1 # 2 # System Server aka system_server spawned by zygote. 3 # Most of the framework services run in this process. 4 # 5 6 typeattribute system_server coredomain; 7 typeattribute system_server mlstrustedsubject; 8 9 # Define a type for tmpfs-backed ashmem regions. 10 tmpfs_domain(system_server) 11 12 # Create a socket for connections from crash_dump. 13 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 14 15 allow system_server zygote_tmpfs:file read; 16 17 # For art. 18 allow system_server dalvikcache_data_file:dir r_dir_perms; 19 allow system_server dalvikcache_data_file:file r_file_perms; 20 21 # When running system server under --invoke-with, we'll try to load the boot image under the 22 # system server domain, following links to the system partition. 23 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') 24 25 # /data/resource-cache 26 allow system_server resourcecache_data_file:file r_file_perms; 27 allow system_server resourcecache_data_file:dir r_dir_perms; 28 29 # ptrace to processes in the same domain for debugging crashes. 30 allow system_server self:process ptrace; 31 32 # Child of the zygote. 33 allow system_server zygote:fd use; 34 allow system_server zygote:process sigchld; 35 36 # May kill zygote on crashes. 37 allow system_server zygote:process sigkill; 38 allow system_server crash_dump:process sigkill; 39 allow system_server webview_zygote:process sigkill; 40 41 # Read /system/bin/app_process. 42 allow system_server zygote_exec:file r_file_perms; 43 44 # Needed to close the zygote socket, which involves getopt / getattr 45 allow system_server zygote:unix_stream_socket { getopt getattr }; 46 47 # system server gets network and bluetooth permissions. 48 net_domain(system_server) 49 # in addition to ioctls whitelisted for all domains, also allow system_server 50 # to use privileged ioctls commands. Needed to set up VPNs. 51 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 52 bluetooth_domain(system_server) 53 54 # These are the capabilities assigned by the zygote to the 55 # system server. 56 allow system_server self:global_capability_class_set { 57 ipc_lock 58 kill 59 net_admin 60 net_bind_service 61 net_broadcast 62 net_raw 63 sys_boot 64 sys_nice 65 sys_ptrace 66 sys_time 67 sys_tty_config 68 }; 69 70 wakelock_use(system_server) 71 72 # Trigger module auto-load. 73 allow system_server kernel:system module_request; 74 75 # Allow alarmtimers to be set 76 allow system_server self:global_capability2_class_set wake_alarm; 77 78 # Create and share netlink_netfilter_sockets for tetheroffload. 79 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; 80 81 # Use netlink uevent sockets. 82 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 83 84 # Use generic netlink sockets. 85 allow system_server self:netlink_socket create_socket_perms_no_ioctl; 86 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 87 88 # libvintf reads the kernel config to verify vendor interface compatibility. 89 allow system_server config_gz:file { read open }; 90 91 # Use generic "sockets" where the address family is not known 92 # to the kernel. The ioctl permission is specifically omitted here, but may 93 # be added to device specific policy along with the ioctl commands to be 94 # whitelisted. 95 allow system_server self:socket create_socket_perms_no_ioctl; 96 97 # Set and get routes directly via netlink. 98 allow system_server self:netlink_route_socket nlmsg_write; 99 100 # Kill apps. 101 allow system_server appdomain:process { getpgid sigkill signal }; 102 103 # Set scheduling info for apps. 104 allow system_server appdomain:process { getsched setsched }; 105 allow system_server audioserver:process { getsched setsched }; 106 allow system_server hal_audio:process { getsched setsched }; 107 allow system_server hal_bluetooth:process { getsched setsched }; 108 allow system_server mediacodec:process { getsched setsched }; 109 allow system_server cameraserver:process { getsched setsched }; 110 allow system_server hal_camera:process { getsched setsched }; 111 allow system_server mediaserver:process { getsched setsched }; 112 allow system_server bootanim:process { getsched setsched }; 113 114 # Allow system_server to write to /proc/<pid>/timerslack_ns 115 allow system_server appdomain:file w_file_perms; 116 allow system_server audioserver:file w_file_perms; 117 allow system_server mediacodec:file w_file_perms; 118 allow system_server cameraserver:file w_file_perms; 119 allow system_server hal_audio_server:file w_file_perms; 120 121 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker 122 # within system_server to keep track of memory and CPU usage for 123 # all processes on the device. In addition, /proc/pid files access is needed 124 # for dumping stack traces of native processes. 