# Properties used only in /system
#
# Each call below declares one property type through the system_internal_prop
# macro, which is defined outside this file view.
# NOTE(review): presumably the macro tags the type so that only system (core)
# domains may read or set it; confirm against the macro definition before
# relying on that for a new type.
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(crashrecovery_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(misctrl_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(uprobestats_start_with_config_prop)
system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
system_internal_prop(enable_16k_pages_prop)
system_internal_prop(sensors_config_prop)
system_internal_prop(hypervisor_pvmfw_prop)
system_internal_prop(hypervisor_virtualizationmanager_prop)
system_internal_prop(game_manager_config_prop)
system_internal_prop(hidl_memory_prop)
system_internal_prop(suspend_debug_prop)

# Properties which can't be written outside system
# Declared through system_restricted_prop (macro defined outside this view).
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)

###
### Neverallow rules
###
# A neverallow is a build-time assertion: policy compilation fails if any allow
# rule grants the listed permission. It grants nothing by itself, and a domain
# subtracted with "-" is only permitted to receive a matching allow rule.

# NOTE(review): treble_sysprop_neverallow and enforce_sysprop_owner are m4
# macros defined elsewhere; presumably each emits its argument only when the
# corresponding enforcement is enabled for the build. Confirm before assuming
# these assertions are active on a given device.
# Comments placed inside a quoted macro argument must not contain quote
# characters: m4 does not recognize comments while it is collecting a quoted
# string, so a quote character there would still open or close the quoting.
treble_sysprop_neverallow(`

# Ownership check: no domain may read or write a property type that is not
# tagged as system, product or vendor owned.
enforce_sysprop_owner(`
  neverallow domain {
    property_type
    -system_property_type
    -product_property_type
    -vendor_property_type
  }:file no_rw_file_perms;
')

# Non-core domains may not read or write system-owned property files, except
# for types tagged system_restricted or system_public.
neverallow { domain -coredomain } {
  system_property_type
  system_internal_property_type
  -system_restricted_property_type
  -system_public_property_type
}:file no_rw_file_perms;

# Non-core domains may set a system-owned property only when its type is
# tagged system_public.
neverallow { domain -coredomain } {
  system_property_type
  -system_public_property_type
}:property_service set;

# init is in coredomain, but should be able to read/write all props.
# dumpstate is also in coredomain, but should be able to read all props.
# Counterpart for vendor-owned properties: other core domains may not read or
# write them unless the type is tagged vendor_restricted or vendor_public.
neverallow { coredomain -init -dumpstate } {
  vendor_property_type
  vendor_internal_property_type
  -vendor_restricted_property_type
  -vendor_public_property_type
}:file no_rw_file_perms;

# Among core domains only init may set vendor-owned properties that are not
# tagged vendor_public.
neverallow { coredomain -init } {
  vendor_property_type
  -vendor_public_property_type
}:property_service set;

')

# There is no need to perform ioctl or advisory locking operations on
# property files. If this neverallow is being triggered, it is
# likely that the policy is using r_file_perms directly instead of
# the get_prop() macro.
# No domain may be granted ioctl or lock on any property file.
neverallow domain property_type:file { ioctl lock };

# Access to types carrying core_property_type is limited to the types
# subtracted below; any other type given that attribute would be unreadable
# and unwritable by every domain.
# NOTE(review): presumably this keeps new types out of core_property_type;
# confirm the intent against the attribute definition.
neverallow * {
  core_property_type
  -audio_prop
  -config_prop
  -cppreopt_prop
  -dalvik_prop
  -debuggerd_prop
  -debug_prop
  -dhcp_prop
  -dumpstate_prop
  -fingerprint_prop
  -logd_prop
  -net_radio_prop
  -nfc_prop
  -ota_prop
  -pan_result_prop
  -persist_debug_prop
  -powerctl_prop
  -radio_prop
  -restorecon_prop
  -shell_prop
  -system_prop
  -usb_prop
  -vold_prop
}:file no_rw_file_perms;

# sigstop property is only used for debugging; should only be set by su which is permissive
# for userdebug/eng
# NOTE(review): su is not subtracted in the rule itself, only init and
# vendor_init are; presumably su needs no allow rule because the domain is
# permissive. Confirm.
neverallow {
  domain
  -init
  -vendor_init
} ctl_sigstop_prop:property_service set;

# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
# dontaudit changes logging only: a denied set on these types stays denied but
# leaves no audit record, so do not expect these types in denial logs.
dontaudit domain {
  ctl_bootanim_prop
  ctl_bugreport_prop
  ctl_console_prop
  ctl_default_prop
  ctl_dumpstate_prop
  ctl_fuse_prop
  ctl_mdnsd_prop
  ctl_rildaemon_prop
}:property_service set;

# Only init and extra_free_kbytes may be granted permission to set
# init_storage_prop.
neverallow {
  domain
  -init
  -extra_free_kbytes
} init_storage_prop:property_service set;

# Only init may be granted permission to set init_svc_debug_prop.
neverallow {
  domain
  -init
} init_svc_debug_prop:property_service set;

# Reading or writing the init_svc_debug_prop file is limited to init and
# dumpstate. userdebug_or_eng(...) is a build-conditional macro defined
# elsewhere, so the su exemption is presumably present only on userdebug and
# eng builds.
neverallow {
  domain
  -init
  -dumpstate
  userdebug_or_eng(`-su')
} init_svc_debug_prop:file no_rw_file_perms;

# DO NOT ADD: compat risk
# NOTE(review): the warning above does not say what must not be added;
# presumably it refers to further exemptions in the two misctrl_prop rules
# below. Confirm with the policy owners.
neverallow {
  domain
  -init
  -dumpstate
  -misctrl
  userdebug_or_eng(`-su')
} misctrl_prop:file no_rw_file_perms;
neverallow {
  domain
  -init
  -misctrl
  userdebug_or_eng(`-su')
} misctrl_prop:property_service set;

# NOTE(review): compatible_property_only is an m4 macro defined elsewhere;
# presumably its argument is emitted only on builds that use the compatible
# property policy. Confirm before assuming these assertions are active.
# Comments inside the quoted macro argument must not contain quote characters:
# m4 does not recognize comments while collecting a quoted string.
compatible_property_only(`
# Prevent properties from being set
  # Baseline: outside coredomain, appdomain and vendor_init, no domain may set
  # the property types listed here. nfc_prop, powerctl_prop and radio_prop are
  # carved out; nfc_prop and radio_prop get their own rules below, while no
  # dedicated set rule for powerctl_prop appears in this part of the file.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    extended_core_property_type
    exported_config_prop
    exported_default_prop
    exported_dumpstate_prop
    exported_system_prop
    exported3_system_prop
    usb_control_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:property_service set;

  # nfc_prop: hal_nfc_server is exempt, vendor_init is not.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:property_service set;

  # radio_control_prop: hal_telephony_server and vendor_init are exempt.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
    -vendor_init
  } {
    radio_control_prop
  }:property_service set;

  # radio_prop: hal_telephony_server is exempt, vendor_init is not.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:property_service set;

  # bluetooth_prop: exempt are coredomain, bluetooth and hal_bluetooth_server;
  # appdomain is not subtracted here.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:property_service set;

  # exported_bluetooth_prop: same exemptions as bluetooth_prop plus vendor_init.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
    -vendor_init
  } {
    exported_bluetooth_prop
  }:property_service set;

  # exported_camera_prop: exempt are coredomain, hal_camera_server,
  # cameraserver and vendor_init.
  neverallow {
    domain
    -coredomain
    -hal_camera_server
    -cameraserver
    -vendor_init
  } {
    exported_camera_prop
  }:property_service set;

  # wifi_prop: exempt are coredomain, hal_wifi_server and wificond.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:property_service set;

  # wifi_hal_prop: coredomain as a whole is not exempt here, only init and
  # dumpstate, next to hal_wifi_server, wificond and vendor_init.
  # NOTE(review): dumpstate is exempt from this set rule; confirm it needs to
  # set wifi_hal_prop rather than only read it.
  neverallow {
    domain
    -init
    -dumpstate
    -hal_wifi_server
    -wificond
    -vendor_init
  } {
    wifi_hal_prop
  }:property_service set;

# Prevent properties from being read
  # Baseline read rule with the same exempt domains as the baseline set rule.
  # debug_prop and logd_prop are carved out in addition to nfc_prop,
  # powerctl_prop and radio_prop.
  neverallow {
    domain
    -coredomain
    -appdomain
    -vendor_init
  } {
    core_property_type
    dalvik_config_prop_type
    extended_core_property_type
    exported3_system_prop
    systemsound_config_prop
    -debug_prop
    -logd_prop
    -nfc_prop
    -powerctl_prop
    -radio_prop
  }:file no_rw_file_perms;

