1 # 2 # System Server aka system_server spawned by zygote. 3 # Most of the framework services run in this process. 4 # 5 type system_server, domain, mlstrustedsubject; 6 7 # Define a type for tmpfs-backed ashmem regions. 8 tmpfs_domain(system_server) 9 10 # Dalvik Compiler JIT Mapping. 11 allow system_server self:process execmem; 12 allow system_server ashmem_device:chr_file execute; 13 allow system_server system_server_tmpfs:file execute; 14 15 # For art. 16 allow system_server dalvikcache_data_file:file execute; 17 allow system_server dalvikcache_data_file:dir r_dir_perms; 18 19 # /data/resource-cache 20 allow system_server resourcecache_data_file:file r_file_perms; 21 allow system_server resourcecache_data_file:dir r_dir_perms; 22 23 # ptrace to processes in the same domain for debugging crashes. 24 allow system_server self:process ptrace; 25 26 # Child of the zygote. 27 allow system_server zygote:fd use; 28 allow system_server zygote:process sigchld; 29 allow system_server zygote_tmpfs:file read; 30 31 # May kill zygote on crashes. 32 allow system_server zygote:process sigkill; 33 34 # Read /system/bin/app_process. 35 allow system_server zygote_exec:file r_file_perms; 36 37 # Needed to close the zygote socket, which involves getopt / getattr 38 allow system_server zygote:unix_stream_socket { getopt getattr }; 39 40 # system server gets network and bluetooth permissions. 41 net_domain(system_server) 42 bluetooth_domain(system_server) 43 44 # These are the capabilities assigned by the zygote to the 45 # system server. 46 allow system_server self:capability { 47 kill 48 net_admin 49 net_bind_service 50 net_broadcast 51 net_raw 52 sys_boot 53 sys_nice 54 sys_resource 55 sys_time 56 sys_tty_config 57 }; 58 59 wakelock_use(system_server) 60 61 # Triggered by /proc/pid accesses, not allowed. 62 dontaudit system_server self:capability sys_ptrace; 63 64 # Trigger module auto-load. 65 allow system_server kernel:system module_request; 66 67 # Use netlink uevent sockets. 68 allow system_server self:netlink_kobject_uevent_socket create_socket_perms; 69 70 # Use generic netlink sockets. 71 allow system_server self:netlink_socket create_socket_perms; 72 73 # Set and get routes directly via netlink. 74 allow system_server self:netlink_route_socket nlmsg_write; 75 76 # Kill apps. 77 allow system_server appdomain:process { sigkill signal }; 78 79 # Set scheduling info for apps. 80 allow system_server appdomain:process { getsched setsched }; 81 allow system_server mediaserver:process { getsched setsched }; 82 83 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker 84 # within system_server to keep track of memory and CPU usage for 85 # all processes on the device. 86 r_dir_file(system_server, domain) 87 88 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. 89 allow system_server qtaguid_proc:file rw_file_perms; 90 allow system_server qtaguid_device:chr_file rw_file_perms; 91 92 # Read /proc/uid_cputime/show_uid_stat. 93 allow system_server proc_uid_cputime_showstat:file r_file_perms; 94 95 # Write /proc/uid_cputime/remove_uid_range. 96 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 97 98 # Write to /proc/sysrq-trigger. 99 allow system_server proc_sysrq:file rw_file_perms; 100 101 # Read /sys/kernel/debug/wakeup_sources. 102 allow system_server debugfs:file r_file_perms; 103 104 # WifiWatchdog uses a packet_socket 105 allow system_server self:packet_socket create_socket_perms; 106 107 # 3rd party VPN clients require a tun_socket to be created 108 allow system_server self:tun_socket create_socket_perms; 109 110 # Notify init of death. 111 allow system_server init:process sigchld; 112 113 # Talk to init and various daemons via sockets. 114 unix_socket_connect(system_server, installd, installd) 115 unix_socket_connect(system_server, lmkd, lmkd) 116 unix_socket_connect(system_server, mtpd, mtp) 117 unix_socket_connect(system_server, netd, netd) 118 unix_socket_connect(system_server, vold, vold) 119 unix_socket_connect(system_server, zygote, zygote) 120 unix_socket_connect(system_server, gps, gpsd) 121 unix_socket_connect(system_server, racoon, racoon) 122 unix_socket_send(system_server, wpa, wpa) 123 124 # Communicate over a socket created by surfaceflinger. 125 allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 126 127 # Perform Binder IPC. 128 binder_use(system_server) 129 binder_call(system_server, binderservicedomain) 130 binder_call(system_server, gatekeeperd) 131 binder_call(system_server, fingerprintd) 132 binder_call(system_server, appdomain) 133 binder_call(system_server, dumpstate) 134 binder_service(system_server) 135 136 # Ask debuggerd to dump backtraces for native stacks of interest. 