      1 #
      2 # System Server aka system_server spawned by zygote.
      3 # Most of the framework services run in this process.
      4 #
      5 
      6 typeattribute system_server coredomain;
      7 typeattribute system_server domain_deprecated;
      8 typeattribute system_server mlstrustedsubject;
      9 
     10 # Define a type for tmpfs-backed ashmem regions.
     11 tmpfs_domain(system_server)
     12 
     13 # Create a socket for connections from crash_dump.
     14 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
     15 
     16 allow system_server zygote_tmpfs:file read;
     17 
     18 # For art.
     19 allow system_server dalvikcache_data_file:dir r_dir_perms;
     20 allow system_server dalvikcache_data_file:file r_file_perms;
     21 
     22 # When running system server under --invoke-with, we'll try to load the boot image under the
     23 # system server domain, following links to the system partition.
     24 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
     25 
     26 # /data/resource-cache
     27 allow system_server resourcecache_data_file:file r_file_perms;
     28 allow system_server resourcecache_data_file:dir r_dir_perms;
     29 
     30 # ptrace to processes in the same domain for debugging crashes.
     31 allow system_server self:process ptrace;
     32 
     33 # Read and delete last_reboot_reason file
     34 allow system_server reboot_data_file:file { rename r_file_perms unlink };
     35 allow system_server reboot_data_file:dir { write search open remove_name };
     36 
     37 # Child of the zygote.
     38 allow system_server zygote:fd use;
     39 allow system_server zygote:process sigchld;
     40 
     41 # May kill zygote on crashes.
     42 allow system_server zygote:process sigkill;
     43 allow system_server crash_dump:process sigkill;
     44 
     45 # Read /system/bin/app_process.
     46 allow system_server zygote_exec:file r_file_perms;
     47 
     48 # Needed to close the zygote socket, which involves getopt / getattr
     49 allow system_server zygote:unix_stream_socket { getopt getattr };
     50 
     51 # system server gets network and bluetooth permissions.
     52 net_domain(system_server)
     53 # in addition to ioctls whitelisted for all domains, also allow system_server
     54 # to use privileged ioctls commands. Needed to set up VPNs.
     55 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
     56 bluetooth_domain(system_server)
     57 
     58 # These are the capabilities assigned by the zygote to the
     59 # system server.
     60 allow system_server self:capability {
     61     ipc_lock
     62     kill
     63     net_admin
     64     net_bind_service
     65     net_broadcast
     66     net_raw
     67     sys_boot
     68     sys_nice
     69     sys_ptrace
     70     sys_time
     71     sys_tty_config
     72 };
     73 
     74 wakelock_use(system_server)
     75 
     76 # Trigger module auto-load.
     77 allow system_server kernel:system module_request;
     78 
     79 # Allow alarmtimers to be set
     80 allow system_server self:capability2 wake_alarm;
     81 
     82 # Create and share netlink_netfilter_sockets for tetheroffload.
     83 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
     84 
     85 # Use netlink uevent sockets.
     86 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
     87 
     88 # Use generic netlink sockets.
     89 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
     90 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
     91 
     92 # libvintf reads the kernel config to verify vendor interface compatibility.
     93 allow system_server config_gz:file { read open };
     94 
     95 # Use generic "sockets" where the address family is not known
     96 # to the kernel. The ioctl permission is specifically omitted here, but may
     97 # be added to device specific policy along with the ioctl commands to be
     98 # whitelisted.
     99 allow system_server self:socket create_socket_perms_no_ioctl;
    100 
    101 # Set and get routes directly via netlink.
    102 allow system_server self:netlink_route_socket nlmsg_write;
    103 
    104 # Kill apps.
    105 allow system_server appdomain:process { getpgid sigkill signal };
    106 
    107 # Set scheduling info for apps.
    108 allow system_server appdomain:process { getsched setsched };
    109 allow system_server audioserver:process { getsched setsched };
    110 allow system_server hal_audio:process { getsched setsched };
    111 allow system_server hal_bluetooth:process { getsched setsched };
    112 allow system_server cameraserver:process { getsched setsched };
    113 allow system_server hal_camera:process { getsched setsched };
    114 allow system_server mediaserver:process { getsched setsched };
    115 allow system_server bootanim:process { getsched setsched };
    116 
    117 # Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
    118 allow system_server cameraserver:file w_file_perms;
    119 
    120 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
    121 # within system_server to keep track of memory and CPU usage for
    122 # all processes on the device. In addition, /proc/pid files access is needed
    123 # for dumping stack traces of native processes.