  # nfc_prop file access: hal_nfc_server is exempt.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_nfc_server
  } {
    nfc_prop
  }:file no_rw_file_perms;

  # radio_prop file access: hal_telephony_server is exempt.
  neverallow {
    domain
    -coredomain
    -appdomain
    -hal_telephony_server
  } {
    radio_prop
  }:file no_rw_file_perms;

  # bluetooth_prop file access: bluetooth and hal_bluetooth_server are exempt.
  neverallow {
    domain
    -coredomain
    -bluetooth
    -hal_bluetooth_server
  } {
    bluetooth_prop
  }:file no_rw_file_perms;

  # wifi_prop file access: hal_wifi_server and wificond are exempt.
  neverallow {
    domain
    -coredomain
    -hal_wifi_server
    -wificond
  } {
    wifi_prop
  }:file no_rw_file_perms;

  # The remaining rules in this macro cover the suspend properties and mix set
  # and read restrictions, although they sit under the read heading.
  # suspend_prop: only coredomain and vendor_init may be granted set.
  neverallow {
    domain
    -coredomain
    -vendor_init
  } {
    suspend_prop
  }:property_service set;

  # suspend_debug_prop: only init may be granted set.
  neverallow {
    domain
    -init
  } {
    suspend_debug_prop
  }:property_service set;

  # suspend_debug_prop file access: init and dumpstate are exempt, plus
  # system_suspend on builds where the build-conditional exemption is emitted.
  neverallow {
    domain
    -init
    -dumpstate
    userdebug_or_eng(`-system_suspend')
  } {
    suspend_debug_prop
  }:file no_rw_file_perms;
')

# Silence audit records for system_suspend reads of suspend_debug_prop.
# NOTE(review): presumably this covers builds where system_suspend is not
# exempted by the rule above, so its denied reads do not fill the audit log;
# the reads themselves stay denied unless an allow rule exists.
dontaudit system_suspend suspend_debug_prop:file r_file_perms;

compatible_property_only(`
  # Neverallow coredomain to set vendor properties
  # The target set is every property type that is neither system_property_type
  # nor extended_core_property_type.
  # NOTE(review): system_writes_vendor_properties_violators reads like an
  # attribute for known exceptions; confirm who carries it and keep that list
  # short, since every member bypasses this assertion.
  neverallow {
    coredomain
    -init
    -system_writes_vendor_properties_violators
  } {
    property_type
    -system_property_type
    -extended_core_property_type
  }:property_service set;
')

# Only coredomain and vendor_init may be granted read or write access to the
# ffs_config_prop and ffs_control_prop files.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  ffs_config_prop
  ffs_control_prop
}:file no_rw_file_perms;

# Only init and system_server may be granted permission to set
# userspace_reboot_log_prop.
neverallow {
  domain
  -init
  -system_server
} {
  userspace_reboot_log_prop
}:property_service set;

neverallow {
  # Only allow init and system_server to set system_adbd_prop
  domain
  -init
  -system_server
} {
  system_adbd_prop
}:property_service set;

# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
# adbd_config_prop: only init, vendor_init, adbd and system_server may be
# granted permission to set it. The file comment ahead of this rule ties the
# type to service.adb.tcp.port, which governs adb over TCP, so widening this
# list widens who can expose adb on the network.
neverallow {
  domain
  -init
  -vendor_init
  -adbd
  -system_server
} {
  adbd_config_prop
}:property_service set;

neverallow {
  # Only allow init and adbd to set adbd_prop
  domain
  -init
  -adbd
} {
  adbd_prop
}:property_service set;

neverallow {
  # Only allow init to set apexd_payload_metadata_prop
  domain
  -init
} {
  apexd_payload_metadata_prop
}:property_service set;


neverallow {
  # Only allow init and shell to set userspace_reboot_test_prop
  # The shell exemption means policy may make this settable from adb shell.
  domain
  -init
  -shell
} {
  userspace_reboot_test_prop
}:property_service set;

# surfaceflinger_color_prop: only init, system_server and vendor_init may be
# granted permission to set it.
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} {
  surfaceflinger_color_prop
}:property_service set;

