From 5897e23ea19566b8966d3b4b56cbd41f31640ba3 Mon Sep 17 00:00:00 2001
From: Tom Cherry
Date: Tue, 1 May 2018 15:15:16 -0700
Subject: [PATCH] neverallow coredomain from writing vendor properties

System properties can be abused to get around Treble requirements of having a clean system/vendor split. This CL seeks to prevent that by neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
(cherry picked from commit cdb1624c27e51ee85b6a4ea6ebd529bd0e07648f)
---
 public/attributes | 6 +++
 public/property.te | 100 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)

diff --git a/public/attributes b/public/attributes
index 68696a1f5..0ec789c88 100644
--- a/public/attributes
+++ b/public/attributes
@@ -173,6 +173,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary. It is a temporary allowance to aid the
diff --git a/public/property.te b/public/property.te
index f8dfb0484..c9bcb8657 100644
--- a/public/property.te
+++ b/public/property.te
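Review bot: The comment on `system_writes_vendor_properties_violators` says which domains the attribute collects but not that membership is an exemption: in the property.te hunk of this same commit the attribute is subtracted from the neverallow, so any domain later tagged with it is silently allowed to set vendor properties again. Following the pattern of the `# WARNING:` note on the hwservices attribute just below it, I'd add `# WARNING: Domains carrying this attribute are exempt from the neverallow on setting vendor properties in property.te; do not add new domains.` The `expandattribute ... false` line is consistent with the neighbouring violator attributes.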
@@ -307,3 +307,103 @@ compatible_property_only(`
 wifi_prop
 }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
+ -ctl_mdnsd_prop
+ -ctl_restart_prop
+ -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
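Review bot: `-vendor_default_prop` in the exclusion list means coredomain (other than init and the violators attribute) keeps `set` on every property labelled vendor_default_prop, which by name looks like the fallback label for vendor-owned properties; if that is the label `vendor.`-prefixed properties resolve to (not visible in this hunk), the rule misses exactly the properties the commit message says it is locking down. Either drop that line, or put a why-comment next to it so the exemption is clearly deliberate, e.g. `# vendor_default_prop is intentionally still settable by coredomain: <reason>`. Separately, the header comment states the intent but not the mechanism: the rule denies every property_type not subtracted here, so a newly introduced system-owned property type will trip this neverallow at policy compile time until it is appended to the list; I'd extend the comment with `# Any property_type not listed below is treated as vendor-owned; new system property types must be added to this list.`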