
Lines Matching refs:system_server

# NOTE(review): this is a cross-reference listing. Only lines of the policy file that
# mention system_server are shown, each prefixed with its line number in that file.
# Gaps in the numbering are lines not shown, so some comments and rules are cut short.
2 # System Server aka system_server spawned by zygote.
6 typeattribute system_server coredomain;
7 typeattribute system_server domain_deprecated;
# NOTE(review): mlstrustedsubject is the attribute AOSP's MLS constraints usually exempt;
# the constraint file is not part of this listing, so confirm the exemption there.
8 typeattribute system_server mlstrustedsubject;
11 tmpfs_domain(system_server)
# A sock_file named "ndebugsocket" that system_server creates in a system_data_file
# directory is labelled system_ndebug_socket instead of inheriting the directory type.
14 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
16 allow system_server zygote_tmpfs:file read;
19 allow system_server dalvikcache_data_file:dir r_dir_perms;
# Executing dalvik-cache files is granted here; the auditallow on file line 23 makes
# every granted execute appear in the audit log (auditallow logs, it grants nothing).
20 allow system_server dalvikcache_data_file:file { r_file_perms execute };
23 auditallow system_server dalvikcache_data_file:file execute;
27 allow system_server resourcecache_data_file:file r_file_perms;
28 allow system_server resourcecache_data_file:dir r_dir_perms;
# ptrace is granted against system_server itself only; the neverallow on file line 735
# rules out ptrace of any other domain.
31 allow system_server self:process ptrace;
34 allow system_server reboot_data_file:file { rename r_file_perms unlink };
35 allow system_server reboot_data_file:dir { write search open remove_name };
# Zygote relationship: use fds it passes or leaves open, send it SIGCHLD, read the
# zygote binary and query its stream socket. SIGKILL may go to zygote and crash_dump.
38 allow system_server zygote:fd use;
39 allow system_server zygote:process sigchld;
42 allow system_server zygote:process sigkill;
43 allow system_server crash_dump:process sigkill;
46 allow system_server zygote_exec:file r_file_perms;
49 allow system_server zygote:unix_stream_socket { getopt getattr };
# Networking and capabilities. net_domain(), bluetooth_domain() and wakelock_use() are
# macros defined outside this listing; their expansions are not shown.
52 net_domain(system_server)
53 # in addition to ioctls whitelisted for all domains, also allow system_server
# Extended-permission rule: the ioctl commands in priv_sock_ioctls are allowed on
# system_server's own UDP sockets (the comment above is cut short in this listing).
55 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
56 bluetooth_domain(system_server)
# NOTE(review): the capability set opens here but its members (file lines 61 onward) are
# not shown. Check the full file; the neverallow on file line 740 excludes sys_resource.
60 allow system_server self:capability {
74 wakelock_use(system_server)
# module_request: system_server may trigger the kernel's automatic module loading.
77 allow system_server kernel:system module_request;
80 allow system_server self:capability2 wake_alarm;
# Netlink and plain sockets are created with create_socket_perms_no_ioctl, i.e. without
# the ioctl permission. nlmsg_write covers state-changing route netlink messages.
83 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
86 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
87 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
90 allow system_server config_gz:file { read open };
96 allow system_server self:socket create_socket_perms_no_ioctl;
99 allow system_server self:netlink_route_socket nlmsg_write;
# Process control: signals (including SIGKILL) to every app domain, and reading or
# changing the scheduling policy of apps and the listed media/HAL/boot processes.
102 allow system_server appdomain:process { sigkill signal };
105 allow system_server appdomain:process { getsched setsched };
106 allow system_server audioserver:process { getsched setsched };
107 allow system_server hal_audio:process { getsched setsched };
108 allow system_server hal_bluetooth:process { getsched setsched };
109 allow system_server cameraserver:process { getsched setsched };
110 allow system_server hal_camera:process { getsched setsched };
111 allow system_server mediaserver:process { getsched setsched };
112 allow system_server bootanim:process { getsched setsched };
115 # within system_server to keep track of memory and CPU usage for
# NOTE(review): read access to objects labelled with any domain type (presumably the
# /proc/<pid> entries of every process). The comment on file line 115 points at
# memory/CPU accounting, but most of that comment is not shown here.
118 r_dir_file(system_server, domain)
121 allow system_server qtaguid_proc:file rw_file_perms;
122 allow system_server qtaguid_device:chr_file rw_file_perms;
