#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# This file is the allow-list for that process: every rule below grants a
# specific (type, class, permission) tuple to the system_server domain, and
# the neverallow section at the end records what it must never be granted.
#
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# execmem permits anonymous memory to be mapped writable and executable;
# the two execute rules cover the ashmem/tmpfs backing the JIT code cache.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to self only; no ptrace of other domains is granted here.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
# sys_boot, sys_module and net_admin are the high-impact entries in this
# set; any addition here should be justified by a concrete framework need.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
# dontaudit only silences the denial log; the access is still refused.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
# TODO(review): confirm what still exercises this rule; remove it if nothing does.
allow system_server kernel:process setsched;

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
# Note the target is the generic "domain" attribute, i.e. every process
# type on the device, not only app domains.
r_dir_file(system_server, domain)

# Write to /proc/pid/oom_adj_score for apps.
allow system_server appdomain:file write;

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
# NOTE(review): the rule is keyed on the generic debugfs type, so it covers
# every file carrying that label, not just wakeup_sources; a dedicated type
# would narrow it (same concern as the sysfs XXX below).
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# The first rule grants read/write on everything labeled plain sysfs; the
# two more specific types below show the intended direction.
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read from /data/dalvik-cache/profiles
# (the rules actually grant directory write and file create as well as read).
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
# Directory access only here (getattr/read/search); file access to the same
# types is granted separately below, limited to fds received over binder.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# No open permission is granted, so system_server can use but not open
# these files itself.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;

# ctl interface
# Setting ctl.* properties asks init to start/stop services, so each
# ctl_*_prop type here is a distinct control surface.
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
# The type_transitions label sockets system_server creates in these
# directories as system_wpa_socket, distinct from wpa_supplicant's own.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
# Named type_transition: only a sock_file called "ndebugsocket" gets the
# system_ndebug_socket label.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Specify any arguments to zygote.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:fifo_file { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
# NOTE(review): selinux_manage_policy is a high-privilege macro whose
# expansion lives elsewhere; confirm it grants no more than the receiver needs.
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (the intent is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# Register system_server_service entries with the service manager.
allow system_server system_server_service:service_manager add;

# Keystore operations system_server is permitted to request.
allow system_server keystore:keystore_key {
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
    reset_uid
    sync_uid
    password_uid
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access
r_dir_file(system_server, oemfs)

###
### Neverallow rules
###
### system_server should NEVER do any of this
###
### neverallow rules are assertions checked at policy build time: an allow
### rule anywhere in the policy that matches one of them fails the build.

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
neverallow system_server sdcard_type:file rw_file_perms;