    124 r_dir_file(system_server, domain)
    125 
    126 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
    127 allow system_server qtaguid_proc:file rw_file_perms;
    128 allow system_server qtaguid_device:chr_file rw_file_perms;
    129 
    130 # Read /proc/uid_cputime/show_uid_stat.
    131 allow system_server proc_uid_cputime_showstat:file r_file_perms;
    132 
    133 # Write /proc/uid_cputime/remove_uid_range.
    134 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
    135 
    136 # Write /proc/uid_procstat/set.
    137 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
    138 
    139 # Read /proc/uid_time_in_state.
    140 allow system_server proc_uid_time_in_state:file r_file_perms;
    141 
    142 # Write to /proc/sysrq-trigger.
    143 allow system_server proc_sysrq:file rw_file_perms;
    144 
    145 # Read /proc/stat for CPU usage statistics
    146 allow system_server proc_stat:file r_file_perms;
    147 
    148 # Read /sys/kernel/debug/wakeup_sources.
    149 allow system_server debugfs:file r_file_perms;
    150 
    151 # The DhcpClient and WifiWatchdog use packet_sockets
    152 allow system_server self:packet_socket create_socket_perms_no_ioctl;
    153 
    154 # NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
    155 # as raw sockets, but the kernel doesn't yet distinguish between the two.
    156 allow system_server node:rawip_socket node_bind;
    157 
    158 # 3rd party VPN clients require a tun_socket to be created
    159 allow system_server self:tun_socket create_socket_perms_no_ioctl;
    160 
    161 # Talk to init and various daemons via sockets.
    162 unix_socket_connect(system_server, lmkd, lmkd)
    163 unix_socket_connect(system_server, mtpd, mtp)
    164 unix_socket_connect(system_server, netd, netd)
    165 unix_socket_connect(system_server, vold, vold)
    166 unix_socket_connect(system_server, webview_zygote, webview_zygote)
    167 unix_socket_connect(system_server, zygote, zygote)
    168 unix_socket_connect(system_server, racoon, racoon)
    169 unix_socket_connect(system_server, uncrypt, uncrypt)
    170 
    171 # Communicate over a socket created by surfaceflinger.
    172 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
    173 
    174 # Perform Binder IPC.
    175 binder_use(system_server)
    176 binder_call(system_server, appdomain)
    177 binder_call(system_server, binderservicedomain)
    178 binder_call(system_server, dumpstate)
    179 binder_call(system_server, fingerprintd)
    180 binder_call(system_server, gatekeeperd)
    181 binder_call(system_server, installd)
    182 binder_call(system_server, incidentd)
    183 binder_call(system_server, netd)
    184 binder_call(system_server, wificond)
    185 binder_service(system_server)
    186 
    187 # Use HALs
    188 hal_client_domain(system_server, hal_allocator)
    189 hal_client_domain(system_server, hal_broadcastradio)
    190 hal_client_domain(system_server, hal_configstore)
    191 hal_client_domain(system_server, hal_contexthub)
    192 hal_client_domain(system_server, hal_fingerprint)
    193 hal_client_domain(system_server, hal_gnss)
    194 hal_client_domain(system_server, hal_graphics_allocator)
    195 hal_client_domain(system_server, hal_ir)
    196 hal_client_domain(system_server, hal_light)
    197 hal_client_domain(system_server, hal_memtrack)
    198 hal_client_domain(system_server, hal_neuralnetworks)
    199 hal_client_domain(system_server, hal_oemlock)
    200 allow system_server hal_omx_hwservice:hwservice_manager find;
    201 allow system_server hidl_token_hwservice:hwservice_manager find;
    202 hal_client_domain(system_server, hal_power)
    203 hal_client_domain(system_server, hal_sensors)
    204 hal_client_domain(system_server, hal_tetheroffload)
    205 hal_client_domain(system_server, hal_thermal)
    206 hal_client_domain(system_server, hal_tv_cec)
    207 hal_client_domain(system_server, hal_tv_input)
    208 hal_client_domain(system_server, hal_usb)
    209 hal_client_domain(system_server, hal_vibrator)
    210 hal_client_domain(system_server, hal_vr)
    211 hal_client_domain(system_server, hal_weaver)
    212 hal_client_domain(system_server, hal_wifi)
    213 hal_client_domain(system_server, hal_wifi_offload)
    214 hal_client_domain(system_server, hal_wifi_supplicant)
    215 
    216 binder_call(system_server, mediacodec)
    217 
    218 # Talk with graphics composer fences
    219 allow system_server hal_graphics_composer:fd use;
    220 
    221 # Use RenderScript always-passthrough HAL
    222 allow system_server hal_renderscript_hwservice:hwservice_manager find;
    223 
    224 # Offer HwBinder services
    225 add_hwservice(system_server, fwk_scheduler_hwservice)
    226 add_hwservice(system_server, fwk_sensor_hwservice)
    227 
    228 # Talk to tombstoned to get ANR traces.