# libc_debug_prop: only init may be granted permission to set it.
neverallow {
  domain
  -init
} {
  libc_debug_prop
}:property_service set;

# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
# shell access can control the settings on their device. Allow system apps to
# set MTE props, so Developer Options can set them.
# arm64_memtag_prop and gwp_asan_prop share one exemption list, so shell,
# system_app, system_server and mtectrl are exempt for both types, not only
# for the MTE one. An exemption here grants nothing: a matching allow rule is
# still required. These types control memory-safety settings, so keep the
# list of exempt domains short.
neverallow {
  domain
  -init
  -shell
  -system_app
  -system_server
  -mtectrl
} {
  arm64_memtag_prop
  gwp_asan_prop
}:property_service set;

# zram_control_prop: only init, system_server and vendor_init may be granted
# permission to set it.
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} zram_control_prop:property_service set;

# dalvik_runtime_prop: same exemption list as zram_control_prop.
neverallow {
  domain
  -init
  -system_server
  -vendor_init
} dalvik_runtime_prop:property_service set;

# usb_config_prop and usb_control_prop: only coredomain and vendor_init may be
# granted permission to set them.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  usb_config_prop
  usb_control_prop
}:property_service set;
# Writers: only init and system_server may ever be allowed to set the
# provisioning and retail-demo properties.
neverallow {
  domain
  -init
  -system_server
} {
  provisioned_prop
  retaildemo_prop
}:property_service set;

# Readers: no_rw_file_perms covers read as well as write access to the
# property file, so outside coredomain only vendor_init may read these values.
neverallow {
  domain
  -coredomain
  -vendor_init
} {
  provisioned_prop
  retaildemo_prop
}:file no_rw_file_perms;

# Only init may set the service-status properties.
# NOTE(review): presumably this keeps other domains from misreporting service
# state to anything that trusts these values -- confirm.
neverallow {
  domain
  -init
} {
  init_service_status_private_prop
  init_service_status_prop
}:property_service set;

# -appdomain exempts every app domain from this assertion; which apps can
# actually set the property is decided by allow rules not shown here.
# vendor_init is exempt only where not_compatible_property() expands its
# argument (presumably devices without compatible-property enforcement --
# confirm against te_macros).
neverallow {
  domain
  -init
  -radio
  -appdomain
  -hal_telephony_server
  not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;

# Each rule below is a build-time assertion and grants nothing: the policy
# fails to compile if an allow rule gives the listed permission to a domain
# that is not subtracted from `domain`.

# Settable only by init and vendor_init.
neverallow {
  domain
  -init
  -vendor_init
} {
  graphics_config_prop
}:property_service set;

# Settable only by init and surfaceflinger.
neverallow {
  domain
  -init
  -surfaceflinger
} {
  surfaceflinger_display_prop
}:property_service set;

# Read/write access to the property file is limited to coredomain, app
# domains and vendor_init.
neverallow {
  domain
  -coredomain
  -appdomain
  -vendor_init
} packagemanager_config_prop:file no_rw_file_perms;

# Read/write access limited to coredomain and vendor_init.
neverallow {
  domain
  -coredomain
  -vendor_init
} keyguard_config_prop:file no_rw_file_perms;

# Settable only by init.
neverallow {
  domain
  -init
} {
  localization_prop
}:property_service set;

# Only init, vendor_init, dumpstate and system_app may read or write this
# property file. coredomain as a whole is not exempt here, unlike the
# neighbouring *_config_prop rules.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_app
} oem_unlock_prop:file no_rw_file_perms;

# Read/write access limited to coredomain and vendor_init.
neverallow {
  domain
  -coredomain
  -vendor_init
} storagemanager_config_prop:file no_rw_file_perms;

# Read/write access limited to init, vendor_init, dumpstate and app domains.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} sendbug_config_prop:file no_rw_file_perms;

# Same exemption list as sendbug_config_prop.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -appdomain
} camera_calibration_prop:file no_rw_file_perms;

# vendor_init is exempt only where not_compatible_property() expands its
# argument (presumably devices without compatible-property enforcement --
# confirm against te_macros).
neverallow {
  domain
  -init
  -dumpstate
  -hal_dumpstate_server
  not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;

