      1 #
      2 # System Server aka system_server spawned by zygote.
      3 # Most of the framework services run in this process.
      4 #
      5 
      6 typeattribute system_server coredomain;
      7 typeattribute system_server mlstrustedsubject;
      8 
      9 # Define a type for tmpfs-backed ashmem regions.
     10 tmpfs_domain(system_server)
     11 
     12 # Create a socket for connections from crash_dump.
     13 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
     14 
     15 allow system_server zygote_tmpfs:file read;
     16 
     17 # For art.
     18 allow system_server dalvikcache_data_file:dir r_dir_perms;
     19 allow system_server dalvikcache_data_file:file r_file_perms;
     20 
     21 # When running system server under --invoke-with, we'll try to load the boot image under the
     22 # system server domain, following links to the system partition.
     23 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
     24 
     25 # /data/resource-cache
     26 allow system_server resourcecache_data_file:file r_file_perms;
     27 allow system_server resourcecache_data_file:dir r_dir_perms;
     28 
     29 # ptrace to processes in the same domain for debugging crashes.
     30 allow system_server self:process ptrace;
     31 
     32 # Child of the zygote.
     33 allow system_server zygote:fd use;
     34 allow system_server zygote:process sigchld;
     35 
     36 # May kill zygote on crashes.
     37 allow system_server zygote:process sigkill;
     38 allow system_server crash_dump:process sigkill;
     39 allow system_server webview_zygote:process sigkill;
     40 
     41 # Read /system/bin/app_process.
     42 allow system_server zygote_exec:file r_file_perms;
     43 
     44 # Needed to close the zygote socket, which involves getopt / getattr
     45 allow system_server zygote:unix_stream_socket { getopt getattr };
     46 
     47 # system server gets network and bluetooth permissions.
     48 net_domain(system_server)
     49 # In addition to the ioctls whitelisted for all domains, also allow system_server
     50 # to use privileged ioctl commands. Needed to set up VPNs.
     51 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
     52 bluetooth_domain(system_server)
     53 
     54 # These are the capabilities assigned by the zygote to the
     55 # system server.
     56 allow system_server self:global_capability_class_set {
     57     ipc_lock
     58     kill
     59     net_admin
     60     net_bind_service
     61     net_broadcast
     62     net_raw
     63     sys_boot
     64     sys_nice
     65     sys_ptrace
     66     sys_time
     67     sys_tty_config
     68 };
     69 
     70 wakelock_use(system_server)
     71 
     72 # Trigger module auto-load.
     73 allow system_server kernel:system module_request;
     74 
     75 # Allow alarmtimers to be set
     76 allow system_server self:global_capability2_class_set wake_alarm;
     77 
     78 # Create and share netlink_netfilter_sockets for tetheroffload.
     79 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
     80 
     81 # Use netlink uevent sockets.
     82 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
     83 
     84 # Use generic netlink sockets.
     85 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
     86 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
     87 
     88 # libvintf reads the kernel config to verify vendor interface compatibility.
     89 allow system_server config_gz:file { read open };
     90 
     91 # Use generic "sockets" where the address family is not known
     92 # to the kernel. The ioctl permission is specifically omitted here, but may
     93 # be added to device specific policy along with the ioctl commands to be
     94 # whitelisted.
     95 allow system_server self:socket create_socket_perms_no_ioctl;
     96 
     97 # Set and get routes directly via netlink.
     98 allow system_server self:netlink_route_socket nlmsg_write;
     99 
    100 # Kill apps.
    101 allow system_server appdomain:process { getpgid sigkill signal };
    102 
    103 # Set scheduling info for apps.
    104 allow system_server appdomain:process { getsched setsched };
    105 allow system_server audioserver:process { getsched setsched };
    106 allow system_server hal_audio:process { getsched setsched };
    107 allow system_server hal_bluetooth:process { getsched setsched };
    108 allow system_server mediacodec:process { getsched setsched };
    109 allow system_server cameraserver:process { getsched setsched };
    110 allow system_server hal_camera:process { getsched setsched };
    111 allow system_server mediaserver:process { getsched setsched };
    112 allow system_server bootanim:process { getsched setsched };
    113 
    114 # Allow system_server to write to /proc/<pid>/timerslack_ns
    115 allow system_server appdomain:file w_file_perms;
    116 allow system_server audioserver:file w_file_perms;
    117 allow system_server mediacodec:file w_file_perms;
    118 allow system_server cameraserver:file w_file_perms;
    119 allow system_server hal_audio_server:file w_file_perms;
    120 
    121 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
    122 # within system_server to keep track of memory and CPU usage for
    123 # all processes on the device. In addition, /proc/pid files access is needed
    124 # for dumping stack traces of native processes.