# Per-UID CPU and process-state accounting files: one read-only, two write-only.
125 allow system_server proc_uid_cputime_showstat:file r_file_perms;
128 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
131 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
# NOTE(review): proc_sysrq is read/write. Presumably this labels the procfs sysrq
# trigger (file contexts are not on this page), which makes this a sensitive grant.
134 allow system_server proc_sysrq:file rw_file_perms;
137 allow system_server proc_stat:file r_file_perms;
# NOTE(review): read access to files carrying the generic debugfs label, i.e. whatever
# in debugfs has not been given a narrower type.
140 allow system_server debugfs:file r_file_perms;
# Low-level network access: packet sockets, binding raw IP sockets, and tun sockets.
143 allow system_server self:packet_socket create_socket_perms_no_ioctl;
147 allow system_server node:rawip_socket node_bind;
150 allow system_server self:tun_socket create_socket_perms_no_ioctl;
# IPC surface of system_server. Each entry below is a channel over which system_server
# talks to another domain; the macros are defined outside this listing.
# Unix-domain socket connections to native daemons:
153 unix_socket_connect(system_server, lmkd, lmkd)
154 unix_socket_connect(system_server, mtpd, mtp)
155 unix_socket_connect(system_server, netd, netd)
156 unix_socket_connect(system_server, vold, vold)
157 unix_socket_connect(system_server, webview_zygote, webview_zygote)
158 unix_socket_connect(system_server, zygote, zygote)
159 unix_socket_connect(system_server, racoon, racoon)
160 unix_socket_connect(system_server, uncrypt, uncrypt)
163 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Binder: system_server may call into all app domains, all binderservicedomain members
# and the named daemons, and is itself declared a binder service.
166 binder_use(system_server)
167 binder_call(system_server, appdomain)
168 binder_call(system_server, binderservicedomain)
169 binder_call(system_server, dumpstate)
170 binder_call(system_server, fingerprintd)
171 binder_call(system_server, gatekeeperd)
172 binder_call(system_server, installd)
173 binder_call(system_server, incidentd)
174 binder_call(system_server, netd)
175 binder_call(system_server, wificond)
176 binder_service(system_server)
# HAL clients: system_server is a client of each listed HAL. The two plain allow rules
# only let it look up the OMX and HIDL-token hwservices.
179 hal_client_domain(system_server, hal_allocator)
180 hal_client_domain(system_server, hal_contexthub)
181 hal_client_domain(system_server, hal_fingerprint)
182 hal_client_domain(system_server, hal_gnss)
183 hal_client_domain(system_server, hal_graphics_allocator)
184 hal_client_domain(system_server, hal_ir)
185 hal_client_domain(system_server, hal_light)
186 hal_client_domain(system_server, hal_memtrack)
187 hal_client_domain(system_server, hal_oemlock)
188 allow system_server hal_omx_hwservice:hwservice_manager find;
189 allow system_server hidl_token_hwservice:hwservice_manager find;
190 hal_client_domain(system_server, hal_power)
191 hal_client_domain(system_server, hal_sensors)
192 hal_client_domain(system_server, hal_tetheroffload)
193 hal_client_domain(system_server, hal_thermal)
194 hal_client_domain(system_server, hal_tv_cec)
195 hal_client_domain(system_server, hal_tv_input)
196 hal_client_domain(system_server, hal_usb)
197 hal_client_domain(system_server, hal_vibrator)
198 hal_client_domain(system_server, hal_vr)
199 hal_client_domain(system_server, hal_weaver)
200 hal_client_domain(system_server, hal_wifi)
201 hal_client_domain(system_server, hal_wifi_offload)
202 hal_client_domain(system_server, hal_wifi_supplicant)
204 binder_call(system_server, mediacodec)
207 allow system_server hal_graphics_composer:fd use;
210 allow system_server hal_renderscript_hwservice:hwservice_manager find;
# system_server registers these two framework hwservices itself.
213 add_hwservice(system_server, fwk_scheduler_hwservice)
214 add_hwservice(system_server, fwk_sensor_hwservice)
217 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
220 allow system_server hwservicemanager:hwservice_manager list;