# The four profiling/tracing domains are subtracted only inside
# userdebug_or_eng(), so on other build variants init is the sole domain that
# may ever be allowed to set this property.
# NOTE(review): the name suggests the property relaxes kernel-pointer
# restrictions; if so, the user-build restriction is the security-relevant
# part of this rule -- confirm.
neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
  userdebug_or_eng(`-simpleperf_boot')
  userdebug_or_eng(`-traced_probes')
  userdebug_or_eng(`-traced_perf')
} {
  lower_kptr_restrict_prop
}:property_service set;

# Settable only by init.
neverallow {
  domain
  -init
} zygote_wrap_prop:property_service set;

# Settable only by init.
# NOTE(review): presumably reports verified-boot state, in which case
# init-only write access keeps other domains from misreporting it -- confirm.
neverallow {
  domain
  -init
} verity_status_prop:property_service set;

# Settable only by init and vendor_init.
neverallow {
  domain
  -init
  -vendor_init
} setupwizard_mode_prop:property_service set;

# Settable only by init (build-time assertion; grants nothing).
neverallow {
  domain
  -init
} setupwizard_prop:property_service set;

# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
# dumpstate is also exempted by the rule below, in addition to the two domains
# named above (presumably so bug reports can include the value -- confirm).
neverallow {
  domain
  -init
  -dumpstate
  -vendor_init
} build_config_prop:file no_rw_file_perms;

# Settable only by init and shell.
neverallow {
  domain
  -init
  -shell
} sqlite_log_prop:property_service set;

# Read/write access to the property file limited to coredomain and app domains.
neverallow {
  domain
  -coredomain
  -appdomain
} sqlite_log_prop:file no_rw_file_perms;

# Settable only by init.
# NOTE(review): default_prop is presumably the label given to properties that
# have no more specific context; if so, this keeps unlabeled properties from
# being settable by anything but init -- confirm.
neverallow {
  domain
  -init
} default_prop:property_service set;

# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
# The rule has no exemptions and uses `*`, so every permission in both the
# file and property_service classes is forbidden for every domain.
neverallow domain system_and_vendor_property_type:{file property_service} *;

# Settable only by init, shell and rkpdapp.
neverallow {
  domain
  -init
  -shell
  -rkpdapp
} remote_prov_prop:property_service set;

neverallow {
  # Only allow init and shell to set rollback_test_prop
  domain
  -init
  -shell
} rollback_test_prop:property_service set;

# Settable only by init and apexd.
neverallow {
  domain
  -init
  -apexd
} ctl_apex_load_prop:property_service set;

# Read/write access to the property file limited to coredomain, init,
# dumpstate and apexd.
# NOTE(review): if init, dumpstate and apexd already carry the coredomain
# attribute, their explicit subtractions are redundant but harmless -- confirm.
neverallow {
  domain
  -coredomain
  -init
  -dumpstate
  -apexd
} ctl_apex_load_prop:file no_rw_file_perms;


# Settable only by init and apexd (build-time assertion; grants nothing).
neverallow {
  domain
  -init
  -apexd
} apex_ready_prop:property_service set;

# Read/write access to the property file limited to coredomain, dumpstate,
# apexd and vendor_init.
neverallow {
  domain
  -coredomain
  -dumpstate
  -apexd
  -vendor_init
} apex_ready_prop:file no_rw_file_perms;

# Unlike the surrounding :file rules this one uses r_file_perms, so this rule
# asserts on read access only.
# NOTE(review): write access is presumably constrained by a separate rule not
# shown here -- confirm.
neverallow {
  # Only allow init and profcollectd to access profcollectd_node_id_prop
  # (dumpstate is exempted below as well)
  domain
  -init
  -dumpstate
  -profcollectd
} profcollectd_node_id_prop:file r_file_perms;

# Settable only by init.
neverallow {
  domain
  -init
} log_file_logger_prop:property_service set;

# Settable only by init and vendor_init.
neverallow {
  domain
  -init
  -vendor_init
} usb_uvc_enabled_prop:property_service set;

# Disallow non system apps from reading ro.usb.uvc.enabled
# The source set is appdomain rather than domain, so only app domains are
# constrained here. device_as_webcam is exempted alongside system_app, and
# no_rw_file_perms forbids write as well as read access.
neverallow {
  appdomain
  -system_app
  -device_as_webcam
} usb_uvc_enabled_prop:file no_rw_file_perms;

# Settable only by init and vendor_init (build-time assertion; grants nothing).
neverallow {
  domain
  -init
  -vendor_init
} pm_archiving_enabled_prop:property_service set;