125 r_dir_file(system_server, domain) 126 127 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. 128 allow system_server qtaguid_proc:file rw_file_perms; 129 allow system_server qtaguid_device:chr_file rw_file_perms; 130 131 # Write /proc/uid_cputime/remove_uid_range. 132 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 133 134 # Write /proc/uid_procstat/set. 135 allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 136 137 # Write to /proc/sysrq-trigger. 138 allow system_server proc_sysrq:file rw_file_perms; 139 140 # Read /sys/kernel/debug/wakeup_sources. 141 allow system_server debugfs:file r_file_perms; 142 allow system_server debugfs_wakeup_sources:file r_file_perms; 143 144 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories. 145 allow system_server stats_data_file:dir { open read remove_name search write }; 146 allow system_server stats_data_file:file unlink; 147 148 # The DhcpClient and WifiWatchdog use packet_sockets 149 allow system_server self:packet_socket create_socket_perms_no_ioctl; 150 151 # NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same 152 # as raw sockets, but the kernel doesn't yet distinguish between the two. 153 allow system_server node:rawip_socket node_bind; 154 155 # 3rd party VPN clients require a tun_socket to be created 156 allow system_server self:tun_socket create_socket_perms_no_ioctl; 157 158 # Talk to init and various daemons via sockets. 159 unix_socket_connect(system_server, lmkd, lmkd) 160 unix_socket_connect(system_server, mtpd, mtp) 161 unix_socket_connect(system_server, netd, netd) 162 unix_socket_connect(system_server, zygote, zygote) 163 unix_socket_connect(system_server, racoon, racoon) 164 unix_socket_connect(system_server, uncrypt, uncrypt) 165 166 # Communicate over a socket created by surfaceflinger. 167 allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 168 169 # Communicate over a socket created by webview_zygote. 170 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 171 172 # Perform Binder IPC. 173 binder_use(system_server) 174 binder_call(system_server, appdomain) 175 binder_call(system_server, binderservicedomain) 176 binder_call(system_server, dumpstate) 177 binder_call(system_server, fingerprintd) 178 binder_call(system_server, gatekeeperd) 179 binder_call(system_server, installd) 180 binder_call(system_server, incidentd) 181 binder_call(system_server, netd) 182 binder_call(system_server, statsd) 183 binder_call(system_server, storaged) 184 binder_call(system_server, vold) 185 binder_call(system_server, wificond) 186 binder_call(system_server, wpantund) 187 binder_service(system_server) 188 189 # Use HALs 190 hal_client_domain(system_server, hal_allocator) 191 hal_client_domain(system_server, hal_authsecret) 192 hal_client_domain(system_server, hal_broadcastradio) 193 hal_client_domain(system_server, hal_configstore) 194 hal_client_domain(system_server, hal_contexthub) 195 hal_client_domain(system_server, hal_fingerprint) 196 hal_client_domain(system_server, hal_gnss) 197 hal_client_domain(system_server, hal_graphics_allocator) 198 hal_client_domain(system_server, hal_health) 199 hal_client_domain(system_server, hal_ir) 200 hal_client_domain(system_server, hal_light) 201 hal_client_domain(system_server, hal_memtrack) 202 hal_client_domain(system_server, hal_neuralnetworks) 203 hal_client_domain(system_server, hal_oemlock) 204 allow system_server hal_codec2_hwservice:hwservice_manager find; 205 allow system_server hal_omx_hwservice:hwservice_manager find; 206 allow system_server hidl_token_hwservice:hwservice_manager find; 207 hal_client_domain(system_server, hal_power) 208 hal_client_domain(system_server, hal_sensors) 209 hal_client_domain(system_server, hal_tetheroffload) 210 hal_client_domain(system_server, hal_thermal) 211 hal_client_domain(system_server, hal_tv_cec) 212 hal_client_domain(system_server, hal_tv_input) 213 hal_client_domain(system_server, hal_usb) 214 hal_client_domain(system_server, hal_usb_gadget) 215 hal_client_domain(system_server, hal_vibrator) 216 hal_client_domain(system_server, hal_vr) 217 hal_client_domain(system_server, hal_weaver) 218 hal_client_domain(system_server, hal_wifi) 219 hal_client_domain(system_server, hal_wifi_hostapd) 220 hal_client_domain(system_server, hal_wifi_offload) 221 hal_client_domain(system_server, hal_wifi_supplicant) 222 223 binder_call(system_server, mediacodec) 224 225 # Talk with graphics composer fences 226 allow system_server hal_graphics_composer:fd use; 227 228 # Use RenderScript always-passthrough HAL 229 allow system_server hal_renderscript_hwservice:hwservice_manager find; 230 231 # Offer HwBinder services 232 add_hwservice(system_server, fwk_scheduler_hwservice) 233 add_hwservice(system_server, fwk_sensor_hwservice) 234 235 # Talk to tombstoned to get ANR traces. 