# NOTE(review): a multi-line rule opens here; its target types and permissions
# (file lines 224 onward) are not part of this listing.
223 allow system_server {
# Read/write on TCP/UDP sockets owned by the media processes. There is no create or
# connect permission here, so these apply to sockets those processes already hold.
249 allow system_server audioserver:tcp_socket rw_socket_perms;
250 allow system_server audioserver:udp_socket rw_socket_perms;
251 allow system_server mediaserver:tcp_socket rw_socket_perms;
252 allow system_server mediaserver:udp_socket rw_socket_perms;
255 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
256 allow system_server mediadrmserver:udp_socket rw_socket_perms;
# Read-only access to the SELinux file-context and mac_permissions files.
259 allow system_server file_contexts_file:file r_file_perms;
261 allow system_server mac_perms_file: file r_file_perms;
263 selinux_check_access(system_server)
# NOTE(review): the first rule below is read/write on the generic sysfs label, so any
# sysfs file that has not been given a narrower type is writable by system_server.
# The remaining sysfs rules are scoped to specific types.
266 allow system_server sysfs:file rw_file_perms;
267 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
268 allow system_server sysfs_devices_system_cpu:file w_file_perms;
269 allow system_server sysfs_mac_address:file r_file_perms;
270 allow system_server sysfs_thermal:dir search;
271 allow system_server sysfs_thermal:file r_file_perms;
274 allow system_server sysfs_vibrator:file { write append };
277 allow system_server sysfs_usb:file w_file_perms;
# Device nodes. Character devices are read/write except radio_device (read-only);
# directories are read-only. No blk_file access is granted in this group.
280 allow system_server device:dir r_dir_perms;
281 allow system_server mdns_socket:sock_file rw_file_perms;
282 allow system_server alarm_device:chr_file rw_file_perms;
283 allow system_server gpu_device:chr_file rw_file_perms;
284 allow system_server iio_device:chr_file rw_file_perms;
285 allow system_server input_device:dir r_dir_perms;
286 allow system_server input_device:chr_file rw_file_perms;
287 allow system_server radio_device:chr_file r_file_perms;
288 allow system_server tty_device:chr_file rw_file_perms;
289 allow system_server usbaccessory_device:chr_file rw_file_perms;
290 allow system_server video_device:dir r_dir_perms;
291 allow system_server video_device:chr_file rw_file_perms;
292 allow system_server adbd_socket:sock_file rw_file_perms;
293 allow system_server rtc_device:chr_file rw_file_perms;
294 allow system_server audio_device:dir r_dir_perms;
297 allow system_server audio_device:chr_file rw_file_perms;
300 allow system_server tun_device:chr_file rw_file_perms;
# Data-partition files system_server manages itself. create_dir_perms/create_file_perms
# are the broad "create, modify, delete" sets; narrower sets are called out below.
303 allow system_server system_data_file:dir create_dir_perms;
304 allow system_server system_data_file:notdevfile_class_set create_file_perms;
305 allow system_server keychain_data_file:dir create_dir_perms;
306 allow system_server keychain_data_file:file create_file_perms;
307 allow system_server keychain_data_file:lnk_file create_file_perms;
# Installed and staged APKs, including hard-linking of APK files.
310 allow system_server apk_data_file:dir create_dir_perms;
311 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
312 allow system_server apk_tmp_file:dir create_dir_perms;
313 allow system_server apk_tmp_file:file create_file_perms;
316 r_dir_file(system_server, vendor_app_file)
319 r_dir_file(system_server, vendor_overlay_file)
322 allow system_server apk_private_data_file:dir create_dir_perms;
323 allow system_server apk_private_data_file:file create_file_perms;
324 allow system_server apk_private_tmp_file:dir create_dir_perms;
325 allow system_server apk_private_tmp_file:file create_file_perms;
328 allow system_server asec_apk_file:dir create_dir_perms;
329 allow system_server asec_apk_file:file create_file_perms;
330 allow system_server asec_public_file:file create_file_perms;
333 allow system_server anr_data_file:dir create_dir_perms;
334 allow system_server anr_data_file:file create_file_perms;
338 allow system_server incident_data_file:file read;
341 allow system_server backup_data_file:dir create_dir_perms;
342 allow system_server backup_data_file:file create_file_perms;
345 allow system_server heapdump_data_file:dir rw_dir_perms;
346 allow system_server heapdump_data_file:file create_file_perms;