137 allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; 138 139 # Read /proc/pid files for dumping stack traces of native processes. 140 r_dir_file(system_server, mediaserver) 141 r_dir_file(system_server, sdcardd) 142 r_dir_file(system_server, surfaceflinger) 143 r_dir_file(system_server, inputflinger) 144 145 # Use sockets received over binder from various services. 146 allow system_server mediaserver:tcp_socket rw_socket_perms; 147 allow system_server mediaserver:udp_socket rw_socket_perms; 148 149 # Check SELinux permissions. 150 selinux_check_access(system_server) 151 152 # XXX Label sysfs files with a specific type? 153 allow system_server sysfs:file rw_file_perms; 154 allow system_server sysfs_nfc_power_writable:file rw_file_perms; 155 allow system_server sysfs_devices_system_cpu:file w_file_perms; 156 157 # Access devices. 158 allow system_server device:dir r_dir_perms; 159 allow system_server mdns_socket:sock_file rw_file_perms; 160 allow system_server alarm_device:chr_file rw_file_perms; 161 allow system_server gpu_device:chr_file rw_file_perms; 162 allow system_server iio_device:chr_file rw_file_perms; 163 allow system_server input_device:dir r_dir_perms; 164 allow system_server input_device:chr_file rw_file_perms; 165 allow system_server radio_device:chr_file r_file_perms; 166 allow system_server tty_device:chr_file rw_file_perms; 167 allow system_server usbaccessory_device:chr_file rw_file_perms; 168 allow system_server video_device:dir r_dir_perms; 169 allow system_server video_device:chr_file rw_file_perms; 170 allow system_server adbd_socket:sock_file rw_file_perms; 171 allow system_server rtc_device:chr_file rw_file_perms; 172 allow system_server audio_device:dir r_dir_perms; 173 174 # write access needed for MIDI 175 allow system_server audio_device:chr_file rw_file_perms; 176 177 # tun device used for 3rd party vpn apps 178 allow system_server tun_device:chr_file rw_file_perms; 179 180 # Manage system data files. 181 allow system_server system_data_file:dir create_dir_perms; 182 allow system_server system_data_file:notdevfile_class_set create_file_perms; 183 allow system_server keychain_data_file:dir create_dir_perms; 184 allow system_server keychain_data_file:file create_file_perms; 185 186 # Manage /data/app. 187 allow system_server apk_data_file:dir create_dir_perms; 188 allow system_server apk_data_file:file { create_file_perms link }; 189 allow system_server apk_tmp_file:dir create_dir_perms; 190 allow system_server apk_tmp_file:file create_file_perms; 191 192 # Manage /data/app-private. 193 allow system_server apk_private_data_file:dir create_dir_perms; 194 allow system_server apk_private_data_file:file create_file_perms; 195 allow system_server apk_private_tmp_file:dir create_dir_perms; 196 allow system_server apk_private_tmp_file:file create_file_perms; 197 198 # Manage files within asec containers. 199 allow system_server asec_apk_file:dir create_dir_perms; 200 allow system_server asec_apk_file:file create_file_perms; 201 allow system_server asec_public_file:file create_file_perms; 202 203 # Manage /data/anr. 204 allow system_server anr_data_file:dir create_dir_perms; 205 allow system_server anr_data_file:file create_file_perms; 206 207 # Manage /data/backup. 208 allow system_server backup_data_file:dir create_dir_perms; 209 allow system_server backup_data_file:file create_file_perms; 210 211 # Read from /data/dalvik-cache/profiles 212 allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms; 213 allow system_server dalvikcache_profiles_data_file:file create_file_perms; 214 215 # Write to /data/system/heapdump 216 allow system_server heapdump_data_file:dir rw_dir_perms; 217 allow system_server heapdump_data_file:file create_file_perms; 218 219 # Manage /data/misc/adb. 220 allow system_server adb_keys_file:dir create_dir_perms; 221 allow system_server adb_keys_file:file create_file_perms; 222 223 # Manage /data/misc/sms. 224 # TODO: Split into a separate type? 225 allow system_server radio_data_file:dir create_dir_perms; 226 allow system_server radio_data_file:file create_file_perms; 227 228 # Manage /data/misc/systemkeys. 229 allow system_server systemkeys_data_file:dir create_dir_perms; 230 allow system_server systemkeys_data_file:file create_file_perms; 231 232 # Access /data/tombstones. 