platform_system_sepolicy/private/property.te
Jeff Vander Stoep 684d25b75a Refer to hal_dumpstate_server in neverallow rules
hal_dumpstate gets optimized away by the policy compiler, causing
a CTS failure:
neverallow {   -init   -dumpstate   -hal_dumpstate   -vendor_init } hal_dumpstate_config_prop:file { { append create link unlink relabelfrom rename setattr write } open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads };
Warning!  Type or attribute hal_dumpstate used in neverallow undefined in policy being checked

Fixes: 166168257
Test: build policy
Change-Id: Ia7437b8297794502d496e9bd9998dddfdcb747ef
2020-08-25 11:41:00 +02:00


# Properties used only in /system
# system_internal_prop() declares a property context that is meant to stay
# private to /system: the treble neverallow rules further down forbid every
# non-coredomain domain from reading or writing the property files of
# system_internal_property_type members.
system_internal_prop(adbd_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
###
### Neverallow rules
###
# treble_sysprop_neverallow() presumably makes the enclosed rules conditional
# on the system/vendor property split being enforced; its definition lives
# outside this file.
treble_sysprop_neverallow(`
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
# neverallow domain {
# property_type
# -system_property_type
# -product_property_type
# -vendor_property_type
# }:file no_rw_file_perms;
# Non-core (vendor side) domains may not read or write system-owned property
# files unless the property is explicitly tagged restricted or public.
neverallow { domain -coredomain } {
system_property_type
system_internal_property_type
-system_restricted_property_type
-system_public_property_type
}:file no_rw_file_perms;
# Non-core domains may only set system properties that are tagged public.
neverallow { domain -coredomain } {
system_property_type
-system_public_property_type
}:property_service set;
# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
# Mirror image of the two rules above: coredomain may not read vendor-owned
# property files unless the property is tagged restricted or public...
neverallow { coredomain -init -dumpstate } {
vendor_property_type
vendor_internal_property_type
-vendor_restricted_property_type
-vendor_public_property_type
}:file no_rw_file_perms;
# ...and may not set vendor properties unless they are tagged public.
neverallow { coredomain -init } {
vendor_property_type
-vendor_public_property_type
}:property_service set;
')
# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
# The rule covers every domain and every property type, so a single stray
# allow rule anywhere in the policy fails the policy build.
neverallow domain property_type:file { ioctl lock };
# Closed enumeration of core_property_type. The subject is every type, and the
# target is every core_property_type member that is NOT listed below, so a
# newly declared core property must either be added to this list or have no
# allow rules at all; otherwise this neverallow fires at build time.
neverallow * {
core_property_type
-audio_prop
-config_prop
-cppreopt_prop
-dalvik_prop
-debuggerd_prop
-debug_prop
-default_prop
-dhcp_prop
-dumpstate_prop
-fingerprint_prop
-logd_prop
-net_radio_prop
-nfc_prop
-ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
-radio_prop
-restorecon_prop
-shell_prop
-system_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# Only init and vendor_init are exempt from this rule.
neverallow {
domain
-init
-vendor_init
} ctl_sigstop_prop:property_service set;
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
# dontaudit only suppresses denial logging for these legacy ctl.* contexts;
# it grants no access.
dontaudit domain {
ctl_bootanim_prop
ctl_bugreport_prop
ctl_console_prop
ctl_default_prop
ctl_dumpstate_prop
ctl_fuse_prop
ctl_mdnsd_prop
ctl_rildaemon_prop
}:property_service set;
# init_svc_debug_prop: only init may set it.
neverallow {
domain
-init
} init_svc_debug_prop:property_service set;
# Only init, dumpstate and (on userdebug/eng builds) su may read or write the
# init_svc_debug_prop property file.
neverallow {
domain
-init
-dumpstate
userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;
# compatible_property_only() presumably limits the enclosed rules to devices
# built with the compatible property scheme; its definition lives outside this
# file.
compatible_property_only(`
# Prevent properties from being set
# Only coredomain, apps and vendor_init may set core, extended core or exported
# system properties. nfc_prop and radio_prop are excluded here because the
# dedicated rules below cover them; powerctl_prop is excluded without a
# matching rule in this block, so its setters are presumably constrained
# elsewhere.
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
extended_core_property_type
exported_config_prop
exported_default_prop
exported_dumpstate_prop
exported_system_prop
exported3_system_prop
usb_control_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:property_service set;
# nfc_prop may be set only by coredomain, apps and the NFC HAL server.
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:property_service set;
# radio_control_prop: coredomain, apps, the telephony HAL server and vendor_init.
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
-vendor_init
} {
radio_control_prop
}:property_service set;
# radio_prop: as radio_control_prop but without vendor_init.
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:property_service set;
# bluetooth_prop: coredomain, bluetooth and the Bluetooth HAL server.
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:property_service set;