    125 r_dir_file(system_server, domain)
    126 
    127 # Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
    128 allow system_server qtaguid_proc:file rw_file_perms;
    129 allow system_server qtaguid_device:chr_file rw_file_perms;
    130 
    131 # Write /proc/uid_cputime/remove_uid_range.
    132 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
    133 
    134 # Write /proc/uid_procstat/set.
    135 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
    136 
    137 # Write to /proc/sysrq-trigger.
    138 allow system_server proc_sysrq:file rw_file_perms;
    139 
    140 # Read /sys/kernel/debug/wakeup_sources.
    141 allow system_server debugfs:file r_file_perms;
    142 allow system_server debugfs_wakeup_sources:file r_file_perms;
    143 
    144 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
    145 allow system_server stats_data_file:dir { open read remove_name search write };
    146 allow system_server stats_data_file:file unlink;
    147 
    148 # The DhcpClient and WifiWatchdog use packet_sockets
    149 allow system_server self:packet_socket create_socket_perms_no_ioctl;
    150 
    151 # NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
    152 # as raw sockets, but the kernel doesn't yet distinguish between the two.
    153 allow system_server node:rawip_socket node_bind;
    154 
    155 # 3rd party VPN clients require a tun_socket to be created
    156 allow system_server self:tun_socket create_socket_perms_no_ioctl;
    157 
    158 # Talk to init and various daemons via sockets.
    159 unix_socket_connect(system_server, lmkd, lmkd)
    160 unix_socket_connect(system_server, mtpd, mtp)
    161 unix_socket_connect(system_server, netd, netd)
    162 unix_socket_connect(system_server, zygote, zygote)
    163 unix_socket_connect(system_server, racoon, racoon)
    164 unix_socket_connect(system_server, uncrypt, uncrypt)
    165 
    166 # Communicate over a socket created by surfaceflinger.
    167 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
    168 
    169 # Communicate over a socket created by webview_zygote.
    170 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
    171 
    172 # Perform Binder IPC.
    173 binder_use(system_server)
    174 binder_call(system_server, appdomain)
    175 binder_call(system_server, binderservicedomain)
    176 binder_call(system_server, dumpstate)
    177 binder_call(system_server, fingerprintd)
    178 binder_call(system_server, gatekeeperd)
    179 binder_call(system_server, installd)
    180 binder_call(system_server, incidentd)
    181 binder_call(system_server, netd)
    182 binder_call(system_server, statsd)
    183 binder_call(system_server, storaged)
    184 binder_call(system_server, vold)
    185 binder_call(system_server, wificond)
    186 binder_call(system_server, wpantund)
    187 binder_service(system_server)
    188 
    189 # Use HALs
    190 hal_client_domain(system_server, hal_allocator)
    191 hal_client_domain(system_server, hal_authsecret)
    192 hal_client_domain(system_server, hal_broadcastradio)
    193 hal_client_domain(system_server, hal_configstore)
    194 hal_client_domain(system_server, hal_contexthub)
    195 hal_client_domain(system_server, hal_fingerprint)
    196 hal_client_domain(system_server, hal_gnss)
    197 hal_client_domain(system_server, hal_graphics_allocator)
    198 hal_client_domain(system_server, hal_health)
    199 hal_client_domain(system_server, hal_ir)
    200 hal_client_domain(system_server, hal_light)
    201 hal_client_domain(system_server, hal_memtrack)
    202 hal_client_domain(system_server, hal_neuralnetworks)
    203 hal_client_domain(system_server, hal_oemlock)
    204 allow system_server hal_codec2_hwservice:hwservice_manager find;
    205 allow system_server hal_omx_hwservice:hwservice_manager find;
    206 allow system_server hidl_token_hwservice:hwservice_manager find;
    207 hal_client_domain(system_server, hal_power)
    208 hal_client_domain(system_server, hal_sensors)
    209 hal_client_domain(system_server, hal_tetheroffload)
    210 hal_client_domain(system_server, hal_thermal)
    211 hal_client_domain(system_server, hal_tv_cec)