    229 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
    230 
    231 # List HAL interfaces to get ANR traces.
    232 allow system_server hwservicemanager:hwservice_manager list;
    233 
    234 # Send signals to trigger ANR traces.
    235 allow system_server {
    236   # This is derived from the list that system server defines as interesting native processes
    237   # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
    238   # frameworks/base/services/core/java/com/android/server/Watchdog.java.
    239   audioserver
    240   cameraserver
    241   drmserver
    242   inputflinger
    243   mediadrmserver
    244   mediaextractor
    245   mediaserver
    246   mediametrics
    247   sdcardd
    248   surfaceflinger
    249 
    250   # This list comes from HAL_INTERFACES_OF_INTEREST in
    251   # frameworks/base/services/core/java/com/android/server/Watchdog.java.
    252   hal_audio_server
    253   hal_bluetooth_server
    254   hal_camera_server
    255   hal_graphics_composer_server
    256   hal_sensors_server
    257   hal_vr_server
    258   mediacodec # TODO(b/36375899): hal_omx_server
    259 }:process { signal };
    260 
    261 # Use sockets received over binder from various services.
    262 allow system_server audioserver:tcp_socket rw_socket_perms;
    263 allow system_server audioserver:udp_socket rw_socket_perms;
    264 allow system_server mediaserver:tcp_socket rw_socket_perms;
    265 allow system_server mediaserver:udp_socket rw_socket_perms;
    266 
    267 # Use sockets received over binder from various services.
    268 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
    269 allow system_server mediadrmserver:udp_socket rw_socket_perms;
    270 
    271 # Get file context
    272 allow system_server file_contexts_file:file r_file_perms;
    273 # access for mac_permissions
    274 allow system_server mac_perms_file: file r_file_perms;
    275 # Check SELinux permissions.
    276 selinux_check_access(system_server)
    277 
    278 # XXX Label sysfs files with a specific type?
    279 allow system_server sysfs:file rw_file_perms;
    280 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
    281 allow system_server sysfs_devices_system_cpu:file w_file_perms;
    282 allow system_server sysfs_mac_address:file r_file_perms;
    283 allow system_server sysfs_thermal:dir search;
    284 allow system_server sysfs_thermal:file r_file_perms;
    285 
    286 # TODO: Remove when HALs are forced into separate processes
    287 allow system_server sysfs_vibrator:file { write append };
    288 
    289 # TODO: added to match above sysfs rule. Remove me?
    290 allow system_server sysfs_usb:file w_file_perms;
    291 
    292 # Access devices.
    293 allow system_server device:dir r_dir_perms;
    294 allow system_server mdns_socket:sock_file rw_file_perms;
    295 allow system_server alarm_device:chr_file rw_file_perms;
    296 allow system_server gpu_device:chr_file rw_file_perms;
    297 allow system_server iio_device:chr_file rw_file_perms;
    298 allow system_server input_device:dir r_dir_perms;
    299 allow system_server input_device:chr_file rw_file_perms;
    300 allow system_server radio_device:chr_file r_file_perms;
    301 allow system_server tty_device:chr_file rw_file_perms;
    302 allow system_server usbaccessory_device:chr_file rw_file_perms;
    303 allow system_server video_device:dir r_dir_perms;
    304 allow system_server video_device:chr_file rw_file_perms;
    305 allow system_server adbd_socket:sock_file rw_file_perms;
    306 allow system_server rtc_device:chr_file rw_file_perms;
    307 allow system_server audio_device:dir r_dir_perms;
    308 
    309 # write access needed for MIDI
    310 allow system_server audio_device:chr_file rw_file_perms;
    311 
    312 # tun device used for 3rd party vpn apps
    313 allow system_server tun_device:chr_file rw_file_perms;
    314 
    315 # Manage system data files.