236 unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 237 238 # List HAL interfaces to get ANR traces. 239 allow system_server hwservicemanager:hwservice_manager list; 240 241 # Send signals to trigger ANR traces. 242 allow system_server { 243 # This is derived from the list that system server defines as interesting native processes 244 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 245 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 246 audioserver 247 cameraserver 248 drmserver 249 inputflinger 250 mediadrmserver 251 mediaextractor 252 mediaserver 253 mediametrics 254 sdcardd 255 statsd 256 surfaceflinger 257 258 # This list comes from HAL_INTERFACES_OF_INTEREST in 259 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 260 hal_audio_server 261 hal_bluetooth_server 262 hal_camera_server 263 hal_graphics_composer_server 264 hal_sensors_server 265 hal_vr_server 266 mediacodec # TODO(b/36375899): hal_omx_server 267 }:process { signal }; 268 269 # Use sockets received over binder from various services. 270 allow system_server audioserver:tcp_socket rw_socket_perms; 271 allow system_server audioserver:udp_socket rw_socket_perms; 272 allow system_server mediaserver:tcp_socket rw_socket_perms; 273 allow system_server mediaserver:udp_socket rw_socket_perms; 274 275 # Use sockets received over binder from various services. 276 allow system_server mediadrmserver:tcp_socket rw_socket_perms; 277 allow system_server mediadrmserver:udp_socket rw_socket_perms; 278 279 # Get file context 280 allow system_server file_contexts_file:file r_file_perms; 281 # access for mac_permissions 282 allow system_server mac_perms_file: file r_file_perms; 283 # Check SELinux permissions. 284 selinux_check_access(system_server) 285 286 allow system_server sysfs_type:dir search; 287 288 r_dir_file(system_server, sysfs_android_usb) 289 allow system_server sysfs_android_usb:file w_file_perms; 290 291 r_dir_file(system_server, sysfs_ipv4) 292 allow system_server sysfs_ipv4:file w_file_perms; 293 294 r_dir_file(system_server, sysfs_rtc) 295 r_dir_file(system_server, sysfs_switch) 296 r_dir_file(system_server, sysfs_wakeup_reasons) 297 298 allow system_server sysfs_nfc_power_writable:file rw_file_perms; 299 allow system_server sysfs_mac_address:file r_file_perms; 300 allow system_server sysfs_power:dir search; 301 allow system_server sysfs_power:file rw_file_perms; 302 allow system_server sysfs_thermal:dir search; 303 allow system_server sysfs_thermal:file r_file_perms; 304 305 # TODO: Remove when HALs are forced into separate processes 306 allow system_server sysfs_vibrator:file { write append }; 307 308 # TODO: added to match above sysfs rule. Remove me? 309 allow system_server sysfs_usb:file w_file_perms; 310 311 # Access devices. 312 allow system_server device:dir r_dir_perms; 313 allow system_server mdns_socket:sock_file rw_file_perms; 314 allow system_server alarm_device:chr_file rw_file_perms; 315 allow system_server gpu_device:chr_file rw_file_perms; 316 allow system_server iio_device:chr_file rw_file_perms; 317 allow system_server input_device:dir r_dir_perms; 318 allow system_server input_device:chr_file rw_file_perms; 319 allow system_server radio_device:chr_file r_file_perms; 320 allow system_server tty_device:chr_file rw_file_perms; 321 allow system_server usbaccessory_device:chr_file rw_file_perms; 322 allow system_server video_device:dir r_dir_perms; 323 allow system_server video_device:chr_file rw_file_perms; 324 allow system_server adbd_socket:sock_file rw_file_perms; 325 allow system_server rtc_device:chr_file rw_file_perms; 326 allow system_server audio_device:dir r_dir_perms; 327 328 # write access needed for MIDI 329 allow system_server audio_device:chr_file rw_file_perms; 330 331 # tun device used for 3rd party vpn apps 332 allow system_server tun_device:chr_file rw_file_perms; 333 334 # Manage system data files. 