1type audio_prop, property_type, core_property_type;
2type boottime_prop, property_type;
3type bluetooth_a2dp_offload_prop, property_type;
4type bluetooth_prop, property_type;
5type bootloader_boot_reason_prop, property_type;
6type config_prop, property_type, core_property_type;
7type cppreopt_prop, property_type, core_property_type;
8type ctl_bootanim_prop, property_type;
9type ctl_bugreport_prop, property_type;
10type ctl_console_prop, property_type;
11type ctl_default_prop, property_type;
12type ctl_dumpstate_prop, property_type;
13type ctl_fuse_prop, property_type;
14type ctl_interface_restart_prop, property_type;
15type ctl_interface_start_prop, property_type;
16type ctl_interface_stop_prop, property_type;
17type ctl_mdnsd_prop, property_type;
18type ctl_restart_prop, property_type;
19type ctl_rildaemon_prop, property_type;
20type ctl_sigstop_prop, property_type;
21type ctl_start_prop, property_type;
22type ctl_stop_prop, property_type;
23type dalvik_prop, property_type, core_property_type;
24type debuggerd_prop, property_type, core_property_type;
25type debug_prop, property_type, core_property_type;
26type default_prop, property_type, core_property_type;
27type device_logging_prop, property_type;
28type dhcp_prop, property_type, core_property_type;
29type dumpstate_options_prop, property_type;
30type dumpstate_prop, property_type, core_property_type;
31type exported_secure_prop, property_type;
32type ffs_prop, property_type, core_property_type;
33type fingerprint_prop, property_type, core_property_type;
34type firstboot_prop, property_type;
35type hwservicemanager_prop, property_type;
36type last_boot_reason_prop, property_type;
37type logd_prop, property_type, core_property_type;
38type logpersistd_logging_prop, property_type;
39type log_prop, property_type, log_property_type;
40type log_tag_prop, property_type, log_property_type;
41type lowpan_prop, property_type;
42type mmc_prop, property_type;
43type net_dns_prop, property_type;
44type net_radio_prop, property_type, core_property_type;
45type netd_stable_secret_prop, property_type;
46type nfc_prop, property_type, core_property_type;
47type overlay_prop, property_type;
48type pan_result_prop, property_type, core_property_type;
49type persist_debug_prop, property_type, core_property_type;
50type persistent_properties_ready_prop, property_type;
51type pm_prop, property_type;
52type powerctl_prop, property_type, core_property_type;
53type radio_prop, property_type, core_property_type;
54type restorecon_prop, property_type, core_property_type;
55type safemode_prop, property_type;
56type serialno_prop, property_type;
57type shell_prop, property_type, core_property_type;
58type system_boot_reason_prop, property_type;
59type system_prop, property_type, core_property_type;
60type system_radio_prop, property_type, core_property_type;
61type test_boot_reason_prop, property_type;
62type traced_enabled_prop, property_type;
63type vold_prop, property_type, core_property_type;
64type wifi_log_prop, property_type, log_property_type;
65type wifi_prop, property_type;
66type vendor_security_patch_level_prop, property_type;
67
68# Properties for whitelisting
69type exported_bluetooth_prop, property_type;
70type exported_config_prop, property_type;
71type exported_dalvik_prop, property_type;
72type exported_default_prop, property_type;
73type exported_dumpstate_prop, property_type;
74type exported_ffs_prop, property_type;
75type exported_fingerprint_prop, property_type;
76type exported_overlay_prop, property_type;
77type exported_pm_prop, property_type;
78type exported_radio_prop, property_type;
79type exported_system_prop, property_type;
80type exported_system_radio_prop, property_type;
81type exported_vold_prop, property_type;
82type exported_wifi_prop, property_type;
83type exported2_config_prop, property_type;
84type exported2_default_prop, property_type;
85type exported2_radio_prop, property_type;
86type exported2_system_prop, property_type;
87type exported2_vold_prop, property_type;
88type exported3_default_prop, property_type;
89type exported3_radio_prop, property_type;
90type exported3_system_prop, property_type;
91type vendor_default_prop, property_type;
92
93allow property_type tmpfs:filesystem associate;
94
95###
96### Neverallow rules
97###
98
99# core_property_type should not be used for new properties or
100# device specific properties. Properties with this attribute
101# are readable to everyone, which is overly broad and should
102# be avoided.
