684d25b75a
hal_dumpstate gets optimized away by the policy compiler, causing a CTS failure:

neverallow { -init -dumpstate -hal_dumpstate -vendor_init } hal_dumpstate_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
Warning! Type or attribute hal_dumpstate used in neverallow undefined in policy being checked

Fixes: 166168257
Test: build policy
Change-Id: Ia7437b8297794502d496e9bd9998dddfdcb747ef
# Properties used only in /system
#
# Each property type below is declared through the system_internal_prop()
# macro. Judging by the treble_sysprop_neverallow block further down, that
# macro presumably tags the type with system_internal_property_type, so
# non-coredomain (vendor) processes can never be granted read/write access to
# it -- confirm against the macro definition before relying on this.
system_internal_prop(adbd_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)

###
### Neverallow rules
###
#
# neverallow rules are assertions, not grants: the policy build fails if any
# allow rule in the compiled policy matches one of them, and CTS re-checks
# them against the policy shipped on the device. Every type or attribute named
# in a neverallow must therefore still exist in the final policy; an attribute
# with no types assigned to it is optimized away by the compiler and the CTS
# check then reports it as undefined (see b/166168257 and the last rule in
# this file).

treble_sysprop_neverallow(`
# NOTE(review): the rules inside this macro presumably apply only to builds
# where Treble system-property neverallows are enabled -- confirm in the
# macro definition.

# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
# neverallow domain {
# property_type
# -system_property_type
# -product_property_type
# -vendor_property_type
# }:file no_rw_file_perms;

# Non-core (vendor) domains may not read or write system properties. The only
# system properties they can be granted file access to are the ones carved
# out here: system_restricted_ and system_public_ property types.
neverallow { domain -coredomain } {
system_property_type
system_internal_property_type
-system_restricted_property_type
-system_public_property_type
}:file no_rw_file_perms;

# Non-core (vendor) domains may set only system_public properties.
neverallow { domain -coredomain } {
system_property_type
-system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
# Mirror of the two rules above for the vendor side: coredomain may only be
# granted file access to vendor_restricted_/vendor_public_ properties, and may
# only set vendor_public ones.
neverallow { coredomain -init -dumpstate } {
vendor_property_type
vendor_internal_property_type
-vendor_restricted_property_type
-vendor_public_property_type
}:file no_rw_file_perms;

neverallow { coredomain -init } {
vendor_property_type
-vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# No source type at all ('*') may be granted file access to a property that
# carries the bare core_property_type attribute; only the specific sub-types
# listed here may ever be allowed. The list is closed on purpose: a new core
# property type cannot be read or written by anything until it is added here.
neverallow * {
core_property_type
-audio_prop
-config_prop
-cppreopt_prop
-dalvik_prop
-debuggerd_prop
-debug_prop
-default_prop
-dhcp_prop
-dumpstate_prop
-fingerprint_prop
-logd_prop
-net_radio_prop
-nfc_prop
-ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
-radio_prop
-restorecon_prop
-shell_prop
-system_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
neverallow {
domain
-init
-vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
dontaudit domain {
ctl_bootanim_prop
ctl_bugreport_prop
ctl_console_prop
ctl_default_prop
ctl_dumpstate_prop
ctl_fuse_prop
ctl_mdnsd_prop
ctl_rildaemon_prop
}:property_service set;

# Only init may set init_svc_debug_prop.
neverallow {
domain
-init
} init_svc_debug_prop:property_service set;

# Only init and dumpstate may read init_svc_debug_prop; on userdebug/eng
# builds su is exempted as well (the userdebug_or_eng() macro expands to
# nothing on user builds, so su stays covered there).
neverallow {
domain
-init
-dumpstate
userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# NOTE(review): the two compatible_property_only() blocks below presumably
# apply only when the build uses the compatible-property scheme -- confirm in
# the macro definition.
compatible_property_only(`
# Prevent properties from being set
# Vendor domains (everything outside coredomain, apps and vendor_init) may not
# set core properties; nfc_prop, powerctl_prop and radio_prop are excluded
# here because they get their own, narrower rules right after this one.
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
extended_core_property_type
exported_config_prop
exported_default_prop
exported_dumpstate_prop
exported_system_prop
exported3_system_prop
usb_control_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:property_service set;

# Per-subsystem carve-outs: for each property type, the vendor-side HAL server
# named in the rule is the only non-core domain that may set it.
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:property_service set;

neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
-vendor_init
} {
radio_control_prop
}:property_service set;

neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:property_service set;

neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:property_service set;

neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
-vendor_init
} {
exported_bluetooth_prop
}:property_service set;

neverallow {
domain
-coredomain
-hal_camera_server
-cameraserver
-vendor_init
} {
exported_camera_prop
}:property_service set;

neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:property_service set;

