From cdb1624c27e51ee85b6a4ea6ebd529bd0e07648f Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Tue, 1 May 2018 15:15:16 -0700
Subject: [PATCH] neverallow coredomain from writing vendor properties

System properties can be abused to get around Treble requirements of having a clean system/vendor split. This CL seeks to prevent that by neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677
---
 prebuilts/api/28.0/public/attributes | 6 ++
 prebuilts/api/28.0/public/property.te | 93 +++++++++++++++++++++++++++
 public/attributes | 6 ++
 public/property.te | 93 +++++++++++++++++++++++++++
 4 files changed, 198 insertions(+)

diff --git a/prebuilts/api/28.0/public/attributes b/prebuilts/api/28.0/public/attributes
index 7a0c07a72..6a66c031a 100644
--- a/prebuilts/api/28.0/public/attributes
+++ b/prebuilts/api/28.0/public/attributes
@@ -166,6 +166,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary. It is a temporary allowance to aid the
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index de8e4bec9..c31210c0b 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -279,3 +279,96 @@ compatible_property_only(`
 wifi_prop
 }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_mdnsd_prop
+ -ctl_rildaemon_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
diff --git a/public/attributes b/public/attributes
index 7a0c07a72..6a66c031a 100644
--- a/public/attributes
+++ b/public/attributes
@@ -166,6 +166,12 @@ expandattribute data_between_core_and_vendor_violators false;
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary. It is a temporary allowance to aid the
diff --git a/public/property.te b/public/property.te
index de8e4bec9..c31210c0b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -279,3 +279,96 @@ compatible_property_only(`
 wifi_prop
 }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_mdnsd_prop
+ -ctl_rildaemon_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
-- 
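Review bot: `-vendor_default_prop` and `-vendor_security_patch_level_prop` are carved out of the target set of the new neverallow, so this rule on its own still lets a coredomain other than init set default-labelled `vendor.*` properties, which is exactly the case the commit message says it wants to close; if another rule elsewhere already forbids that, the comment should point to it, otherwise those two exclusions look contrary to the stated goal and should be dropped. Because the target is `property_type` minus an explicit allowlist, any platform property type added later without an entry here will trip this neverallow at policy compile time — fail-closed, which is good, but worth saying so that authors extend the list instead of reaching for `system_writes_vendor_properties_violators`. The one-line comment `# Neverallow coredomain to set vendor properties` undersells this; suggested replacement: `# Coredomain may only set the platform property types listed below; any other type (notably vendor-defined ones) is rejected at build time. Extend this list for new platform types rather than adding a domain to the violators attribute.` The rule sits inside `compatible_property_only`, so it appears to be skipped entirely on devices that do not enable compatible properties — that caveat belongs in the comment too.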