# exported_bluetooth_prop: as bluetooth_prop plus vendor_init.
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
-vendor_init
} {
exported_bluetooth_prop
}:property_service set;
# exported_camera_prop: coredomain, the camera HAL server, cameraserver and vendor_init.
neverallow {
domain
-coredomain
-hal_camera_server
-cameraserver
-vendor_init
} {
exported_camera_prop
}:property_service set;
# wifi_prop: coredomain, the Wi-Fi HAL server and wificond.
neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:property_service set;
# NOTE(review): unlike the neighbouring rules this one exempts init and
# dumpstate individually instead of coredomain, so every other coredomain
# member is also barred from setting wifi_hal_prop. Confirm that the tighter
# scope is intended; it is stricter than the wifi_prop rule above.
neverallow {
domain
-init
-dumpstate
-hal_wifi_server
-wificond
-vendor_init
} {
wifi_hal_prop
}:property_service set;
# Prevent properties from being read
# Read-side counterpart of the first rule in this block: the same domains that
# may not set core properties may not read their files either. dalvik_config_prop
# and systemsound_config_prop are added to the target set; debug_prop and
# logd_prop are carved out in addition to nfc_prop, powerctl_prop and radio_prop.
neverallow {
domain
-coredomain
-appdomain
-vendor_init
} {
core_property_type
dalvik_config_prop
extended_core_property_type
exported3_system_prop
systemsound_config_prop
-debug_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;
# The remaining read rules mirror the set rules above for nfc_prop, radio_prop,
# bluetooth_prop and wifi_prop with the same exempted domains.
neverallow {
domain
-coredomain
-appdomain
-hal_nfc_server
} {
nfc_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-appdomain
-hal_telephony_server
} {
radio_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-bluetooth
-hal_bluetooth_server
} {
bluetooth_prop
}:file no_rw_file_perms;
neverallow {
domain
-coredomain
-hal_wifi_server
-wificond
} {
wifi_prop
}:file no_rw_file_perms;
')
compatible_property_only(`
# Neverallow coredomain to set vendor properties
# Within coredomain only init may set properties that are neither
# system_property_type nor extended_core_property_type. The
# system_writes_vendor_properties_violators attribute presumably collects the
# legacy coredomain exceptions; every member added to it weakens this rule.
neverallow {
coredomain
-init
-system_writes_vendor_properties_violators
} {
property_type
-system_property_type
-extended_core_property_type
}:property_service set;
')
# A subject set made only of exclusions (for example { -init -system_server })
# reads as every domain except those listed; the comments inside the rules
# below use it the same way. Each rule in this section restricts a single
# property to a short list of owners.
# ffs_config_prop / ffs_control_prop files: only coredomain and vendor_init.
neverallow {
-coredomain
-vendor_init
} {
ffs_config_prop
ffs_control_prop
}:file no_rw_file_perms;
# userspace_reboot_log_prop: only init and system_server may set it.
neverallow {
-init
-system_server
} {
userspace_reboot_log_prop
}:property_service set;
neverallow {
# Only allow init and system_server to set system_adbd_prop
-init
-system_server
} {
system_adbd_prop
}:property_service set;
neverallow {
# Only allow init and adbd to set adbd_prop
-init
-adbd
} {
adbd_prop
}:property_service set;
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
-init
-shell
} {
userspace_reboot_test_prop
}:property_service set;
# surfaceflinger_color_prop: only init, system_server and vendor_init may set it.
neverallow {
-init
-system_server
-vendor_init
} {
surfaceflinger_color_prop
}:property_service set;
# libc_debug_prop: only init may set it.
neverallow {
-init
} {
libc_debug_prop
}:property_service set;
# zram_control_prop: only init, system_server and vendor_init may set it.
neverallow {
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
# dalvik_runtime_prop: same owner list as zram_control_prop.
neverallow {
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
# usb_config_prop / usb_control_prop: only coredomain and vendor_init may set them.
neverallow {
-coredomain
-vendor_init
} {
usb_config_prop
usb_control_prop
}:property_service set;
# provisioned_prop / retaildemo_prop: set only by init and system_server...
neverallow {
-init
-system_server
} {
provisioned_prop
retaildemo_prop
}:property_service set;
# ...and their files are readable only by coredomain and vendor_init.
neverallow {
-coredomain
-vendor_init
} {
provisioned_prop
retaildemo_prop
}:file no_rw_file_perms;
# init_service_status_private_prop / init_service_status_prop: only init may set them.
neverallow {
-init
} {
init_service_status_private_prop
init_service_status_prop
}:property_service set;
# telephony_status_prop: init, radio, apps and the telephony HAL server may set
# it; vendor_init is exempted only where not_compatible_property() applies
# (presumably the complement of compatible_property_only(), defined outside
# this file).
neverallow {
-init
-radio
-appdomain
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;
# graphics_config_prop: only init and vendor_init may set it.
neverallow {
-init
-vendor_init
} {
graphics_config_prop
}:property_service set;
# packagemanager_config_prop files: readable only by coredomain, apps and vendor_init.
neverallow {
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
# keyguard_config_prop files: readable only by coredomain and vendor_init.
neverallow {
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
# localization_prop: only init may set it.
neverallow {
-init
} {
localization_prop
}:property_service set;
# oem_unlock_prop files: readable only by init, vendor_init, dumpstate and system_app.
neverallow {
-init
-vendor_init
-dumpstate
-system_app
} oem_unlock_prop:file no_rw_file_perms;
# storagemanager_config_prop files: readable only by coredomain and vendor_init.
neverallow {
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
# sendbug_config_prop files: readable only by init, vendor_init, dumpstate and apps.
neverallow {
-init
-vendor_init
-dumpstate
-appdomain
} sendbug_config_prop:file no_rw_file_perms;
# camera_calibration_prop files: same reader list as sendbug_config_prop.
neverallow {
-init
-vendor_init
-dumpstate
-appdomain
} camera_calibration_prop:file no_rw_file_perms;
# hal_dumpstate_config_prop files: readable only by init, dumpstate, the
# dumpstate HAL server and (where not_compatible_property() applies) vendor_init.
# The hal_dumpstate_server attribute is named here rather than the hal_dumpstate
# type because an unreferenced type can be optimized away by the policy
# compiler, which made the CTS neverallow check report the type as undefined.
neverallow {
-init
-dumpstate
-hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;