233 allow system_server tombstone_data_file:dir r_dir_perms; 234 allow system_server tombstone_data_file:file r_file_perms; 235 236 # Manage /data/misc/vpn. 237 allow system_server vpn_data_file:dir create_dir_perms; 238 allow system_server vpn_data_file:file create_file_perms; 239 240 # Manage /data/misc/wifi. 241 allow system_server wifi_data_file:dir create_dir_perms; 242 allow system_server wifi_data_file:file create_file_perms; 243 244 # Manage /data/misc/zoneinfo. 245 allow system_server zoneinfo_data_file:dir create_dir_perms; 246 allow system_server zoneinfo_data_file:file create_file_perms; 247 248 # Walk /data/data subdirectories. 249 # Types extracted from seapp_contexts type= fields. 250 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; 251 # Also permit for unlabeled /data/data subdirectories and 252 # for unlabeled asec containers on upgrades from 4.2. 253 allow system_server unlabeled:dir r_dir_perms; 254 # Read pkg.apk file before it has been relabeled by vold. 255 allow system_server unlabeled:file r_file_perms; 256 257 # Populate com.android.providers.settings/databases/settings.db. 258 allow system_server system_app_data_file:dir create_dir_perms; 259 allow system_server system_app_data_file:file create_file_perms; 260 261 # Receive and use open app data files passed over binder IPC. 262 # Types extracted from seapp_contexts type= fields. 263 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write }; 264 265 # Receive and use open /data/media files passed over binder IPC. 266 allow system_server media_rw_data_file:file { getattr read write }; 267 268 # Read /file_contexts and /data/security/file_contexts 269 security_access_policy(system_server) 270 271 # Relabel apk files. 272 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 273 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 274 275 # Relabel wallpaper. 276 allow system_server system_data_file:file relabelfrom; 277 allow system_server wallpaper_file:file relabelto; 278 allow system_server wallpaper_file:file { rw_file_perms unlink }; 279 280 # Relabel /data/anr. 281 allow system_server system_data_file:dir relabelfrom; 282 allow system_server anr_data_file:dir relabelto; 283 284 # Property Service write 285 set_prop(system_server, system_prop) 286 set_prop(system_server, dhcp_prop) 287 set_prop(system_server, net_radio_prop) 288 set_prop(system_server, system_radio_prop) 289 set_prop(system_server, debug_prop) 290 set_prop(system_server, powerctl_prop) 291 set_prop(system_server, fingerprint_prop) 292 293 # ctl interface 294 set_prop(system_server, ctl_default_prop) 295 set_prop(system_server, ctl_dhcp_pan_prop) 296 set_prop(system_server, ctl_bugreport_prop) 297 298 # Create a socket for receiving info from wpa. 299 type_transition system_server wifi_data_file:sock_file system_wpa_socket; 300 type_transition system_server wpa_socket:sock_file system_wpa_socket; 301 allow system_server wpa_socket:dir rw_dir_perms; 302 allow system_server system_wpa_socket:sock_file create_file_perms; 303 304 # Remove sockets created by wpa_supplicant 305 allow system_server wpa_socket:sock_file unlink; 306 307 # Create a socket for connections from debuggerd. 308 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 309 allow system_server system_ndebug_socket:sock_file create_file_perms; 310 311 # Manage cache files. 312 allow system_server cache_file:dir { relabelfrom create_dir_perms }; 313 allow system_server cache_file:file { relabelfrom create_file_perms }; 314 allow system_server cache_file:fifo_file create_file_perms; 315 316 # Run system programs, e.g. dexopt. 317 allow system_server system_file:file x_file_perms; 318 319 # LocationManager(e.g, GPS) needs to read and write 320 # to uart driver and ctrl proc entry 321 allow system_server gps_device:chr_file rw_file_perms; 322 allow system_server gps_control:file rw_file_perms; 323 324 # Allow system_server to use app-created sockets and pipes. 325 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 326 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 327 328 # Allow abstract socket connection 329 allow system_server rild:unix_stream_socket connectto; 330 331 # BackupManagerService lets PMS create a data backup file 332 allow system_server cache_backup_file:file create_file_perms; 333 # Relabel /data/backup 334 allow system_server backup_data_file:dir { relabelto relabelfrom }; 335 # Relabel /cache/.*\.