    316 allow system_server system_data_file:dir create_dir_perms;
    317 allow system_server system_data_file:notdevfile_class_set create_file_perms;
    318 allow system_server keychain_data_file:dir create_dir_perms;
    319 allow system_server keychain_data_file:file create_file_perms;
    320 allow system_server keychain_data_file:lnk_file create_file_perms;
    321 
    322 # Manage /data/app.
    323 allow system_server apk_data_file:dir create_dir_perms;
    324 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
    325 allow system_server apk_tmp_file:dir create_dir_perms;
    326 allow system_server apk_tmp_file:file create_file_perms;
    327 
    328 # Access /vendor/app
    329 r_dir_file(system_server, vendor_app_file)
    330 
    331 # Access /vendor/app
    332 r_dir_file(system_server, vendor_overlay_file)
    333 
    334 # Manage /data/app-private.
    335 allow system_server apk_private_data_file:dir create_dir_perms;
    336 allow system_server apk_private_data_file:file create_file_perms;
    337 allow system_server apk_private_tmp_file:dir create_dir_perms;
    338 allow system_server apk_private_tmp_file:file create_file_perms;
    339 
    340 # Manage files within asec containers.
    341 allow system_server asec_apk_file:dir create_dir_perms;
    342 allow system_server asec_apk_file:file create_file_perms;
    343 allow system_server asec_public_file:file create_file_perms;
    344 
    345 # Manage /data/anr.
    346 #
    347 # TODO: Some of these permissions can be withdrawn once we've switched to the
    348 # new stack dumping mechanism, see b/32064548 and the rules below. In particular,
    349 # the system_server should never need to create a new anr_data_file:file or write
    350 # to one, but it will still need to read and append to existing files.
    351 allow system_server anr_data_file:dir create_dir_perms;
    352 allow system_server anr_data_file:file create_file_perms;
    353 
    354 # New stack dumping scheme : request an output FD from tombstoned via a unix
    355 # domain socket.
    356 #
    357 # Allow system_server to connect and write to the tombstoned java trace socket in
    358 # order to dump its traces. Also allow the system server to write its traces to
    359 # dumpstate during bugreport capture.
    360 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
    361 allow system_server tombstoned:fd use;
    362 allow system_server dumpstate:fifo_file append;
    363 
    364 # Read /data/misc/incidents - only read. The fd will be sent over binder,
    365 # with no DAC access to it, for dropbox to read.
    366 allow system_server incident_data_file:file read;
    367 
    368 # Manage /data/backup.
    369 allow system_server backup_data_file:dir create_dir_perms;
    370 allow system_server backup_data_file:file create_file_perms;
    371 
    372 # Write to /data/system/heapdump
    373 allow system_server heapdump_data_file:dir rw_dir_perms;
    374 allow system_server heapdump_data_file:file create_file_perms;
    375 
    376 # Manage /data/misc/adb.
    377 allow system_server adb_keys_file:dir create_dir_perms;
    378 allow system_server adb_keys_file:file create_file_perms;
    379 
    380 # Manage /data/misc/sms.
    381 # TODO:  Split into a separate type?
    382 allow system_server radio_data_file:dir create_dir_perms;
    383 allow system_server radio_data_file:file create_file_perms;
    384 
    385 # Manage /data/misc/systemkeys.
    386 allow system_server systemkeys_data_file:dir create_dir_perms;
    387 allow system_server systemkeys_data_file:file create_file_perms;
    388 
    389 # Manage /data/misc/textclassifier.
    390 allow system_server textclassifier_data_file:dir create_dir_perms;
    391 allow system_server textclassifier_data_file:file create_file_perms;
    392 
    393 # Access /data/tombstones.
    394 allow system_server tombstone_data_file:dir r_dir_perms;
    395 allow system_server tombstone_data_file:file r_file_perms;
    396 
    397 # Manage /data/misc/vpn.
