# Properties used only in /system
#
# Each line declares one property type through the system_internal_prop()
# macro, which is defined outside this file. The neverallow rules later in
# this file decide who may set or read these types; a declaration here grants
# nothing by itself.

# Services and daemons
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)

# device_config_* types
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)

# Remaining system-internal types
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)

# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)

###
### Neverallow rules
###
# A neverallow is a build-time assertion: policy that contains a matching
# allow rule fails to compile. Being subtracted from a neverallow grants
# nothing; access still needs an allow rule somewhere else.

# The rules below are passed as the argument of treble_sysprop_neverallow(),
# which is defined outside this file.
treble_sysprop_neverallow(`

# Keep quote characters out of comments inside this macro argument: m4 reads
# them as quote delimiters here, not as comment text.

# Every property type must carry one of the three owner attributes
# (system, product, vendor); file access to any other type is forbidden.
enforce_sysprop_owner(`
    neverallow domain {
        property_type
        -system_property_type
        -product_property_type
        -vendor_property_type
    }:file no_rw_file_perms;
')

# Outside coredomain: no file access to system properties unless the type is
# restricted or public.
neverallow { domain -coredomain } {
    system_property_type
    system_internal_property_type
    -system_restricted_property_type
    -system_public_property_type
}:file no_rw_file_perms;

# Outside coredomain: only public system properties may be set.
neverallow { domain -coredomain } {
    system_property_type
    -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } {
    vendor_property_type
    vendor_internal_property_type
    -vendor_restricted_property_type
    -vendor_public_property_type
}:file no_rw_file_perms;

# Inside coredomain: only init may set vendor properties that are not public.
neverallow { coredomain -init } {
    vendor_property_type
    -vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files.
# If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
neverallow domain property_type:file { ioctl lock };

# Closed list for core_property_type: a type that carries the attribute but is
# not subtracted below may not be given file access by any domain.
neverallow * {
    core_property_type
    -audio_prop
    -config_prop
    -cppreopt_prop
    -dalvik_prop
    -debuggerd_prop
    -debug_prop
    -dhcp_prop
    -dumpstate_prop
    -fingerprint_prop
    -logd_prop
    -net_radio_prop
    -nfc_prop
    -ota_prop
    -pan_result_prop
    -persist_debug_prop
    -powerctl_prop
    -radio_prop
    -restorecon_prop
    -shell_prop
    -system_prop
    -usb_prop
    -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# NOTE(review): the rule subtracts init and vendor_init; su is not in the
# list. Presumably su needs no allow rule because it is permissive - confirm.
neverallow { domain -init -vendor_init } ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
# in the audit log
# Denied set requests on the types below leave no audit record, so the absence
# of a denial in the log does not show that the request was allowed.
dontaudit domain {
    ctl_bootanim_prop
    ctl_bugreport_prop
    ctl_console_prop
    ctl_default_prop
    ctl_dumpstate_prop
    ctl_fuse_prop
    ctl_mdnsd_prop
    ctl_rildaemon_prop
}:property_service set;

# init_storage_prop: set by init and extra_free_kbytes only.
neverallow { domain -init -extra_free_kbytes } init_storage_prop:property_service set;

# init_svc_debug_prop: set by init only.
neverallow { domain -init } init_svc_debug_prop:property_service set;

# init_svc_debug_prop: file access for init and dumpstate, plus su inside the
# userdebug_or_eng() wrapper.
neverallow {
    domain
    -init
    -dumpstate
    userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# The rules below are passed as the argument of compatible_property_only(),
# which is defined outside this file.
compatible_property_only(`
# Keep quote characters out of comments inside this macro argument: m4 reads
# them as quote delimiters here, not as comment text.

# Prevent properties from being set
    neverallow { domain -coredomain -appdomain -vendor_init } {
        core_property_type
        extended_core_property_type
        exported_config_prop
        exported_default_prop
        exported_dumpstate_prop
        exported_system_prop
        exported3_system_prop
        usb_control_prop
        -nfc_prop
        -powerctl_prop
        -radio_prop
    }:property_service set;

    # Per-subsystem set rules: each subtracts the matching HAL server or daemon.
    neverallow { domain -coredomain -appdomain -hal_nfc_server } { nfc_prop }:property_service set;

    neverallow { domain -coredomain -appdomain -hal_telephony_server -vendor_init } { radio_control_prop }:property_service set;

    neverallow { domain -coredomain -appdomain -hal_telephony_server } { radio_prop }:property_service set;

    neverallow { domain -coredomain -bluetooth -hal_bluetooth_server } { bluetooth_prop }:property_service set;

    neverallow { domain -coredomain -bluetooth -hal_bluetooth_server -vendor_init } { exported_bluetooth_prop }:property_service set;

    neverallow { domain -coredomain -hal_camera_server -cameraserver -vendor_init } { exported_camera_prop }:property_service set;

    neverallow { domain -coredomain -hal_wifi_server -wificond } { wifi_prop }:property_service set;