    212 hal_client_domain(system_server, hal_tv_input)
    213 hal_client_domain(system_server, hal_usb)
    214 hal_client_domain(system_server, hal_usb_gadget)
    215 hal_client_domain(system_server, hal_vibrator)
    216 hal_client_domain(system_server, hal_vr)
    217 hal_client_domain(system_server, hal_weaver)
    218 hal_client_domain(system_server, hal_wifi)
    219 hal_client_domain(system_server, hal_wifi_hostapd)
    220 hal_client_domain(system_server, hal_wifi_offload)
    221 hal_client_domain(system_server, hal_wifi_supplicant)
    222 
    223 binder_call(system_server, mediacodec)
    224 
    225 # Talk with graphics composer fences
    226 allow system_server hal_graphics_composer:fd use;
    227 
    228 # Use RenderScript always-passthrough HAL
    229 allow system_server hal_renderscript_hwservice:hwservice_manager find;
    230 
    231 # Offer HwBinder services
    232 add_hwservice(system_server, fwk_scheduler_hwservice)
    233 add_hwservice(system_server, fwk_sensor_hwservice)
    234 
    235 # Talk to tombstoned to get ANR traces.
    236 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
    237 
    238 # List HAL interfaces to get ANR traces.
    239 allow system_server hwservicemanager:hwservice_manager list;
    240 
    241 # Send signals to trigger ANR traces.
    242 allow system_server {
    243   # This is derived from the list that system server defines as interesting native processes
    244   # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
    245   # frameworks/base/services/core/java/com/android/server/Watchdog.java.
    246   audioserver
    247   cameraserver
    248   drmserver
    249   inputflinger
    250   mediadrmserver
    251   mediaextractor
    252   mediaserver
    253   mediametrics
    254   sdcardd
    255   statsd
    256   surfaceflinger
    257 
    258   # This list comes from HAL_INTERFACES_OF_INTEREST in
    259   # frameworks/base/services/core/java/com/android/server/Watchdog.java.
    260   hal_audio_server
    261   hal_bluetooth_server
    262   hal_camera_server
    263   hal_graphics_composer_server
    264   hal_sensors_server
    265   hal_vr_server
    266   mediacodec # TODO(b/36375899): hal_omx_server
    267 }:process { signal };
    268 
    269 # Use sockets received over binder from various services.
    270 allow system_server audioserver:tcp_socket rw_socket_perms;
    271 allow system_server audioserver:udp_socket rw_socket_perms;
    272 allow system_server mediaserver:tcp_socket rw_socket_perms;
    273 allow system_server mediaserver:udp_socket rw_socket_perms;
    274 
    275 # Use sockets received over binder from various services.
    276 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
    277 allow system_server mediadrmserver:udp_socket rw_socket_perms;
    278 
    279 # Get file context
    280 allow system_server file_contexts_file:file r_file_perms;
    281 # access for mac_permissions
    282 allow system_server mac_perms_file: file r_file_perms;
    283 # Check SELinux permissions.
    284 selinux_check_access(system_server)
    285 
    286 allow system_server sysfs_type:dir search;
    287 
    288 r_dir_file(system_server, sysfs_android_usb)
    289 allow system_server sysfs_android_usb:file w_file_perms;
    290 
    291 r_dir_file(system_server, sysfs_ipv4)
    292 allow system_server sysfs_ipv4:file w_file_perms;
    293 
    294 r_dir_file(system_server, sysfs_rtc)
    295 r_dir_file(system_server, sysfs_switch)
    296 r_dir_file(system_server, sysfs_wakeup_reasons)
    297 
    298 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
    299 allow system_server sysfs_mac_address:file r_file_perms;
    300 allow system_server sysfs_power:dir search;
    301 allow system_server sysfs_power:file rw_file_perms;
    302 allow system_server sysfs_thermal:dir search;
    303 allow system_server sysfs_thermal:file r_file_perms;
    304 
    305 # TODO: Remove when HALs are forced into separate processes
    306 allow system_server sysfs_vibrator:file { write append };
    307 
    308 # TODO: added to match above sysfs rule. Remove me?