    398 allow system_server vpn_data_file:dir create_dir_perms;
    399 allow system_server vpn_data_file:file create_file_perms;
    400 
    401 # Manage /data/misc/wifi.
    402 allow system_server wifi_data_file:dir create_dir_perms;
    403 allow system_server wifi_data_file:file create_file_perms;
    404 
    405 # Manage /data/misc/zoneinfo.
    406 allow system_server zoneinfo_data_file:dir create_dir_perms;
    407 allow system_server zoneinfo_data_file:file create_file_perms;
    408 
    409 # Walk /data/data subdirectories.
    410 # Types extracted from seapp_contexts type= fields.
    411 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
    412 # Also permit for unlabeled /data/data subdirectories and
    413 # for unlabeled asec containers on upgrades from 4.2.
    414 allow system_server unlabeled:dir r_dir_perms;
    415 # Read pkg.apk file before it has been relabeled by vold.
    416 allow system_server unlabeled:file r_file_perms;
    417 
    418 # Populate com.android.providers.settings/databases/settings.db.
    419 allow system_server system_app_data_file:dir create_dir_perms;
    420 allow system_server system_app_data_file:file create_file_perms;
    421 
    422 # Receive and use open app data files passed over binder IPC.
    423 # Types extracted from seapp_contexts type= fields.
    424 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
    425 
    426 # Access to /data/media for measuring disk usage.
    427 allow system_server media_rw_data_file:dir { search getattr open read };
    428 
    429 # Receive and use open /data/media files passed over binder IPC.
    430 # Also used for measuring disk usage.
    431 allow system_server media_rw_data_file:file { getattr read write append };
    432 
    433 # Relabel apk files.
    434 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
    435 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
    436 
    437 # Relabel wallpaper.
    438 allow system_server system_data_file:file relabelfrom;
    439 allow system_server wallpaper_file:file relabelto;
    440 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
    441 
    442 # Backup of wallpaper imagery uses temporary hard links to avoid data churn
    443 allow system_server { system_data_file wallpaper_file }:file link;
    444 
    445 # ShortcutManager icons
    446 allow system_server system_data_file:dir relabelfrom;
    447 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
    448 allow system_server shortcut_manager_icons:file create_file_perms;
    449 
    450 # Manage ringtones.
    451 allow system_server ringtone_file:dir { create_dir_perms relabelto };
    452 allow system_server ringtone_file:file create_file_perms;
    453 
    454 # Relabel icon file.
    455 allow system_server icon_file:file relabelto;
    456 allow system_server icon_file:file { rw_file_perms unlink };
    457 
    458 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
    459 allow system_server system_data_file:dir relabelfrom;
    460 
    461 # Property Service write
    462 set_prop(system_server, system_prop)
    463 set_prop(system_server, safemode_prop)
    464 set_prop(system_server, dhcp_prop)
    465 set_prop(system_server, net_radio_prop)
    466 set_prop(system_server, net_dns_prop)
    467 set_prop(system_server, system_radio_prop)
    468 set_prop(system_server, debug_prop)
    469 set_prop(system_server, powerctl_prop)
    470 set_prop(system_server, fingerprint_prop)
    471 set_prop(system_server, device_logging_prop)
    472 set_prop(system_server, dumpstate_options_prop)
    473 set_prop(system_server, overlay_prop)
    474 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
    475 
    476 # ctl interface
    477 set_prop(system_server, ctl_default_prop)
    478 set_prop(system_server, ctl_bugreport_prop)
    479 
    480 # cppreopt property
    481 set_prop(system_server, cppreopt_prop)
    482 
    483 # Collect metrics on boot time created by init
    484 get_prop(system_server, boottime_prop)
    485 
    486 # Read device's serial number from system properties
    487 get_prop(system_server, serialno_prop)
    488 
    489 # Read/write the property which keeps track of whether this is the first start of system_server
    490 set_prop(system_server, firstboot_prop)
    491 
    492 # Create a socket for connections from debuggerd.
    493 allow system_server system_ndebug_socket:sock_file create_file_perms;
    494 
    495 # Manage cache files.