    # wifi_hal_prop does not subtract coredomain as a whole, only the domains named here.
    neverallow { domain -init -dumpstate -hal_wifi_server -wificond -vendor_init } { wifi_hal_prop }:property_service set;

# Prevent properties from being read
# These rules use no_rw_file_perms, so they cover file writes as well as reads.
    neverallow { domain -coredomain -appdomain -vendor_init } {
        core_property_type
        dalvik_config_prop_type
        extended_core_property_type
        exported3_system_prop
        systemsound_config_prop
        -debug_prop
        -logd_prop
        -nfc_prop
        -powerctl_prop
        -radio_prop
    }:file no_rw_file_perms;

    neverallow { domain -coredomain -appdomain -hal_nfc_server } { nfc_prop }:file no_rw_file_perms;

    neverallow { domain -coredomain -appdomain -hal_telephony_server } { radio_prop }:file no_rw_file_perms;

    neverallow { domain -coredomain -bluetooth -hal_bluetooth_server } { bluetooth_prop }:file no_rw_file_perms;

    neverallow { domain -coredomain -hal_wifi_server -wificond } { wifi_prop }:file no_rw_file_perms;

    # suspend_prop: this rule restricts set, not file access, although it sits
    # under the read heading.
    neverallow { domain -coredomain -vendor_init } { suspend_prop }:property_service set;
')

compatible_property_only(`
    # Neverallow coredomain to set vendor properties
    # Domains carrying system_writes_vendor_properties_violators are exempt;
    # membership of that attribute is worth reviewing whenever it changes.
    neverallow {
        coredomain
        -init
        -system_writes_vendor_properties_violators
    } {
        property_type
        -system_property_type
        -extended_core_property_type
    }:property_service set;
')

# ffs_config_prop and ffs_control_prop: file access for coredomain and vendor_init only.
neverallow { domain -coredomain -vendor_init } {
    ffs_config_prop
    ffs_control_prop
}:file no_rw_file_perms;

# userspace_reboot_log_prop: set by init and system_server only.
neverallow { domain -init -system_server } { userspace_reboot_log_prop }:property_service set;

# Only allow init and system_server to set system_adbd_prop
neverallow { domain -init -system_server } { system_adbd_prop }:property_service set;

# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow { domain -init -vendor_init -adbd -system_server } { adbd_config_prop }:property_service set;

# Only allow init and adbd to set adbd_prop
neverallow { domain -init -adbd } { adbd_prop }:property_service set;

# Only allow init to set apexd_payload_metadata_prop
neverallow { domain -init } { apexd_payload_metadata_prop }:property_service set;


# Only allow init and shell to set userspace_reboot_test_prop
neverallow { domain -init -shell } { userspace_reboot_test_prop }:property_service set;

# surfaceflinger_color_prop: set by init, system_server and vendor_init only.
neverallow { domain -init -system_server -vendor_init } { surfaceflinger_color_prop }:property_service set;

# libc_debug_prop: set by init only.
neverallow { domain -init } { libc_debug_prop }:property_service set;

# Allow the shell to set MTE & GWP-ASan props,
# so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
# NOTE(review): both types share one rule, so init, shell, system_app,
# system_server and mtectrl are all exempt for arm64_memtag_prop and for
# gwp_asan_prop. The exemption grants nothing; which of them may actually set
# each type depends on allow rules outside this file.
neverallow {
    domain
    -init
    -shell
    -system_app
    -system_server
    -mtectrl
} {
    arm64_memtag_prop
    gwp_asan_prop
}:property_service set;

# zram_control_prop and dalvik_runtime_prop: set by init, system_server and
# vendor_init only.
neverallow { domain -init -system_server -vendor_init } zram_control_prop:property_service set;

neverallow { domain -init -system_server -vendor_init } dalvik_runtime_prop:property_service set;

# USB configuration and control: set from coredomain or vendor_init only.
neverallow { domain -coredomain -vendor_init } {
    usb_config_prop
    usb_control_prop
}:property_service set;

# provisioned_prop and retaildemo_prop: set by init and system_server only;
# file access for coredomain and vendor_init only.
neverallow { domain -init -system_server } {
    provisioned_prop
    retaildemo_prop
}:property_service set;

neverallow { domain -coredomain -vendor_init } {
    provisioned_prop
    retaildemo_prop
}:file no_rw_file_perms;

# Service status types: set by init only.
neverallow { domain -init } {
    init_service_status_private_prop
    init_service_status_prop
}:property_service set;

