bbae4a9a1c
This completely hides system internal properties (which are meant to be
used only in system) when compiling sepolicy of vendor, product, etc.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I4fc060f5973b7483c7f8502c40ef0a61f75ff088
Merged-In: I4fc060f5973b7483c7f8502c40ef0a61f75ff088
(cherry picked from commit c492c06e14)
338 lines
6.7 KiB
Text
338 lines
6.7 KiB
Text
# Properties used only in /system
|
|
system_internal_prop(adbd_prop)
|
|
system_internal_prop(device_config_storage_native_boot_prop)
|
|
system_internal_prop(device_config_sys_traced_prop)
|
|
system_internal_prop(device_config_window_manager_native_boot_prop)
|
|
system_internal_prop(device_config_configuration_prop)
|
|
system_internal_prop(gsid_prop)
|
|
system_internal_prop(init_perf_lsm_hooks_prop)
|
|
system_internal_prop(init_svc_debug_prop)
|
|
system_internal_prop(last_boot_reason_prop)
|
|
system_internal_prop(netd_stable_secret_prop)
|
|
system_internal_prop(pm_prop)
|
|
system_internal_prop(system_adbd_prop)
|
|
system_internal_prop(traced_perf_enabled_prop)
|
|
system_internal_prop(userspace_reboot_log_prop)
|
|
system_internal_prop(userspace_reboot_test_prop)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
treble_sysprop_neverallow(`
|
|
|
|
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
|
|
# neverallow domain {
|
|
# property_type
|
|
# -system_property_type
|
|
# -product_property_type
|
|
# -vendor_property_type
|
|
# }:file no_rw_file_perms;
|
|
|
|
neverallow { domain -coredomain } {
|
|
system_property_type
|
|
system_internal_property_type
|
|
-system_restricted_property_type
|
|
-system_public_property_type
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow { domain -coredomain } {
|
|
system_property_type
|
|
-system_public_property_type
|
|
}:property_service set;
|
|
|
|
# init is in coredomain, but should be able to read/write all props.
|
|
# dumpstate is also in coredomain, but should be able to read all props.
|
|
neverallow { coredomain -init -dumpstate } {
|
|
vendor_property_type
|
|
vendor_internal_property_type
|
|
-vendor_restricted_property_type
|
|
-vendor_public_property_type
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow { coredomain -init } {
|
|
vendor_property_type
|
|
-vendor_public_property_type
|
|
}:property_service set;
|
|
|
|
')
|
|
|
|
# There is no need to perform ioctl or advisory locking operations on
|
|
# property files. If this neverallow is being triggered, it is
|
|
# likely that the policy is using r_file_perms directly instead of
|
|
# the get_prop() macro.
|
|
neverallow domain property_type:file { ioctl lock };
|
|
|
|
neverallow * {
|
|
core_property_type
|
|
-audio_prop
|
|
-config_prop
|
|
-cppreopt_prop
|
|
-dalvik_prop
|
|
-debuggerd_prop
|
|
-debug_prop
|
|
-default_prop
|
|
-dhcp_prop
|
|
-dumpstate_prop
|
|
-ffs_prop
|
|
-fingerprint_prop
|
|
-logd_prop
|
|
-net_radio_prop
|
|
-nfc_prop
|
|
-ota_prop
|
|
-pan_result_prop
|
|
-persist_debug_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
-restorecon_prop
|
|
-shell_prop
|
|
-system_prop
|
|
-system_radio_prop
|
|
-vold_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
# sigstop property is only used for debugging; should only be set by su which is permissive
|
|
# for userdebug/eng
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
} ctl_sigstop_prop:property_service set;
|
|
|
|
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
|
|
# in the audit log
|
|
dontaudit domain {
|
|
ctl_bootanim_prop
|
|
ctl_bugreport_prop
|
|
ctl_console_prop
|
|
ctl_default_prop
|
|
ctl_dumpstate_prop
|
|
ctl_fuse_prop
|
|
ctl_mdnsd_prop
|
|
ctl_rildaemon_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
} init_svc_debug_prop:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-dumpstate
|
|
userdebug_or_eng(`-su')
|
|
} init_svc_debug_prop:file no_rw_file_perms;
|
|
|
|
compatible_property_only(`
|
|
# Prevent properties from being set
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_init
|
|
} {
|
|
core_property_type
|
|
extended_core_property_type
|
|
exported_config_prop
|
|
exported_dalvik_prop
|
|
exported_default_prop
|
|
exported_dumpstate_prop
|
|
exported_ffs_prop
|
|
exported_fingerprint_prop
|
|
exported_system_prop
|
|
exported_system_radio_prop
|
|
exported_vold_prop
|
|
exported2_config_prop
|
|
exported2_default_prop
|
|
exported2_system_prop
|
|
exported2_vold_prop
|
|
exported3_default_prop
|
|
exported3_system_prop
|
|
-nfc_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_nfc_server
|
|
} {
|
|
nfc_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
-vendor_init
|
|
} {
|
|
exported_radio_prop
|
|
exported3_radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
} {
|
|
exported2_radio_prop
|
|
radio_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
} {
|
|
bluetooth_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
-vendor_init
|
|
} {
|
|
exported_bluetooth_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_camera_server
|
|
-cameraserver
|
|
-vendor_init
|
|
} {
|
|
exported_camera_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
} {
|
|
wifi_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
-vendor_init
|
|
} {
|
|
exported_wifi_prop
|
|
}:property_service set;
|
|
|
|
# Prevent properties from being read
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-vendor_init
|
|
} {
|
|
core_property_type
|
|
extended_core_property_type
|
|
exported_dalvik_prop
|
|
exported_ffs_prop
|
|
exported_system_radio_prop
|
|
exported2_config_prop
|
|
exported2_system_prop
|
|
exported2_vold_prop
|
|
exported3_default_prop
|
|
exported3_system_prop
|
|
-debug_prop
|
|
-logd_prop
|
|
-nfc_prop
|
|
-powerctl_prop
|
|
-radio_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_nfc_server
|
|
} {
|
|
nfc_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-appdomain
|
|
-hal_telephony_server
|
|
} {
|
|
radio_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-bluetooth
|
|
-hal_bluetooth_server
|
|
} {
|
|
bluetooth_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-coredomain
|
|
-hal_wifi_server
|
|
-wificond
|
|
} {
|
|
wifi_prop
|
|
}:file no_rw_file_perms;
|
|
')
|
|
|
|
compatible_property_only(`
|
|
# Neverallow coredomain to set vendor properties
|
|
neverallow {
|
|
coredomain
|
|
-init
|
|
-system_writes_vendor_properties_violators
|
|
} {
|
|
property_type
|
|
-system_property_type
|
|
-extended_core_property_type
|
|
}:property_service set;
|
|
')
|
|
|
|
neverallow {
|
|
-init
|
|
-system_server
|
|
} {
|
|
userspace_reboot_log_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
# Only allow init and system_server to set system_adbd_prop
|
|
-init
|
|
-system_server
|
|
} {
|
|
system_adbd_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
# Only allow init and adbd to set adbd_prop
|
|
-init
|
|
-adbd
|
|
} {
|
|
adbd_prop
|
|
}:property_service set;
|
|
|
|
neverallow {
|
|
# Only allow init and shell to set userspace_reboot_test_prop
|
|
-init
|
|
-shell
|
|
} {
|
|
userspace_reboot_test_prop
|
|
}:property_service set;
|