    309 allow system_server sysfs_usb:file w_file_perms;
    310 
    311 # Access devices.
    312 allow system_server device:dir r_dir_perms;
    313 allow system_server mdns_socket:sock_file rw_file_perms;
    314 allow system_server alarm_device:chr_file rw_file_perms;
    315 allow system_server gpu_device:chr_file rw_file_perms;
    316 allow system_server iio_device:chr_file rw_file_perms;
    317 allow system_server input_device:dir r_dir_perms;
    318 allow system_server input_device:chr_file rw_file_perms;
    319 allow system_server radio_device:chr_file r_file_perms;
    320 allow system_server tty_device:chr_file rw_file_perms;
    321 allow system_server usbaccessory_device:chr_file rw_file_perms;
    322 allow system_server video_device:dir r_dir_perms;
    323 allow system_server video_device:chr_file rw_file_perms;
    324 allow system_server adbd_socket:sock_file rw_file_perms;
    325 allow system_server rtc_device:chr_file rw_file_perms;
    326 allow system_server audio_device:dir r_dir_perms;
    327 
    328 # write access needed for MIDI
    329 allow system_server audio_device:chr_file rw_file_perms;
    330 
    331 # tun device used for 3rd party vpn apps
    332 allow system_server tun_device:chr_file rw_file_perms;
    333 
    334 # Manage system data files.
    335 allow system_server system_data_file:dir create_dir_perms;
    336 allow system_server system_data_file:notdevfile_class_set create_file_perms;
    337 allow system_server keychain_data_file:dir create_dir_perms;
    338 allow system_server keychain_data_file:file create_file_perms;
    339 allow system_server keychain_data_file:lnk_file create_file_perms;
    340 
    341 # Manage /data/app.
    342 allow system_server apk_data_file:dir create_dir_perms;
    343 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
    344 allow system_server apk_tmp_file:dir create_dir_perms;
    345 allow system_server apk_tmp_file:file create_file_perms;
    346 
    347 # Access /vendor/{app,framework,overlay}
    348 r_dir_file(system_server, vendor_app_file)
    349 r_dir_file(system_server, vendor_framework_file)
    350 r_dir_file(system_server, vendor_overlay_file)
    351 
    352 # Manage /data/app-private.
    353 allow system_server apk_private_data_file:dir create_dir_perms;
    354 allow system_server apk_private_data_file:file create_file_perms;
    355 allow system_server apk_private_tmp_file:dir create_dir_perms;
    356 allow system_server apk_private_tmp_file:file create_file_perms;
    357 
    358 # Manage files within asec containers.
    359 allow system_server asec_apk_file:dir create_dir_perms;
    360 allow system_server asec_apk_file:file create_file_perms;
    361 allow system_server asec_public_file:file create_file_perms;
    362 
    363 # Manage /data/anr.
    364 #
    365 # TODO: Some of these permissions can be withdrawn once we've switched to the
    366 # new stack dumping mechanism, see b/32064548 and the rules below. In particular,
    367 # the system_server should never need to create a new anr_data_file:file or write
    368 # to one, but it will still need to read and append to existing files.
    369 allow system_server anr_data_file:dir create_dir_perms;
    370 allow system_server anr_data_file:file create_file_perms;
    371 
    372 # New stack dumping scheme : request an output FD from tombstoned via a unix
    373 # domain socket.
    374 #
    375 # Allow system_server to connect and write to the tombstoned java trace socket in
    376 # order to dump its traces. Also allow the system server to write its traces to
    377 # dumpstate during bugreport capture and incidentd during incident collection.
    378 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
    379 allow system_server tombstoned:fd use;
    380 allow system_server dumpstate:fifo_file append;
    381 allow system_server incidentd:fifo_file append;
    382 
    383 # Read-only access to /data/misc/incidents. The fd is sent over binder,
    384 # with no DAC access to it, for dropbox to read.