335 allow system_server system_data_file:dir create_dir_perms; 336 allow system_server system_data_file:notdevfile_class_set create_file_perms; 337 allow system_server keychain_data_file:dir create_dir_perms; 338 allow system_server keychain_data_file:file create_file_perms; 339 allow system_server keychain_data_file:lnk_file create_file_perms; 340 341 # Manage /data/app. 342 allow system_server apk_data_file:dir create_dir_perms; 343 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; 344 allow system_server apk_tmp_file:dir create_dir_perms; 345 allow system_server apk_tmp_file:file create_file_perms; 346 347 # Access /vendor/{app,framework,overlay} 348 r_dir_file(system_server, vendor_app_file) 349 r_dir_file(system_server, vendor_framework_file) 350 r_dir_file(system_server, vendor_overlay_file) 351 352 # Manage /data/app-private. 353 allow system_server apk_private_data_file:dir create_dir_perms; 354 allow system_server apk_private_data_file:file create_file_perms; 355 allow system_server apk_private_tmp_file:dir create_dir_perms; 356 allow system_server apk_private_tmp_file:file create_file_perms; 357 358 # Manage files within asec containers. 359 allow system_server asec_apk_file:dir create_dir_perms; 360 allow system_server asec_apk_file:file create_file_perms; 361 allow system_server asec_public_file:file create_file_perms; 362 363 # Manage /data/anr. 364 # 365 # TODO: Some of these permissions can be withdrawn once we've switched to the 366 # new stack dumping mechanism, see b/32064548 and the rules below. In particular, 367 # the system_server should never need to create a new anr_data_file:file or write 368 # to one, but it will still need to read and append to existing files. 369 allow system_server anr_data_file:dir create_dir_perms; 370 allow system_server anr_data_file:file create_file_perms; 371 372 # New stack dumping scheme : request an output FD from tombstoned via a unix 373 # domain socket. 374 # 375 # Allow system_server to connect and write to the tombstoned java trace socket in 376 # order to dump its traces. Also allow the system server to write its traces to 377 # dumpstate during bugreport capture and incidentd during incident collection. 378 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned) 379 allow system_server tombstoned:fd use; 380 allow system_server dumpstate:fifo_file append; 381 allow system_server incidentd:fifo_file append; 382 383 # Read /data/misc/incidents - only read. The fd will be sent over binder, 384 # with no DAC access to it, for dropbox to read. 385 allow system_server incident_data_file:file read; 386 387 # Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over 388 # binder. 389 allow system_server perfetto_traces_data_file:file read; 390 allow system_server perfetto:fd use; 391 392 # Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder. 393 userdebug_or_eng(` 394 allow system_server perfprofd_data_file:file read; 395 allow system_server perfprofd:fd use; 396 ') 397 398 # Manage /data/backup. 399 allow system_server backup_data_file:dir create_dir_perms; 400 allow system_server backup_data_file:file create_file_perms; 401 402 # Write to /data/system/heapdump 403 allow system_server heapdump_data_file:dir rw_dir_perms; 404 allow system_server heapdump_data_file:file create_file_perms; 405 406 # Manage /data/misc/adb. 407 allow system_server adb_keys_file:dir create_dir_perms; 408 allow system_server adb_keys_file:file create_file_perms; 409 410 # Manage /data/misc/network_watchlist 411 allow system_server network_watchlist_data_file:dir create_dir_perms; 412 allow system_server network_watchlist_data_file:file create_file_perms; 413 414 # Manage /data/misc/sms. 415 # TODO: Split into a separate type? 416 allow system_server radio_data_file:dir create_dir_perms; 417 allow system_server radio_data_file:file create_file_perms; 418 419 # Manage /data/misc/systemkeys. 420 allow system_server systemkeys_data_file:dir create_dir_perms; 421 allow system_server systemkeys_data_file:file create_file_perms; 422 423 # Manage /data/misc/textclassifier. 424 allow system_server textclassifier_data_file:dir create_dir_perms; 425 allow system_server textclassifier_data_file:file create_file_perms; 426 427 # Access /data/tombstones. 428 allow system_server tombstone_data_file:dir r_dir_perms; 429 allow system_server tombstone_data_file:file r_file_perms; 430 431 # Manage /data/misc/vpn. 432 allow system_server vpn_data_file:dir create_dir_perms; 433 allow system_server vpn_data_file:file create_file_perms; 434 435 # Manage /data/misc/wifi. 436 allow system_server wifi_data_file:dir create_dir_perms; 437 allow system_server wifi_data_file:file create_file_perms; 438 439 # Manage /data/misc/zoneinfo. 