    496 allow system_server cache_file:lnk_file r_file_perms;
    497 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
    498 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
    499 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
    500 
    501 allow system_server system_file:dir r_dir_perms;
    502 allow system_server system_file:lnk_file r_file_perms;
    503 
    504 # LocationManager(e.g, GPS) needs to read and write
    505 # to uart driver and ctrl proc entry
    506 allow system_server gps_control:file rw_file_perms;
    507 
    508 # Allow system_server to use app-created sockets and pipes.
    509 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
    510 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
    511 
    512 # BackupManagerService needs to manipulate backup data files
    513 allow system_server cache_backup_file:dir rw_dir_perms;
    514 allow system_server cache_backup_file:file create_file_perms;
    515 # LocalTransport works inside /cache/backup
    516 allow system_server cache_private_backup_file:dir create_dir_perms;
    517 allow system_server cache_private_backup_file:file create_file_perms;
    518 
    519 # Allow system to talk to usb device
    520 allow system_server usb_device:chr_file rw_file_perms;
    521 allow system_server usb_device:dir r_dir_perms;
    522 
    523 # Read from HW RNG (needed by EntropyMixer).
    524 allow system_server hw_random_device:chr_file r_file_perms;
    525 
    526 # Read and delete files under /dev/fscklogs.
    527 r_dir_file(system_server, fscklogs)
    528 allow system_server fscklogs:dir { write remove_name };
    529 allow system_server fscklogs:file unlink;
    530 
    531 # logd access, system_server inherit logd write socket
    532 # (urge is to deprecate this long term)
    533 allow system_server zygote:unix_dgram_socket write;
    534 
    535 # Read from log daemon.
    536 read_logd(system_server)
    537 read_runtime_log_tags(system_server)
    538 
    539 # Be consistent with DAC permissions. Allow system_server to write to
    540 # /sys/module/lowmemorykiller/parameters/adj
    541 # /sys/module/lowmemorykiller/parameters/minfree
    542 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
    543 
    544 # Read /sys/fs/pstore/console-ramoops
    545 # Don't worry about overly broad permissions for now, as there's
    546 # only one file in /sys/fs/pstore
    547 allow system_server pstorefs:dir r_dir_perms;
    548 allow system_server pstorefs:file r_file_perms;
    549 
    550 # /sys access
    551 allow system_server sysfs_zram:dir search;
    552 allow system_server sysfs_zram:file r_file_perms;
    553 
    554 add_service(system_server, system_server_service);
    555 allow system_server audioserver_service:service_manager find;
    556 allow system_server batteryproperties_service:service_manager find;
    557 allow system_server cameraserver_service:service_manager find;
    558 allow system_server drmserver_service:service_manager find;
    559 allow system_server dumpstate_service:service_manager find;
    560 allow system_server fingerprintd_service:service_manager find;
    561 allow system_server hal_fingerprint_service:service_manager find;
    562 allow system_server gatekeeper_service:service_manager find;
    563 allow system_server incident_service:service_manager find;
    564 allow system_server installd_service:service_manager find;
    565 allow system_server keystore_service:service_manager find;
    566 allow system_server mediaserver_service:service_manager find;
    567 allow system_server mediametrics_service:service_manager find;
    568 allow system_server mediaextractor_service:service_manager find;
    569 allow system_server mediacodec_service:service_manager find;
    570 allow system_server mediadrmserver_service:service_manager find;
    571 allow system_server netd_service:service_manager find;
    572 allow system_server nfc_service:service_manager find;
    573 allow system_server radio_service:service_manager find;
    574 allow system_server surfaceflinger_service:service_manager find;
    575 allow system_server wificond_service:service_manager find;
    576 
    577 allow system_server keystore:keystore_key {
    578 	get_state
    579 	get
    580 	insert
    581 	delete
    582 	exist
    583 	list
    584 	reset
    585 	password
    586 	lock
    587 	unlock
    588 	is_empty
    589 	sign
    590 	verify
    591 	grant
    592 	duplicate
    593 	clear_uid
    594 	add_auth
    595 	user_changed
    596 };
    597 
    598 # Allow system server to search and write to the persistent factory reset
    599 # protection partition. This block device does not get wiped in a factory reset.