# Sensitive stores: adb authorization keys, radio data, system keys, VPN and Wi-Fi data
# are all fully writable by system_server.
349 allow system_server adb_keys_file:dir create_dir_perms;
350 allow system_server adb_keys_file:file create_file_perms;
354 allow system_server radio_data_file:dir create_dir_perms;
355 allow system_server radio_data_file:file create_file_perms;
358 allow system_server systemkeys_data_file:dir create_dir_perms;
359 allow system_server systemkeys_data_file:file create_file_perms;
362 allow system_server textclassifier_data_file:dir create_dir_perms;
363 allow system_server textclassifier_data_file:file create_file_perms;
# Tombstones are read-only.
366 allow system_server tombstone_data_file:dir r_dir_perms;
367 allow system_server tombstone_data_file:file r_file_perms;
370 allow system_server vpn_data_file:dir create_dir_perms;
371 allow system_server vpn_data_file:file create_file_perms;
374 allow system_server wifi_data_file:dir create_dir_perms;
375 allow system_server wifi_data_file:file create_file_perms;
378 allow system_server zoneinfo_data_file:dir create_dir_perms;
379 allow system_server zoneinfo_data_file:file create_file_perms;
# App-private data (this rule and file line 396): the permission sets omit `open`, so
# system_server can use files handed to it but cannot open them by path. The neverallow
# on file line 684 asserts this for bluetooth, nfc, shell and app data. It does not
# list system_app_data_file or radio_data_file, which get full create perms on file
# lines 354-355 and 391-392.
383 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# NOTE(review): read access to objects with the `unlabeled` type, i.e. files whose
# stored label is missing or not valid in the loaded policy.
386 allow system_server unlabeled:dir r_dir_perms;
388 allow system_server unlabeled:file r_file_perms;
391 allow system_server system_app_data_file:dir create_dir_perms;
392 allow system_server system_app_data_file:file create_file_perms;
396 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
399 allow system_server media_rw_data_file:dir { search getattr open read };
403 allow system_server media_rw_data_file:file { getattr read write append };
# Relabeling. system_server may change labels among the APK types, and move objects out
# of system_data_file (relabelfrom) into wallpaper, ringtone and icon types (relabelto).
406 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
407 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
410 allow system_server system_data_file:file relabelfrom;
411 allow system_server wallpaper_file:file relabelto;
412 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
415 allow system_server { system_data_file wallpaper_file }:file link;
418 allow system_server system_data_file:dir relabelfrom;
# NOTE(review): the rule starting on file line 419 continues on a line not shown.
419 allow system_server
420 allow system_server shortcut_manager_icons:file create_file_perms;
423 allow system_server ringtone_file:dir { create_dir_perms relabelto };
424 allow system_server ringtone_file:file create_file_perms;
427 allow system_server icon_file:file relabelto;
428 allow system_server icon_file:file { rw_file_perms unlink };
# Same rule as file line 418 (system_data_file:dir relabelfrom); the repeat is redundant.
431 allow system_server system_data_file:dir relabelfrom;
# System properties. set_prop()/get_prop() are macros defined outside this listing;
# by their names they grant write (set) or read (get) access to a property type.
434 set_prop(system_server, system_prop)
435 set_prop(system_server, safemode_prop)
436 set_prop(system_server, dhcp_prop)
437 set_prop(system_server, net_radio_prop)
438 set_prop(system_server, net_dns_prop)
439 set_prop(system_server, system_radio_prop)
440 set_prop(system_server, debug_prop)
# NOTE(review): powerctl_prop presumably covers the property init watches for reboot and
# shutdown requests; the property contexts are not on this page, so confirm there.
441 set_prop(system_server, powerctl_prop)
442 set_prop(system_server, fingerprint_prop)
443 set_prop(system_server, device_logging_prop)
444 set_prop(system_server, dumpstate_options_prop)
445 set_prop(system_server, overlay_prop)
# Granted on userdebug and eng builds only, not on user builds.
446 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# NOTE(review): the ctl_* types presumably label the ctl.* properties used to ask init
# to start or stop services; ctl_default_prop would then be the catch-all. Confirm
# against the property contexts, which are not shown here.
449 set_prop(system_server, ctl_default_prop)
450 set_prop(system_server, ctl_bugreport_prop)
453 set_prop(system_server, cppreopt_prop)
# Read-only property access.
456 get_prop(system_server, boottime_prop)
459 get_prop(system_server, serialno_prop)
461 # Read/write the property which keeps track of whether this is the first start of system_server
462 set_prop(system_server, firstboot_prop)
# The socket file whose label is assigned by the type_transition on file line 14.
465 allow system_server system_ndebug_socket:sock_file create_file_perms;
# Cache partition: full management plus relabelfrom on both cache types.
468 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
469 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
470 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
472 allow system_server system_file:dir r_dir_perms;
473 allow system_server system_file:lnk_file r_file_perms;
477 allow system_server gps_control:file rw_file_perms;
479 # Allow system_server to use app-created sockets and pipes.