440 allow system_server zoneinfo_data_file:dir create_dir_perms; 441 allow system_server zoneinfo_data_file:file create_file_perms; 442 443 # Walk /data/data subdirectories. 444 # Types extracted from seapp_contexts type= fields. 445 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; 446 # Also permit for unlabeled /data/data subdirectories and 447 # for unlabeled asec containers on upgrades from 4.2. 448 allow system_server unlabeled:dir r_dir_perms; 449 # Read pkg.apk file before it has been relabeled by vold. 450 allow system_server unlabeled:file r_file_perms; 451 452 # Populate com.android.providers.settings/databases/settings.db. 453 allow system_server system_app_data_file:dir create_dir_perms; 454 allow system_server system_app_data_file:file create_file_perms; 455 456 # Receive and use open app data files passed over binder IPC. 457 # Types extracted from seapp_contexts type= fields. 458 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append }; 459 460 # Access to /data/media for measuring disk usage. 461 allow system_server media_rw_data_file:dir { search getattr open read }; 462 463 # Receive and use open /data/media files passed over binder IPC. 464 # Also used for measuring disk usage. 465 allow system_server media_rw_data_file:file { getattr read write append }; 466 467 # Relabel apk files. 468 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 469 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 470 471 # Relabel wallpaper. 472 allow system_server system_data_file:file relabelfrom; 473 allow system_server wallpaper_file:file relabelto; 474 allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 475 476 # Backup of wallpaper imagery uses temporary hard links to avoid data churn 477 allow system_server { system_data_file wallpaper_file }:file link; 478 479 # ShortcutManager icons 480 allow system_server system_data_file:dir relabelfrom; 481 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 482 allow system_server shortcut_manager_icons:file create_file_perms; 483 484 # Manage ringtones. 485 allow system_server ringtone_file:dir { create_dir_perms relabelto }; 486 allow system_server ringtone_file:file create_file_perms; 487 488 # Relabel icon file. 489 allow system_server icon_file:file relabelto; 490 allow system_server icon_file:file { rw_file_perms unlink }; 491 492 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 493 allow system_server system_data_file:dir relabelfrom; 494 495 # Property Service write 496 set_prop(system_server, system_prop) 497 set_prop(system_server, exported_system_prop) 498 set_prop(system_server, exported2_system_prop) 499 set_prop(system_server, exported3_system_prop) 500 set_prop(system_server, safemode_prop) 501 set_prop(system_server, dhcp_prop) 502 set_prop(system_server, net_radio_prop) 503 set_prop(system_server, net_dns_prop) 504 set_prop(system_server, system_radio_prop) 505 set_prop(system_server, exported_system_radio_prop) 506 set_prop(system_server, debug_prop) 507 set_prop(system_server, powerctl_prop) 508 set_prop(system_server, fingerprint_prop) 509 set_prop(system_server, exported_fingerprint_prop) 510 set_prop(system_server, device_logging_prop) 511 set_prop(system_server, dumpstate_options_prop) 512 set_prop(system_server, overlay_prop) 513 set_prop(system_server, exported_overlay_prop) 514 set_prop(system_server, pm_prop) 515 set_prop(system_server, exported_pm_prop) 516 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 517 518 # ctl interface 519 set_prop(system_server, ctl_default_prop) 520 set_prop(system_server, ctl_bugreport_prop) 521 522 # cppreopt property 523 set_prop(system_server, cppreopt_prop) 524 525 # BootReceiver to read ro.boot.bootreason 526 get_prop(system_server, bootloader_boot_reason_prop) 527 # PowerManager to read persist.sys.boot.reason 528 get_prop(system_server, last_boot_reason_prop) 529 530 # Collect metrics on boot time created by init 531 get_prop(system_server, boottime_prop) 532 533 # Read device's serial number from system properties 534 get_prop(system_server, serialno_prop) 535 536 # Read/write the property which keeps track of whether this is the first start of system_server 537 set_prop(system_server, firstboot_prop) 538 539 # Create a socket for connections from debuggerd. 