {
# Only allow init and shell to set rollback_test_prop
domain
-init
-shell
} rollback_test_prop:property_service set;
neverallow {
domain
-init
-apexd
} ctl_apex_load_prop:property_service set;
neverallow {
domain
-coredomain
-init
-dumpstate
-apexd
} ctl_apex_load_prop:file no_rw_file_perms;
neverallow {
domain
-init
-apexd
} apex_ready_prop:property_service set;
neverallow {
domain
-coredomain
-dumpstate
-apexd
-vendor_init
} apex_ready_prop:file no_rw_file_perms;
neverallow {
# Only allow init and profcollectd to access profcollectd_node_id_prop
domain
-init
-dumpstate
-profcollectd
} profcollectd_node_id_prop:file r_file_perms;
neverallow {
domain
-init
} log_file_logger_prop:property_service set;
Reference in a new issue View git blame Copy permalink