    385 allow system_server incident_data_file:file read;
    386 
    387 # Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
    388 # binder.
    389 allow system_server perfetto_traces_data_file:file read;
    390 allow system_server perfetto:fd use;
    391 
    392 # Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
    393 userdebug_or_eng(`
    394   allow system_server perfprofd_data_file:file read;
    395   allow system_server perfprofd:fd use;
    396 ')
    397 
    398 # Manage /data/backup.
    399 allow system_server backup_data_file:dir create_dir_perms;
    400 allow system_server backup_data_file:file create_file_perms;
    401 
    402 # Write to /data/system/heapdump
    403 allow system_server heapdump_data_file:dir rw_dir_perms;
    404 allow system_server heapdump_data_file:file create_file_perms;
    405 
    406 # Manage /data/misc/adb.
    407 allow system_server adb_keys_file:dir create_dir_perms;
    408 allow system_server adb_keys_file:file create_file_perms;
    409 
    410 # Manage /data/misc/network_watchlist
    411 allow system_server network_watchlist_data_file:dir create_dir_perms;
    412 allow system_server network_watchlist_data_file:file create_file_perms;
    413 
    414 # Manage /data/misc/sms.
    415 # TODO:  Split into a separate type?
    416 allow system_server radio_data_file:dir create_dir_perms;
    417 allow system_server radio_data_file:file create_file_perms;
    418 
    419 # Manage /data/misc/systemkeys.
    420 allow system_server systemkeys_data_file:dir create_dir_perms;
    421 allow system_server systemkeys_data_file:file create_file_perms;
    422 
    423 # Manage /data/misc/textclassifier.
    424 allow system_server textclassifier_data_file:dir create_dir_perms;
    425 allow system_server textclassifier_data_file:file create_file_perms;
    426 
    427 # Access /data/tombstones.
    428 allow system_server tombstone_data_file:dir r_dir_perms;
    429 allow system_server tombstone_data_file:file r_file_perms;
    430 
    431 # Manage /data/misc/vpn.
    432 allow system_server vpn_data_file:dir create_dir_perms;
    433 allow system_server vpn_data_file:file create_file_perms;
    434 
    435 # Manage /data/misc/wifi.
    436 allow system_server wifi_data_file:dir create_dir_perms;
    437 allow system_server wifi_data_file:file create_file_perms;
    438 
    439 # Manage /data/misc/zoneinfo.
    440 allow system_server zoneinfo_data_file:dir create_dir_perms;
    441 allow system_server zoneinfo_data_file:file create_file_perms;
    442 
    443 # Walk /data/data subdirectories.
    444 # Types extracted from seapp_contexts type= fields.
    445 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
    446 # Also permit for unlabeled /data/data subdirectories and
    447 # for unlabeled asec containers on upgrades from 4.2.
    448 allow system_server unlabeled:dir r_dir_perms;
    449 # Read pkg.apk file before it has been relabeled by vold.
    450 allow system_server unlabeled:file r_file_perms;
    451 
    452 # Populate com.android.providers.settings/databases/settings.db.
    453 allow system_server system_app_data_file:dir create_dir_perms;
    454 allow system_server system_app_data_file:file create_file_perms;
    455 
    456 # Receive and use open app data files passed over binder IPC.
    457 # Types extracted from seapp_contexts type= fields.
    458 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
    459 
    460 # Access to /data/media for measuring disk usage.
    461 allow system_server media_rw_data_file:dir { search getattr open read };
    462 
    463 # Receive and use open /data/media files passed over binder IPC.
    464 # Also used for measuring disk usage.
    465 allow system_server media_rw_data_file:file { getattr read write append };
    466 
    467 # Relabel apk files.
    468 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
    469 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
    470 
    471 # Relabel wallpaper.
    472 allow system_server system_data_file:file relabelfrom;
    473 allow system_server wallpaper_file:file relabelto;
    474 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
    475 
    476 # Backup of wallpaper imagery uses temporary hard links to avoid data churn
    477 allow system_server { system_data_file wallpaper_file }:file link;
    478 
    479 # ShortcutManager icons
    480 allow system_server system_data_file:dir relabelfrom;
    481 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
    482 allow system_server shortcut_manager_icons:file create_file_perms;
    483 
    484 # Manage ringtones.