540 allow system_server system_ndebug_socket:sock_file create_file_perms; 541 542 # Manage cache files. 543 allow system_server cache_file:lnk_file r_file_perms; 544 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; 545 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; 546 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; 547 548 allow system_server system_file:dir r_dir_perms; 549 allow system_server system_file:lnk_file r_file_perms; 550 551 # LocationManager(e.g, GPS) needs to read and write 552 # to uart driver and ctrl proc entry 553 allow system_server gps_control:file rw_file_perms; 554 555 # Allow system_server to use app-created sockets and pipes. 556 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 557 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 558 559 # BackupManagerService needs to manipulate backup data files 560 allow system_server cache_backup_file:dir rw_dir_perms; 561 allow system_server cache_backup_file:file create_file_perms; 562 # LocalTransport works inside /cache/backup 563 allow system_server cache_private_backup_file:dir create_dir_perms; 564 allow system_server cache_private_backup_file:file create_file_perms; 565 566 # Allow system to talk to usb device 567 allow system_server usb_device:chr_file rw_file_perms; 568 allow system_server usb_device:dir r_dir_perms; 569 570 # Read from HW RNG (needed by EntropyMixer). 571 allow system_server hw_random_device:chr_file r_file_perms; 572 573 # Read and delete files under /dev/fscklogs. 574 r_dir_file(system_server, fscklogs) 575 allow system_server fscklogs:dir { write remove_name }; 576 allow system_server fscklogs:file unlink; 577 578 # logd access, system_server inherit logd write socket 579 # (urge is to deprecate this long term) 580 allow system_server zygote:unix_dgram_socket write; 581 582 # Read from log daemon. 583 read_logd(system_server) 584 read_runtime_log_tags(system_server) 585 586 # Be consistent with DAC permissions. Allow system_server to write to 587 # /sys/module/lowmemorykiller/parameters/adj 588 # /sys/module/lowmemorykiller/parameters/minfree 589 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 590 591 # Read /sys/fs/pstore/console-ramoops 592 # Don't worry about overly broad permissions for now, as there's 593 # only one file in /sys/fs/pstore 594 allow system_server pstorefs:dir r_dir_perms; 595 allow system_server pstorefs:file r_file_perms; 596 597 # /sys access 598 allow system_server sysfs_zram:dir search; 599 allow system_server sysfs_zram:file r_file_perms; 600 601 add_service(system_server, system_server_service); 602 allow system_server audioserver_service:service_manager find; 603 allow system_server batteryproperties_service:service_manager find; 604 allow system_server cameraserver_service:service_manager find; 605 allow system_server drmserver_service:service_manager find; 606 allow system_server dumpstate_service:service_manager find; 607 allow system_server fingerprintd_service:service_manager find; 608 allow system_server hal_fingerprint_service:service_manager find; 609 allow system_server gatekeeper_service:service_manager find; 610 allow system_server incident_service:service_manager find; 611 allow system_server installd_service:service_manager find; 612 allow system_server keystore_service:service_manager find; 613 allow system_server mediaserver_service:service_manager find; 614 allow system_server mediametrics_service:service_manager find; 615 allow system_server mediaextractor_service:service_manager find; 616 allow system_server mediacodec_service:service_manager find; 617 allow system_server mediadrmserver_service:service_manager find; 618 allow system_server netd_service:service_manager find; 619 allow system_server nfc_service:service_manager find; 620 allow system_server radio_service:service_manager find; 621 allow system_server stats_service:service_manager find; 622 allow system_server storaged_service:service_manager find; 623 allow system_server surfaceflinger_service:service_manager find; 624 allow system_server vold_service:service_manager find; 625 allow system_server wificond_service:service_manager find; 626 627 add_service(system_server, batteryproperties_service) 628 629 allow system_server keystore:keystore_key { 630 get_state 631 get 632 insert 633 delete 634 exist 635 list 636 reset 637 password 638 lock 639 unlock 640 is_empty 641 sign 642 verify 643 grant 644 duplicate 645 clear_uid 646 add_auth 647 user_changed 648 }; 649 650 # Allow system server to search and write to the persistent factory reset 651 # protection partition. This block device does not get wiped in a factory reset. 