# Unlike the rules above, this one is not scoped to -coredomain: only the
# listed domains may set wifi_hal_prop, whether they are core or vendor.
neverallow {
domain
-init
-dumpstate
-hal_wifi_server
-wificond
-vendor_init
} {
wifi_hal_prop
}:property_service set;

# Prevent properties from being read
# Same structure as the "set" rules above, but for file (read/write) access:
# a blanket rule for core properties with the subsystem-specific types
# excluded, followed by one rule per subsystem naming its HAL server.
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
dalvik_config_prop
extended_core_property_type
exported3_system_prop
systemsound_config_prop
-debug_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;

neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:file no_rw_file_perms;

neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:file no_rw_file_perms;

neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:file no_rw_file_perms;

neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:file no_rw_file_perms;
')

compatible_property_only(`
# Neverallow coredomain to set vendor properties
# "Vendor properties" here means every property type that is neither a
# system_property_type nor an extended_core_property_type. init is exempt;
# system_writes_vendor_properties_violators is presumably the attribute that
# grandfathers known offenders -- confirm where it is assigned.
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
} {
property_type
-system_property_type
-extended_core_property_type
}:property_service set;
')

# The rules from here on write the source set with negated members only
# ({ -a -b }); such a set matches every type except the ones listed, so each
# rule reads as "nobody but the named domains may <set|read> this property".

# Only coredomain and vendor_init may read the USB FunctionFS properties.
neverallow {
-coredomain
-vendor_init
} {
ffs_config_prop
ffs_control_prop
}:file no_rw_file_perms;

# Only init and system_server may set userspace_reboot_log_prop.
neverallow {
-init
-system_server
} {
userspace_reboot_log_prop
}:property_service set;

neverallow {
# Only allow init and system_server to set system_adbd_prop
-init
-system_server
} {
system_adbd_prop
}:property_service set;

neverallow {
# Only allow init and adbd to set adbd_prop
-init
-adbd
} {
adbd_prop
}:property_service set;

neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
-init
-shell
} {
userspace_reboot_test_prop
}:property_service set;

# Only init, system_server and vendor_init may set surfaceflinger_color_prop.
neverallow {
-init
-system_server
-vendor_init
} {
surfaceflinger_color_prop
}:property_service set;

# Only init may set libc_debug_prop.
neverallow {
-init
} {
libc_debug_prop
}:property_service set;

# Only init, system_server and vendor_init may set zram_control_prop and
# dalvik_runtime_prop.
neverallow {
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;

neverallow {
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;

# Only coredomain and vendor_init may set the USB config/control properties.
neverallow {
-coredomain
-vendor_init
} {
usb_config_prop
usb_control_prop
}:property_service set;

# provisioned_prop / retaildemo_prop: set only by init and system_server,
# readable only by coredomain and vendor_init.
neverallow {
-init
-system_server
} {
provisioned_prop
retaildemo_prop
}:property_service set;

neverallow {
-coredomain
-vendor_init
} {
provisioned_prop
retaildemo_prop
}:file no_rw_file_perms;

# Only init may set the service-status properties.
neverallow {
-init
} {
init_service_status_private_prop
init_service_status_prop
}:property_service set;

# telephony_status_prop: settable by init, radio, apps and the telephony HAL
# server. vendor_init is exempted only when not_compatible_property() expands,
# i.e. presumably on builds that do not use the compatible-property scheme.
neverallow {
-init
-radio
-appdomain
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

# Only init and vendor_init may set graphics_config_prop.
neverallow {
-init
-vendor_init
} {
graphics_config_prop
}:property_service set;

# Read restrictions for the remaining *_config_prop types.
neverallow {
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

neverallow {
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;

# Only init may set localization_prop.
neverallow {
-init
} {
localization_prop
}:property_service set;

# oem_unlock_prop is readable only by init, vendor_init, dumpstate and
# system_app.
neverallow {
-init
-vendor_init
-dumpstate
-system_app
} oem_unlock_prop:file no_rw_file_perms;

neverallow {
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

# sendbug_config_prop and camera_calibration_prop are readable only by init,
# vendor_init, dumpstate and apps.
neverallow {
-init
-vendor_init
-dumpstate
-appdomain
} sendbug_config_prop:file no_rw_file_perms;

neverallow {
-init
-vendor_init
-dumpstate
-appdomain
} camera_calibration_prop:file no_rw_file_perms;

# hal_dumpstate_config_prop is readable only by init, dumpstate, the dumpstate
# HAL server and (when not_compatible_property() expands) vendor_init.
# This rule names hal_dumpstate_server rather than the hal_dumpstate
# attribute: an attribute that no type is assigned to is optimized away by
# the policy compiler, and the CTS neverallow check then fails with
# "Type or attribute hal_dumpstate used in neverallow undefined in policy
# being checked" (b/166168257).
neverallow {
-init
-dumpstate
-hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;