{data|restore} 336 allow system_server cache_backup_file:file { relabelto relabelfrom }; 337 # LocalTransport creates and relabels /cache/backup 338 allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms }; 339 340 # Allow system to talk to usb device 341 allow system_server usb_device:chr_file rw_file_perms; 342 allow system_server usb_device:dir r_dir_perms; 343 344 # Allow system to talk to sensors 345 allow system_server sensors_device:chr_file rw_file_perms; 346 347 # Read from HW RNG (needed by EntropyMixer). 348 allow system_server hw_random_device:chr_file r_file_perms; 349 350 # Read and delete files under /dev/fscklogs. 351 r_dir_file(system_server, fscklogs) 352 allow system_server fscklogs:dir { write remove_name }; 353 allow system_server fscklogs:file unlink; 354 355 # For SELinuxPolicyInstallReceiver 356 selinux_manage_policy(system_server) 357 358 # logd access, system_server inherit logd write socket 359 # (urge is to deprecate this long term) 360 allow system_server zygote:unix_dgram_socket write; 361 362 # Read from log daemon. 363 read_logd(system_server) 364 365 # Be consistent with DAC permissions. Allow system_server to write to 366 # /sys/module/lowmemorykiller/parameters/adj 367 # /sys/module/lowmemorykiller/parameters/minfree 368 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 369 370 # Read /sys/fs/pstore/console-ramoops 371 # Don't worry about overly broad permissions for now, as there's 372 # only one file in /sys/fs/pstore 373 allow system_server pstorefs:dir r_dir_perms; 374 allow system_server pstorefs:file r_file_perms; 375 376 allow system_server drmserver_service:service_manager find; 377 allow system_server healthd_service:service_manager find; 378 allow system_server keystore_service:service_manager find; 379 allow system_server gatekeeper_service:service_manager find; 380 allow system_server fingerprintd_service:service_manager find; 381 allow system_server mediaserver_service:service_manager find; 382 allow system_server nfc_service:service_manager find; 383 allow system_server radio_service:service_manager find; 384 allow system_server system_server_service:service_manager { add find }; 385 allow system_server surfaceflinger_service:service_manager find; 386 387 allow system_server keystore:keystore_key { 388 get_state 389 get 390 insert 391 delete 392 exist 393 list 394 reset 395 password 396 lock 397 unlock 398 is_empty 399 sign 400 verify 401 grant 402 duplicate 403 clear_uid 404 add_auth 405 user_changed 406 }; 407 408 # Allow system server to search and write to the persistent factory reset 409 # protection partition. This block device does not get wiped in a factory reset. 410 allow system_server block_device:dir search; 411 allow system_server frp_block_device:blk_file rw_file_perms; 412 413 # Clean up old cgroups 414 allow system_server cgroup:dir { remove_name rmdir }; 415 416 # /oem access 417 r_dir_file(system_server, oemfs) 418 419 # Allow resolving per-user storage symlinks 420 allow system_server { mnt_user_file storage_file }:dir { getattr search }; 421 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 422 423 # Allow statfs() on storage devices, which happens fast enough that 424 # we shouldn't be killed during unsafe removal 425 allow system_server sdcard_type:dir { getattr search }; 426 427 # Traverse into expanded storage 428 allow system_server mnt_expand_file:dir r_dir_perms; 429 430 # Allow system process to relabel the fingerprint directory after mkdir 431 allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto}; 432 433 ### 434 ### Neverallow rules 435 ### 436 ### system_server should NEVER do any of this 437 438 # Do not allow opening files from external storage as unsafe ejection 439 # could cause the kernel to kill the system_server. 440 neverallow system_server sdcard_type:dir { open read write }; 441 neverallow system_server sdcard_type:file rw_file_perms; 442 443 # system server should never be opening zygote spawned app data 444 # files directly. Rather, they should always be passed via a 445 # file descriptor. 446 # Types extracted from seapp_contexts type= fields, excluding 447 # those types that system_server needs to open directly. 448 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open; 449 450 # system_server should never be executing dex2oat. This is either 451 # a bug (for example, bug 16317188), or represents an attempt by 452 # system server to dynamically load a dex file, something we do not 453 # want to allow. 454 neverallow system_server dex2oat_exec:file no_x_file_perms; 455 456 # The only block device system_server should be accessing is 457 # the frp_block_device. This helps avoid a system_server to root 458 # escalation by writing to raw block devices. 459 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; 460