103# New properties should have appropriate read / write access
104# control rules written.
105
106neverallow * {
107  core_property_type
108  -audio_prop
109  -config_prop
110  -cppreopt_prop
111  -dalvik_prop
112  -debuggerd_prop
113  -debug_prop
114  -default_prop
115  -dhcp_prop
116  -dumpstate_prop
117  -ffs_prop
118  -fingerprint_prop
119  -logd_prop
120  -net_radio_prop
121  -nfc_prop
122  -pan_result_prop
123  -persist_debug_prop
124  -powerctl_prop
125  -radio_prop
126  -restorecon_prop
127  -shell_prop
128  -system_prop
129  -system_radio_prop
130  -vold_prop
131}:file no_rw_file_perms;
132
133# sigstop property is only used for debugging; should only be set by su which is permissive
134# for userdebug/eng
135neverallow {
136  domain
137  -init
138  -vendor_init
139} ctl_sigstop_prop:property_service set;
140
141# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
142# in the audit log
143dontaudit domain {
144  ctl_bootanim_prop
145  ctl_bugreport_prop
146  ctl_console_prop
147  ctl_default_prop
148  ctl_dumpstate_prop
149  ctl_fuse_prop
150  ctl_mdnsd_prop
151  ctl_rildaemon_prop
152}:property_service set;
153
154compatible_property_only(`
155# Prevent properties from being set
156  neverallow {
157    domain
158    -coredomain
159    -appdomain
160    -vendor_init
161  } {
162    core_property_type
163    extended_core_property_type
164    exported_config_prop
165    exported_dalvik_prop
166    exported_default_prop
167    exported_dumpstate_prop
168    exported_ffs_prop
169    exported_fingerprint_prop
170    exported_system_prop
171    exported_system_radio_prop
172    exported_vold_prop
173    exported2_config_prop
174    exported2_default_prop
175    exported2_system_prop
176    exported2_vold_prop
177    exported3_default_prop
178    exported3_system_prop
179    -nfc_prop
180    -powerctl_prop
181    -radio_prop
182  }:property_service set;
183
184  neverallow {
185    domain
186    -coredomain
187    -appdomain
188    -hal_nfc_server
189  } {
190    nfc_prop
191  }:property_service set;
192
193  neverallow {
194    domain
195    -coredomain
196    -appdomain
197    -hal_telephony_server
198    -vendor_init
199  } {
200    exported_radio_prop
201    exported3_radio_prop
202  }:property_service set;
203
204  neverallow {
205    domain
206    -coredomain
207    -appdomain
208    -hal_telephony_server
209  } {
210    exported2_radio_prop
211    radio_prop
212  }:property_service set;
213
214  neverallow {
215    domain
216    -coredomain
217    -bluetooth
218    -hal_bluetooth_server
219  } {
220    bluetooth_prop
221  }:property_service set;
222
223  neverallow {
224    domain
225    -coredomain
226    -bluetooth
227    -hal_bluetooth_server
228    -vendor_init
229  } {
230    exported_bluetooth_prop
231  }:property_service set;
232
233  neverallow {
234    domain
235    -coredomain
236    -hal_wifi_server
237    -wificond
238  } {
239    wifi_prop
240  }:property_service set;
241
242  neverallow {
243    domain
244    -coredomain
245    -hal_wifi_server
246    -wificond
247    -vendor_init
248  } {
249    exported_wifi_prop
250  }:property_service set;
251
252# Prevent properties from being read
253  neverallow {
254    domain
255    -coredomain
256    -appdomain
257    -vendor_init
258  } {
259    core_property_type
260    extended_core_property_type
261    exported_dalvik_prop
262    exported_ffs_prop
263    exported_system_radio_prop
264    exported2_config_prop