# The permission sets below contain no create, connect or open: system_server can only
# operate on sockets and pipes that an app already created.
480 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
481 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
484 allow system_server cache_backup_file:dir rw_dir_perms;
485 allow system_server cache_backup_file:file create_file_perms;
487 allow system_server cache_private_backup_file:dir create_dir_perms;
488 allow system_server cache_private_backup_file:file create_file_perms;
491 allow system_server usb_device:chr_file rw_file_perms;
492 allow system_server usb_device:dir r_dir_perms;
# Hardware RNG device is read-only.
495 allow system_server hw_random_device:chr_file r_file_perms;
# fsck logs can be read, and removed from their directory.
498 r_dir_file(system_server, fscklogs)
499 allow system_server fscklogs:dir { write remove_name };
500 allow system_server fscklogs:file unlink;
502 # logd access, system_server inherit logd write socket
# Write on a datagram socket owned by zygote, matching the inherited logd socket the
# comment above describes.
504 allow system_server zygote:unix_dgram_socket write;
507 read_logd(system_server)
508 read_runtime_log_tags(system_server)
510 # Be consistent with DAC permissions. Allow system_server to write to
513 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
# pstore and zram state are read-only.
518 allow system_server pstorefs:dir r_dir_perms;
519 allow system_server pstorefs:file r_file_perms;
522 allow system_server sysfs_zram:dir search;
523 allow system_server sysfs_zram:file r_file_perms;
# Service manager. system_server registers services of type system_server_service and
# may look up (find) each service type listed below; `find` grants lookup only.
525 add_service(system_server, system_server_service);
526 allow system_server audioserver_service:service_manager find;
527 allow system_server batteryproperties_service:service_manager find;
528 allow system_server cameraserver_service:service_manager find;
529 allow system_server drmserver_service:service_manager find;
530 allow system_server dumpstate_service:service_manager find;
531 allow system_server fingerprintd_service:service_manager find;
532 allow system_server hal_fingerprint_service:service_manager find;
533 allow system_server gatekeeper_service:service_manager find;
534 allow system_server incident_service:service_manager find;
535 allow system_server installd_service:service_manager find;
536 allow system_server keystore_service:service_manager find;
537 allow system_server mediaserver_service:service_manager find;
538 allow system_server mediametrics_service:service_manager find;
539 allow system_server mediaextractor_service:service_manager find;
540 allow system_server mediacodec_service:service_manager find;
541 allow system_server mediadrmserver_service:service_manager find;
542 allow system_server mediacasserver_service:service_manager find;
543 allow system_server netd_service:service_manager find;
544 allow system_server nfc_service:service_manager find;
545 allow system_server radio_service:service_manager find;
546 allow system_server surfaceflinger_service:service_manager find;
547 allow system_server wificond_service:service_manager find;
# NOTE(review): the keystore_key permission list (file lines 550 onward) is not shown.
# It decides which keystore operations system_server may perform; read it in the full file.
549 allow system_server keystore:keystore_key {
# The one block device system_server may read and write; the neverallow on file line
# 721 forbids every other blk_file under dev_type.
572 allow system_server block_device:dir search;
573 allow system_server frp_block_device:blk_file rw_file_perms;
576 allow system_server cgroup:dir { remove_name rmdir };
579 r_dir_file(system_server, oemfs)
# Storage mount points: traversal and symlink reads only. On sdcard_type the grant is
# getattr/search; the neverallow on file line 676 forbids open/read/write on its dirs.
582 allow system_server { mnt_user_file storage_file }:dir { getattr search };
583 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
587 allow system_server sdcard_type:dir { getattr search };
590 allow system_server mnt_expand_file:dir r_dir_perms;
# fingerprintd data: listing, removal and relabelto on directories, but only getattr
# and unlink on files. File contents are not readable through these rules.
594 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
595 allow system_server fingerprintd_data_file:file { getattr unlink };
# Same rule as file line 269 (sysfs_mac_address read); the repeat is redundant.
598 allow system_server sysfs_mac_address:file r_file_perms;
602 allow system_server method_trace_data_file:dir w_dir_perms;
603 allow system_server method_trace_data_file:file { create w_file_perms };
# Read access to the kernel log.
606 allow system_server kernel:system syslog_read;