    600 allow system_server block_device:dir search;
    601 allow system_server frp_block_device:blk_file rw_file_perms;
    602 
    603 # Clean up old cgroups
    604 allow system_server cgroup:dir { remove_name rmdir };
    605 
    606 # /oem access
    607 r_dir_file(system_server, oemfs)
    608 
    609 # Allow resolving per-user storage symlinks
    610 allow system_server { mnt_user_file storage_file }:dir { getattr search };
    611 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
    612 
    613 # Allow statfs() on storage devices, which happens fast enough that
    614 # we shouldn't be killed during unsafe removal
    615 allow system_server sdcard_type:dir { getattr search };
    616 
    617 # Traverse into expanded storage
    618 allow system_server mnt_expand_file:dir r_dir_perms;
    619 
    620 # Allow system process to relabel the fingerprint directory after mkdir
    621 # and delete the directory and files when no longer needed
    622 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
    623 allow system_server fingerprintd_data_file:file { getattr unlink };
    624 
    625 # Allow system process to read network MAC address
    626 allow system_server sysfs_mac_address:file r_file_perms;
    627 
    628 userdebug_or_eng(`
    629   # Allow system server to create and write method traces in /data/misc/trace.
    630   allow system_server method_trace_data_file:dir w_dir_perms;
    631   allow system_server method_trace_data_file:file { create w_file_perms };
    632 
    633   # Allow system server to read dmesg
    634   allow system_server kernel:system syslog_read;
    635 ')
    636 
    637 # For AppFuse.
    638 allow system_server vold:fd use;
    639 allow system_server fuse_device:chr_file { read write ioctl getattr };
    640 allow system_server app_fuse_file:dir rw_dir_perms;
    641 allow system_server app_fuse_file:file { read write open getattr append };
    642 
    643 # For configuring sdcardfs
    644 allow system_server configfs:dir { create_dir_perms };
    645 allow system_server configfs:file { getattr open unlink write };
    646 
    647 # Connect to adbd and use a socket transferred from it.
    648 # Used for e.g. jdwp.
    649 allow system_server adbd:unix_stream_socket connectto;
    650 allow system_server adbd:fd use;
    651 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
    652 
    653 # Allow invoking tools like "timeout"
    654 allow system_server toolbox_exec:file rx_file_perms;
    655 
    656 # Postinstall
    657 #
    658 # For OTA dexopt, allow calls coming from postinstall.
    659 binder_call(system_server, postinstall)
    660 
    661 allow system_server postinstall:fifo_file write;
    662 allow system_server update_engine:fd use;
    663 allow system_server update_engine:fifo_file write;
    664 
    665 # Access to /data/preloads
    666 allow system_server preloads_data_file:file { r_file_perms unlink };
    667 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
    668 allow system_server preloads_media_file:file { r_file_perms unlink };
    669 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
    670 
     671 r_dir_file(system_server, cgroup)
     672 allow system_server ion_device:chr_file r_file_perms;
     673 
         # Read-only (r_dir_file) views of proc and sysfs.  sysfs_type is an
         # attribute, so the last rule covers every type carrying it; writes to
         # sysfs are granted only explicitly (e.g. sysfs_leds below).
     674 r_dir_file(system_server, proc)
     675 r_dir_file(system_server, proc_meminfo)
     676 r_dir_file(system_server, proc_net)
     677 r_dir_file(system_server, rootfs)
     678 r_dir_file(system_server, sysfs_type)
    679 
     680 ### Rules needed when Light HAL runs inside system_server process.
     681 ### These rules should eventually be granted only when needed.
         ### Write access to sysfs_leds files is the only sysfs write in this
         ### section; the sysfs_type grant above is read-only.
     682 allow system_server sysfs_leds:lnk_file read;
     683 allow system_server sysfs_leds:file rw_file_perms;
     684 allow system_server sysfs_leds:dir r_dir_perms;
     685 ###
    686 
     687 # Allow WifiService to start, stop, and read wifi-specific trace events.
         # search only on the tracing-instances directory; read/write is confined
         # to the wifi-specific instance.
     688 allow system_server debugfs_tracing_instances:dir search;
     689 allow system_server debugfs_wifi_tracing:dir search;
     690 allow system_server debugfs_wifi_tracing:file rw_file_perms;
    691 
     692 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
     693 # asanwrapper.