265    exported2_system_prop
266    exported2_vold_prop
267    exported3_default_prop
268    exported3_system_prop
269    -debug_prop
270    -logd_prop
271    -nfc_prop
272    -powerctl_prop
273    -radio_prop
274  }:file no_rw_file_perms;
275
276  neverallow {
277    domain
278    -coredomain
279    -appdomain
280    -hal_nfc_server
281  } {
282    nfc_prop
283  }:file no_rw_file_perms;
284
285  neverallow {
286    domain
287    -coredomain
288    -appdomain
289    -hal_telephony_server
290  } {
291    radio_prop
292  }:file no_rw_file_perms;
293
294  neverallow {
295    domain
296    -coredomain
297    -bluetooth
298    -hal_bluetooth_server
299  } {
300    bluetooth_prop
301  }:file no_rw_file_perms;
302
303  neverallow {
304    domain
305    -coredomain
306    -hal_wifi_server
307    -wificond
308  } {
309    wifi_prop
310  }:file no_rw_file_perms;
311')
312
313compatible_property_only(`
314  # Neverallow coredomain to set vendor properties
315  neverallow {
316    coredomain
317    -init
318    -system_writes_vendor_properties_violators
319  } {
320    property_type
321    -audio_prop
322    -bluetooth_a2dp_offload_prop
323    -bluetooth_prop
324    -bootloader_boot_reason_prop
325    -boottime_prop
326    -config_prop
327    -cppreopt_prop
328    -ctl_bootanim_prop
329    -ctl_bugreport_prop
330    -ctl_console_prop
331    -ctl_default_prop
332    -ctl_dumpstate_prop
333    -ctl_fuse_prop
334    -ctl_interface_restart_prop
335    -ctl_interface_start_prop
336    -ctl_interface_stop_prop
337    -ctl_mdnsd_prop
338    -ctl_restart_prop
339    -ctl_rildaemon_prop
340    -ctl_sigstop_prop
341    -ctl_start_prop
342    -ctl_stop_prop
343    -dalvik_prop
344    -debug_prop
345    -debuggerd_prop
346    -default_prop
347    -device_logging_prop
348    -dhcp_prop
349    -dumpstate_options_prop
350    -dumpstate_prop
351    -exported2_config_prop
352    -exported2_default_prop
353    -exported2_radio_prop
354    -exported2_system_prop
355    -exported2_vold_prop
356    -exported3_default_prop
357    -exported3_radio_prop
358    -exported3_system_prop
359    -exported_bluetooth_prop
360    -exported_config_prop
361    -exported_dalvik_prop
362    -exported_default_prop
363    -exported_dumpstate_prop
364    -exported_ffs_prop
365    -exported_fingerprint_prop
366    -exported_overlay_prop
367    -exported_pm_prop
368    -exported_radio_prop
369    -exported_secure_prop
370    -exported_system_prop
371    -exported_system_radio_prop
372    -exported_vold_prop
373    -exported_wifi_prop
374    -extended_core_property_type
375    -ffs_prop
376    -fingerprint_prop
377    -firstboot_prop
378    -hwservicemanager_prop
379    -last_boot_reason_prop
380    -log_prop
381    -log_tag_prop
382    -logd_prop
383    -logpersistd_logging_prop
384    -lowpan_prop
385    -mmc_prop
386    -net_dns_prop
387    -net_radio_prop
388    -netd_stable_secret_prop
389    -nfc_prop
390    -overlay_prop
391    -pan_result_prop
392    -persist_debug_prop
393    -persistent_properties_ready_prop
394    -pm_prop
395    -powerctl_prop
396    -radio_prop
397    -restorecon_prop
398    -safemode_prop
399    -serialno_prop
400    -shell_prop
401    -system_boot_reason_prop
402    -system_prop
403    -system_radio_prop
404    -test_boot_reason_prop
405    -traced_enabled_prop
406    -vendor_default_prop
407    -vendor_security_patch_level_prop
408    -vold_prop
409    -wifi_log_prop
410    -wifi_prop
411  }:property_service set;
412')
413