652 allow system_server block_device:dir search; 653 allow system_server frp_block_device:blk_file rw_file_perms; 654 655 # Clean up old cgroups 656 allow system_server cgroup:dir { remove_name rmdir }; 657 658 # /oem access 659 r_dir_file(system_server, oemfs) 660 661 # Allow resolving per-user storage symlinks 662 allow system_server { mnt_user_file storage_file }:dir { getattr search }; 663 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 664 665 # Allow statfs() on storage devices, which happens fast enough that 666 # we shouldn't be killed during unsafe removal 667 allow system_server sdcard_type:dir { getattr search }; 668 669 # Traverse into expanded storage 670 allow system_server mnt_expand_file:dir r_dir_perms; 671 672 # Allow system process to relabel the fingerprint directory after mkdir 673 # and delete the directory and files when no longer needed 674 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; 675 allow system_server fingerprintd_data_file:file { getattr unlink }; 676 677 # Allow system process to read network MAC address 678 allow system_server sysfs_mac_address:file r_file_perms; 679 680 userdebug_or_eng(` 681 # Allow system server to create and write method traces in /data/misc/trace. 682 allow system_server method_trace_data_file:dir w_dir_perms; 683 allow system_server method_trace_data_file:file { create w_file_perms }; 684 685 # Allow system server to read dmesg 686 allow system_server kernel:system syslog_read; 687 688 # Allow writing and removing window traces in /data/misc/wmtrace. 689 allow system_server wm_trace_data_file:dir rw_dir_perms; 690 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms }; 691 ') 692 693 # For AppFuse. 694 allow system_server vold:fd use; 695 allow system_server fuse_device:chr_file { read write ioctl getattr }; 696 allow system_server app_fuse_file:dir rw_dir_perms; 697 allow system_server app_fuse_file:file { read write open getattr append }; 698 699 # For configuring sdcardfs 700 allow system_server configfs:dir { create_dir_perms }; 701 allow system_server configfs:file { getattr open create unlink write }; 702 703 # Connect to adbd and use a socket transferred from it. 704 # Used for e.g. jdwp. 705 allow system_server adbd:unix_stream_socket connectto; 706 allow system_server adbd:fd use; 707 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; 708 709 # Allow invoking tools like "timeout" 710 allow system_server toolbox_exec:file rx_file_perms; 711 712 # Postinstall 713 # 714 # For OTA dexopt, allow calls coming from postinstall. 715 binder_call(system_server, postinstall) 716 717 allow system_server postinstall:fifo_file write; 718 allow system_server update_engine:fd use; 719 allow system_server update_engine:fifo_file write; 720 721 # Access to /data/preloads 722 allow system_server preloads_data_file:file { r_file_perms unlink }; 723 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir }; 724 allow system_server preloads_media_file:file { r_file_perms unlink }; 725 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir }; 726 727 r_dir_file(system_server, cgroup) 728 allow system_server ion_device:chr_file r_file_perms; 729 730 r_dir_file(system_server, proc_asound) 731 r_dir_file(system_server, proc_net) 732 r_dir_file(system_server, proc_qtaguid_stat) 733 allow system_server { 734 proc_loadavg 735 proc_meminfo 736 proc_pagetypeinfo 737 proc_pipe_conf 738 proc_stat 739 proc_uid_cputime_showstat 740 proc_uid_time_in_state 741 proc_uid_concurrent_active_time 742 proc_uid_concurrent_policy_time 743 proc_version 744 proc_vmallocinfo 745 }:file r_file_perms; 746 747 allow system_server proc_uid_time_in_state:dir r_dir_perms; 748 allow system_server proc_uid_cpupower:file r_file_perms; 749 750 r_dir_file(system_server, rootfs) 751 752 # Allow WifiService to start, stop, and read wifi-specific trace events. 753 allow system_server debugfs_tracing_instances:dir search; 754 allow system_server debugfs_wifi_tracing:dir search; 755 allow system_server debugfs_wifi_tracing:file rw_file_perms; 756 757 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run 758 # asanwrapper. 