# telephony_status_prop: vendor_init is subtracted only inside the
# not_compatible_property() wrapper.
neverallow {
    domain
    -init
    -radio
    -appdomain
    -hal_telephony_server
    not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

neverallow { domain -init -vendor_init } { graphics_config_prop }:property_service set;

neverallow { domain -init -surfaceflinger } { surfaceflinger_display_prop }:property_service set;

neverallow { domain -coredomain -appdomain -vendor_init } packagemanager_config_prop:file no_rw_file_perms;

neverallow { domain -coredomain -vendor_init } keyguard_config_prop:file no_rw_file_perms;

neverallow { domain -init } { localization_prop }:property_service set;

# oem_unlock_prop: file access for init, vendor_init, dumpstate and system_app
# only. Other app domains are not subtracted.
neverallow { domain -init -vendor_init -dumpstate -system_app } oem_unlock_prop:file no_rw_file_perms;

neverallow { domain -coredomain -vendor_init } storagemanager_config_prop:file no_rw_file_perms;

neverallow { domain -init -vendor_init -dumpstate -appdomain } sendbug_config_prop:file no_rw_file_perms;

neverallow { domain -init -vendor_init -dumpstate -appdomain } camera_calibration_prop:file no_rw_file_perms;

# hal_dumpstate_config_prop: vendor_init is subtracted only inside the
# not_compatible_property() wrapper.
neverallow {
    domain
    -init
    -dumpstate
    -hal_dumpstate_server
    not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;

# lower_kptr_restrict_prop: every subtraction other than init sits inside a
# userdebug_or_eng() wrapper.
neverallow {
    domain
    -init
    userdebug_or_eng(`-profcollectd')
    userdebug_or_eng(`-simpleperf_boot')
    userdebug_or_eng(`-traced_probes')
    userdebug_or_eng(`-traced_perf')
} { lower_kptr_restrict_prop }:property_service set;

# Set by init only.
neverallow { domain -init } zygote_wrap_prop:property_service set;

neverallow { domain -init } verity_status_prop:property_service set;

neverallow { domain -init } setupwizard_prop:property_service set;

# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
# NOTE(review): the rule below also subtracts dumpstate, which the sentence
# above does not mention.
neverallow { domain -init -dumpstate -vendor_init } build_config_prop:file no_rw_file_perms;

# sqlite_log_prop: set by init and shell only; file access for coredomain and
# appdomain only.
neverallow { domain -init -shell } sqlite_log_prop:property_service set;

neverallow { domain -coredomain -appdomain } sqlite_log_prop:file no_rw_file_perms;

# default_prop: set by init only.
neverallow { domain -init } default_prop:property_service set;

# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
# Any file or property_service permission on system_and_vendor_property_type
# is forbidden for every domain.
neverallow domain system_and_vendor_property_type:{file property_service} *;

# remote_prov_prop: set by init, shell and rkpdapp only.
neverallow { domain -init -shell -rkpdapp } remote_prov_prop:property_service set;

# Only allow init and shell to set rollback_test_prop
neverallow { domain -init -shell } rollback_test_prop:property_service set;

# ctl_apex_load_prop: set by init and apexd only.
neverallow { domain -init -apexd } ctl_apex_load_prop:property_service set;

# NOTE(review): init and dumpstate are subtracted next to coredomain. A
# comment earlier in this file describes both as coredomain members, in which
# case those two subtractions are redundant but harmless.
neverallow { domain -coredomain -init -dumpstate -apexd } ctl_apex_load_prop:file no_rw_file_perms;

# apex_ready_prop: set by init and apexd only; file access for coredomain,
# dumpstate, apexd and vendor_init.
neverallow { domain -init -apexd } apex_ready_prop:property_service set;

neverallow { domain -coredomain -dumpstate -apexd -vendor_init } apex_ready_prop:file no_rw_file_perms;

# Only allow init and profcollectd to access profcollectd_node_id_prop
# NOTE(review): dumpstate is subtracted as well, and this rule names
# r_file_perms, whereas the other file rules in this file name
# no_rw_file_perms.
neverallow { domain -init -dumpstate -profcollectd } profcollectd_node_id_prop:file r_file_perms;

# log_file_logger_prop: set by init only.
neverallow { domain -init } log_file_logger_prop:property_service set;

# usb_uvc_enabled_prop: set by init and vendor_init only.
neverallow { domain -init -vendor_init } usb_uvc_enabled_prop:property_service set;

# Disallow non system apps from reading ro.usb.uvc.enabled
# device_as_webcam is subtracted in addition to system_app.
neverallow { appdomain -system_app -device_as_webcam } usb_uvc_enabled_prop:file no_rw_file_perms;