    485 allow system_server ringtone_file:dir { create_dir_perms relabelto };
    486 allow system_server ringtone_file:file create_file_perms;
    487 
    488 # Relabel icon file.
    489 allow system_server icon_file:file relabelto;
    490 allow system_server icon_file:file { rw_file_perms unlink };
    491 
    492 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
    493 allow system_server system_data_file:dir relabelfrom;
    494 
    495 # Property Service write
    496 set_prop(system_server, system_prop)
    497 set_prop(system_server, exported_system_prop)
    498 set_prop(system_server, exported2_system_prop)
    499 set_prop(system_server, exported3_system_prop)
    500 set_prop(system_server, safemode_prop)
    501 set_prop(system_server, dhcp_prop)
    502 set_prop(system_server, net_radio_prop)
    503 set_prop(system_server, net_dns_prop)
    504 set_prop(system_server, system_radio_prop)
    505 set_prop(system_server, exported_system_radio_prop)
    506 set_prop(system_server, debug_prop)
    507 set_prop(system_server, powerctl_prop)
    508 set_prop(system_server, fingerprint_prop)
    509 set_prop(system_server, exported_fingerprint_prop)
    510 set_prop(system_server, device_logging_prop)
    511 set_prop(system_server, dumpstate_options_prop)
    512 set_prop(system_server, overlay_prop)
    513 set_prop(system_server, exported_overlay_prop)
    514 set_prop(system_server, pm_prop)
    515 set_prop(system_server, exported_pm_prop)
    516 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
    517 
    518 # ctl interface
    519 set_prop(system_server, ctl_default_prop)
    520 set_prop(system_server, ctl_bugreport_prop)
    521 
    522 # cppreopt property
    523 set_prop(system_server, cppreopt_prop)
    524 
    525 # BootReceiver to read ro.boot.bootreason
    526 get_prop(system_server, bootloader_boot_reason_prop)
    527 # PowerManager to read persist.sys.boot.reason
    528 get_prop(system_server, last_boot_reason_prop)
    529 
    530 # Collect metrics on boot time created by init
    531 get_prop(system_server, boottime_prop)
    532 
    533 # Read device's serial number from system properties
    534 get_prop(system_server, serialno_prop)
    535 
    536 # Read/write the property which keeps track of whether this is the first start of system_server
    537 set_prop(system_server, firstboot_prop)
    538 
    539 # Create a socket for connections from debuggerd.
    540 allow system_server system_ndebug_socket:sock_file create_file_perms;
    541 
    542 # Manage cache files.
    543 allow system_server cache_file:lnk_file r_file_perms;
    544 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
    545 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
    546 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
    547 
    548 allow system_server system_file:dir r_dir_perms;
    549 allow system_server system_file:lnk_file r_file_perms;
    550 
    551 # LocationManager (e.g., GPS) needs to read and write
    552 # to the UART driver and the ctrl proc entry.
    553 allow system_server gps_control:file rw_file_perms;
    554 
    555 # Allow system_server to use app-created sockets and pipes.
    556 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
    557 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
    558 
    559 # BackupManagerService needs to manipulate backup data files
    560 allow system_server cache_backup_file:dir rw_dir_perms;
    561 allow system_server cache_backup_file:file create_file_perms;
    562 # LocalTransport works inside /cache/backup
    563 allow system_server cache_private_backup_file:dir create_dir_perms;
    564 allow system_server cache_private_backup_file:file create_file_perms;
    565 
    566 # Allow system to talk to usb device
    567 allow system_server usb_device:chr_file rw_file_perms;
    568 allow system_server usb_device:dir r_dir_perms;
    569 
    570 # Read from HW RNG (needed by EntropyMixer).
    571 allow system_server hw_random_device:chr_file r_file_perms;
    572 
    573 # Read and delete files under /dev/fscklogs.
    574 r_dir_file(system_server, fscklogs)
    575 allow system_server fscklogs:dir { write remove_name };
    576 allow system_server fscklogs:file unlink;
    577 
    578 # logd access: system_server inherits the logd write socket
    579 # (the intent is to deprecate this long term).
    580 allow system_server zygote:unix_dgram_socket write;
    581 
    582 # Read from log daemon.