         # ASAN builds only.  The execute_no_trans neverallow below carries a
         # matching with_asan carve-out; keep the two lists in sync.
     694 with_asan(`
     695   allow system_server shell_exec:file rx_file_perms;
     696   allow system_server asanwrapper_exec:file rx_file_perms;
     697   allow system_server zygote_exec:file rx_file_perms;
     698 ')
    699 
     700 ###
     701 ### Neverallow rules
     702 ###
     703 ### system_server should NEVER do any of this
         ###
         ### neverallow rules are checked at policy build time: any allow rule
         ### (in this file or elsewhere) that intersects one of them fails the
         ### build, so they guard against later edits widening system_server.
     704 
     705 # Do not allow opening files from external storage as unsafe ejection
     706 # could cause the kernel to kill the system_server.
     707 neverallow system_server sdcard_type:dir { open read write };
     708 neverallow system_server sdcard_type:file rw_file_perms;
     709 
     710 # system server should never be operating on zygote spawned app data
     711 # files directly. Rather, they should always be passed via a
     712 # file descriptor.
     713 # Types extracted from seapp_contexts type= fields, excluding
     714 # those types that system_server needs to open directly.
         # The blocked set is { open create unlink link } only; read/write on an
         # fd that was passed in remain possible, which is the intended path.
     715 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
    716 
     717 # Forking and execing is inherently dangerous and racy. See, for
     718 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
     719 # Prevent the addition of new file execs to stop the problem from
     720 # getting worse. b/28035297
         # execute_no_trans covers execs that stay in the system_server domain;
         # execs that would change domain are caught by the transition neverallow
         # below.  Every exemption listed here should correspond to an explicit
         # allow (toolbox_exec and the with_asan set above; logcat_exec presumably
         # elsewhere in this file).
     721 neverallow system_server {
     722   file_type
     723   -toolbox_exec
     724   -logcat_exec
     725   with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
     726 }:file execute_no_trans;
     727 
     728 # Ensure that system_server doesn't perform any domain transitions other than
     729 # transitioning to the crash_dump domain when a crash occurs.
         # dyntransition (a context change without exec) is blocked for every
         # target domain, crash_dump included.
     730 neverallow system_server { domain -crash_dump }:process transition;
     731 neverallow system_server *:process dyntransition;
     732 
     733 # Besides init and system_server itself, only crash_dump may open or
         # write system_ndebug_socket; every other domain is blocked here.
     734 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
    735 
     736 # system_server should never be executing dex2oat. This is either
     737 # a bug (for example, bug 16317188), or represents an attempt by
     738 # system server to dynamically load a dex file, something we do not
     739 # want to allow.
     740 neverallow system_server dex2oat_exec:file no_x_file_perms;
     741 
     742 # system_server should never execute or load executable shared libraries
     743 # in /data except for /data/dalvik-cache files.
         # no_x_file_perms spans execute, execute_no_trans and execmod, so both
         # running and mapping-as-executable of anything in /data other than
         # dalvik-cache is blocked.
     744 neverallow system_server {
     745   data_file_type
     746   -dalvikcache_data_file #mapping with PROT_EXEC
     747 }:file no_x_file_perms;
     748 
     749 # The only block device system_server should be accessing is
     750 # the frp_block_device. This helps avoid a system_server to root
     751 # escalation by writing to raw block devices.
         # no_rw_file_perms denies reads as well as writes, so raw block devices
         # other than frp_block_device cannot even be inspected.
     752 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
     753 
     754 # system_server should never use JIT functionality
         # execmem blocks anonymous writable-and-executable memory; the ashmem
         # rule blocks the shared-memory route to the same end.
     755 neverallow system_server self:process execmem;
     756 neverallow system_server ashmem_device:chr_file execute;
    757 
     758 # TODO: deal with tmpfs_domain pub/priv split properly
         # Complements the execmem/ashmem rules above: the tmpfs_domain type for
         # system_server must not be mapped executable either.
     759 neverallow system_server system_server_tmpfs:file execute;
     760 
     761 # dexoptanalyzer is currently used only for secondary dex files which
     762 # system_server should never access.
     763 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
     764 
     765 # No ptracing others
         # Pairs with the self:process ptrace allow earlier in this file: the only
         # permitted ptrace target is system_server itself.
     766 neverallow system_server { domain -system_server }:process ptrace;
    767 
    768 # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
    769 # file read access. However, that is now unnecessary (b/34951864)
    770 # This neverallow can be removed after b/34951864 is fixed.
    771 neverallow system_server system_server:capability sys_resource;
    772