# FUSE: use of descriptors passed from vold, the fuse device, and app_fuse files.
610 allow system_server vold:fd use;
611 allow system_server fuse_device:chr_file { read write ioctl getattr };
612 allow system_server app_fuse_file:dir rw_dir_perms;
613 allow system_server app_fuse_file:file { read write open getattr append };
616 allow system_server configfs:dir { create_dir_perms };
617 allow system_server configfs:file { getattr open unlink write };
# Direct stream-socket connection to adbd, plus use of descriptors it passes.
621 allow system_server adbd:unix_stream_socket connectto;
622 allow system_server adbd:fd use;
623 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# NOTE(review): toolbox may be read and executed. No domain transition for it is visible
# here, and file line 699 forbids transitions except to crash_dump, so it would run in
# the system_server domain.
626 allow system_server toolbox_exec:file rx_file_perms;
631 binder_call(system_server, postinstall)
633 allow system_server postinstall:fifo_file write;
634 allow system_server update_engine:fd use;
635 allow system_server update_engine:fifo_file write;
638 allow system_server preloads_data_file:file { r_file_perms unlink };
639 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
640 allow system_server preloads_media_file:file { r_file_perms unlink };
641 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
643 r_dir_file(system_server, cgroup)
644 allow system_server ion_device:chr_file r_file_perms;
# Broad read grants: generic proc, rootfs, and the sysfs_type attribute (every type
# carrying that attribute).
646 r_dir_file(system_server, proc)
647 r_dir_file(system_server, proc_meminfo)
648 r_dir_file(system_server, proc_net)
649 r_dir_file(system_server, rootfs)
650 r_dir_file(system_server, sysfs_type)
652 ### Rules needed when Light HAL runs inside system_server process.
654 allow system_server sysfs_leds:lnk_file read;
655 allow system_server sysfs_leds:file rw_file_perms;
656 allow system_server sysfs_leds:dir r_dir_perms;
660 allow system_server debugfs_tracing_instances:dir search;
661 allow system_server debugfs_wifi_tracing:file rw_file_perms;
663 # allow system_server to exec shell on ASAN builds. Needed to run
# NOTE(review): the comment limits this to ASAN builds, but any build conditional
# wrapping the rule would be on lines not shown. Verify in the full file that shell
# execution is not granted on production builds.
666 allow system_server shell_exec:file rx_file_perms;
# neverallow rules are assertions checked when the policy is compiled: a build that
# contains a conflicting allow rule fails. They add no runtime permissions or denials.
672 ### system_server should NEVER do any of this
675 # could cause the kernel to kill the system_server.
# No direct directory listing or file I/O on external storage types.
676 neverallow system_server sdcard_type:dir { open read write };
677 neverallow system_server sdcard_type:file rw_file_perms;
683 # those types that system_server needs to open directly.
# App-private files of these four types may never be opened, created, unlinked or
# linked by system_server; access has to arrive as an already-open descriptor.
684 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
# NOTE(review): this assertion's type set and permissions are on lines not shown.
690 neverallow system_server {
697 # Ensure that system_server doesn't perform any domain transitions other than
# The only exec-time transition permitted is into crash_dump; dyntransition is
# forbidden for every target.
699 neverallow system_server { domain -crash_dump }:process transition;
700 neverallow system_server *:process dyntransition;
# Only init, system_server and crash_dump may open or write the ndebug socket file.
703 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
705 # system_server should never be executing dex2oat. This is either
# no_x_file_perms is a permission macro defined outside this listing.
709 neverallow system_server dex2oat_exec:file no_x_file_perms;
711 # system_server should never execute or load executable shared libraries
# NOTE(review): this assertion's type set and permissions are on lines not shown.
713 neverallow system_server {
718 # The only block device system_server should be accessing is
719 # the frp_block_device. This helps avoid a system_server to root
# Every blk_file under dev_type except frp_block_device is covered.
721 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
723 # system_server should never use JIT functionality
# No anonymous executable memory, and no execute on ashmem or on its own tmpfs files.
724 neverallow system_server self:process execmem;
725 neverallow system_server ashmem_device:chr_file execute;
728 neverallow system_server system_server_tmpfs:file execute;
731 # system_server should never access.
732 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
# ptrace of any domain other than system_server itself is forbidden; the self-ptrace
# grant is on file line 31.
735 neverallow system_server { domain -system_server }:process ptrace;
# sys_resource may never be added to system_server's capability set.
740 neverallow system_server system_server:capability sys_resource;