    583 read_logd(system_server)
    584 read_runtime_log_tags(system_server)
    585 
    586 # Be consistent with DAC permissions. Allow system_server to write to
    587 # /sys/module/lowmemorykiller/parameters/adj
    588 # /sys/module/lowmemorykiller/parameters/minfree
    589 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
    590 
    591 # Read /sys/fs/pstore/console-ramoops
    592 # Don't worry about overly broad permissions for now, as there's
    593 # only one file in /sys/fs/pstore
    594 allow system_server pstorefs:dir r_dir_perms;
    595 allow system_server pstorefs:file r_file_perms;
    596 
    597 # /sys access
    598 allow system_server sysfs_zram:dir search;
    599 allow system_server sysfs_zram:file r_file_perms;
    600 
    601 add_service(system_server, system_server_service);
    602 allow system_server audioserver_service:service_manager find;
    603 allow system_server batteryproperties_service:service_manager find;
    604 allow system_server cameraserver_service:service_manager find;
    605 allow system_server drmserver_service:service_manager find;
    606 allow system_server dumpstate_service:service_manager find;
    607 allow system_server fingerprintd_service:service_manager find;
    608 allow system_server hal_fingerprint_service:service_manager find;
    609 allow system_server gatekeeper_service:service_manager find;
    610 allow system_server incident_service:service_manager find;
    611 allow system_server installd_service:service_manager find;
    612 allow system_server keystore_service:service_manager find;
    613 allow system_server mediaserver_service:service_manager find;
    614 allow system_server mediametrics_service:service_manager find;
    615 allow system_server mediaextractor_service:service_manager find;
    616 allow system_server mediacodec_service:service_manager find;
    617 allow system_server mediadrmserver_service:service_manager find;
    618 allow system_server netd_service:service_manager find;
    619 allow system_server nfc_service:service_manager find;
    620 allow system_server radio_service:service_manager find;
    621 allow system_server stats_service:service_manager find;
    622 allow system_server storaged_service:service_manager find;
    623 allow system_server surfaceflinger_service:service_manager find;
    624 allow system_server vold_service:service_manager find;
    625 allow system_server wificond_service:service_manager find;
    626 
    627 add_service(system_server, batteryproperties_service)
    628 
    629 allow system_server keystore:keystore_key {
    630 	get_state
    631 	get
    632 	insert
    633 	delete
    634 	exist
    635 	list
    636 	reset
    637 	password
    638 	lock
    639 	unlock
    640 	is_empty
    641 	sign
    642 	verify
    643 	grant
    644 	duplicate
    645 	clear_uid
    646 	add_auth
    647 	user_changed
    648 };
    649 
    650 # Allow system server to search and write to the persistent factory reset
    651 # protection partition. This block device does not get wiped in a factory reset.
    652 allow system_server block_device:dir search;
    653 allow system_server frp_block_device:blk_file rw_file_perms;
    654 
    655 # Clean up old cgroups
    656 allow system_server cgroup:dir { remove_name rmdir };
    657 
    658 # /oem access
    659 r_dir_file(system_server, oemfs)
    660 
    661 # Allow resolving per-user storage symlinks
    662 allow system_server { mnt_user_file storage_file }:dir { getattr search };
    663 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
    664 
    665 # Allow statfs() on storage devices, which happens fast enough that
    666 # we shouldn't be killed during unsafe removal
    667 allow system_server sdcard_type:dir { getattr search };
    668 
    669 # Traverse into expanded storage
    670 allow system_server mnt_expand_file:dir r_dir_perms;
    671 
    672 # Allow system process to relabel the fingerprint directory after mkdir
    673 # and delete the directory and files when no longer needed
    674 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
    675 allow system_server fingerprintd_data_file:file { getattr unlink };
    676 
    677 # Allow system process to read network MAC address
    678 allow system_server sysfs_mac_address:file r_file_perms;
    679 
    680 userdebug_or_eng(`
    681   # Allow system server to create and write method traces in /data/misc/trace.
    682   allow system_server method_trace_data_file:dir w_dir_perms;
    683   allow system_server method_trace_data_file:file { create w_file_perms };
    684 
    685   # Allow system server to read dmesg
    686   allow system_server kernel:system syslog_read;
    687 
    688   # Allow writing and removing window traces in /data/misc/wmtrace.