759 with_asan(` 760 allow system_server shell_exec:file rx_file_perms; 761 allow system_server asanwrapper_exec:file rx_file_perms; 762 allow system_server zygote_exec:file rx_file_perms; 763 ') 764 765 # allow system_server to read the eBPF maps that stores the traffic stats information amd clean up 766 # the map after snapshot is recorded 767 allow system_server fs_bpf:dir search; 768 allow system_server fs_bpf:file read; 769 allow system_server netd:bpf map_read; 770 771 # ART Profiles. 772 # Allow system_server to open profile snapshots for read. 773 # System server never reads the actual content. It passes the descriptor to 774 # to privileged apps which acquire the permissions to inspect the profiles. 775 allow system_server user_profile_data_file:dir { getattr search }; 776 allow system_server user_profile_data_file:file { getattr open read }; 777 778 # System server may dump profile data for debuggable apps in the /data/misc/profman. 779 # As such it needs to be able create files but it should never read from them. 780 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms}; 781 allow system_server profman_dump_data_file:dir w_dir_perms; 782 783 # On userdebug build we may profile system server. Allow it to write and create its own profile. 784 userdebug_or_eng(` 785 allow system_server user_profile_data_file:file create_file_perms; 786 ') 787 788 userdebug_or_eng(` 789 # Allow system server to notify mediaextractor of the plugin update. 790 allow system_server mediaextractor_update_service:service_manager find; 791 ') 792 793 # UsbDeviceManager uses /dev/usb-ffs 794 allow system_server functionfs:dir search; 795 allow system_server functionfs:file rw_file_perms; 796 797 ### 798 ### Neverallow rules 799 ### 800 ### system_server should NEVER do any of this 801 802 # Do not allow opening files from external storage as unsafe ejection 803 # could cause the kernel to kill the system_server. 804 neverallow system_server sdcard_type:dir { open read write }; 805 neverallow system_server sdcard_type:file rw_file_perms; 806 807 # system server should never be operating on zygote spawned app data 808 # files directly. Rather, they should always be passed via a 809 # file descriptor. 810 # Types extracted from seapp_contexts type= fields, excluding 811 # those types that system_server needs to open directly. 812 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link }; 813 814 # Forking and execing is inherently dangerous and racy. See, for 815 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them 816 # Prevent the addition of new file execs to stop the problem from 817 # getting worse. b/28035297 818 neverallow system_server { 819 file_type 820 -toolbox_exec 821 -logcat_exec 822 with_asan(`-shell_exec -asanwrapper_exec -zygote_exec') 823 }:file execute_no_trans; 824 825 # Ensure that system_server doesn't perform any domain transitions other than 826 # transitioning to the crash_dump domain when a crash occurs. 827 neverallow system_server { domain -crash_dump }:process transition; 828 neverallow system_server *:process dyntransition; 829 830 # Only allow crash_dump to connect to system_ndebug_socket. 831 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; 832 833 # system_server should never be executing dex2oat. This is either 834 # a bug (for example, bug 16317188), or represents an attempt by 835 # system server to dynamically load a dex file, something we do not 836 # want to allow. 837 neverallow system_server dex2oat_exec:file no_x_file_perms; 838 839 # system_server should never execute or load executable shared libraries 840 # in /data 841 neverallow system_server data_file_type:file no_x_file_perms; 842 843 # The only block device system_server should be accessing is 844 # the frp_block_device. This helps avoid a system_server to root 845 # escalation by writing to raw block devices. 846 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; 847 848 # system_server should never use JIT functionality 849 neverallow system_server self:process execmem; 850 neverallow system_server ashmem_device:chr_file execute; 851 852 # TODO: deal with tmpfs_domain pub/priv split properly 853 neverallow system_server system_server_tmpfs:file execute; 854 855 # dexoptanalyzer is currently used only for secondary dex files which 856 # system_server should never access. 857 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms; 858 859 # No ptracing others 860 neverallow system_server { domain -system_server }:process ptrace; 861 862 # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID 863 # file read access. However, that is now unnecessary (b/34951864) 864 neverallow system_server system_server:global_capability_class_set sys_resource; 865