    689   allow system_server wm_trace_data_file:dir rw_dir_perms;
    690   allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
    691 ')
    692 
    693 # For AppFuse.
    694 allow system_server vold:fd use;
    695 allow system_server fuse_device:chr_file { read write ioctl getattr };
    696 allow system_server app_fuse_file:dir rw_dir_perms;
    697 allow system_server app_fuse_file:file { read write open getattr append };
    698 
    699 # For configuring sdcardfs
    700 allow system_server configfs:dir { create_dir_perms };
    701 allow system_server configfs:file { getattr open create unlink write };
    702 
    703 # Connect to adbd and use a socket transferred from it.
    704 # Used for e.g. jdwp.
    705 allow system_server adbd:unix_stream_socket connectto;
    706 allow system_server adbd:fd use;
    707 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
    708 
    709 # Allow invoking tools like "timeout"
    710 allow system_server toolbox_exec:file rx_file_perms;
    711 
    712 # Postinstall
    713 #
    714 # For OTA dexopt, allow calls coming from postinstall.
    715 binder_call(system_server, postinstall)
    716 
    717 allow system_server postinstall:fifo_file write;
    718 allow system_server update_engine:fd use;
    719 allow system_server update_engine:fifo_file write;
    720 
    721 # Access to /data/preloads
    722 allow system_server preloads_data_file:file { r_file_perms unlink };
    723 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
    724 allow system_server preloads_media_file:file { r_file_perms unlink };
    725 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
    726 
    727 r_dir_file(system_server, cgroup)
    728 allow system_server ion_device:chr_file r_file_perms;
    729 
    730 r_dir_file(system_server, proc_asound)
    731 r_dir_file(system_server, proc_net)
    732 r_dir_file(system_server, proc_qtaguid_stat)
    733 allow system_server {
    734   proc_loadavg
    735   proc_meminfo
    736   proc_pagetypeinfo
    737   proc_pipe_conf
    738   proc_stat
    739   proc_uid_cputime_showstat
    740   proc_uid_time_in_state
    741   proc_uid_concurrent_active_time
    742   proc_uid_concurrent_policy_time
    743   proc_version
    744   proc_vmallocinfo
    745 }:file r_file_perms;
    746 
    747 allow system_server proc_uid_time_in_state:dir r_dir_perms;
    748 allow system_server proc_uid_cpupower:file r_file_perms;
    749 
    750 r_dir_file(system_server, rootfs)
    751 
    752 # Allow WifiService to start, stop, and read wifi-specific trace events.
    753 allow system_server debugfs_tracing_instances:dir search;
    754 allow system_server debugfs_wifi_tracing:dir search;
    755 allow system_server debugfs_wifi_tracing:file rw_file_perms;
    756 
    757 # Allow system_server to exec shell, asanwrapper and zygote (app_process) on ASAN builds;
    758 # this is needed to run asanwrapper.
    759 with_asan(`
    760   allow system_server shell_exec:file rx_file_perms;
    761   allow system_server asanwrapper_exec:file rx_file_perms;
    762   allow system_server zygote_exec:file rx_file_perms;
    763 ')
    764 
    765 # Allow system_server to read the eBPF maps that store the traffic stats information and clean up
    766 # the map after a snapshot is recorded.
    767 allow system_server fs_bpf:dir search;
    768 allow system_server fs_bpf:file read;
    769 allow system_server netd:bpf map_read;
    770 
    771 # ART Profiles.
    772 # Allow system_server to open profile snapshots for read.
    773 # System server never reads the actual content. It passes the descriptor
    774 # to privileged apps which acquire the permissions to inspect the profiles.
    775 allow system_server user_profile_data_file:dir { getattr search };
    776 allow system_server user_profile_data_file:file { getattr open read };
    777 
    778 # System server may dump profile data for debuggable apps in /data/misc/profman.
    779 # As such it needs to be able to create files there, but it should never read from them.
    780 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
    781 allow system_server profman_dump_data_file:dir w_dir_perms;
    782 
    783 # On userdebug builds we may profile system server. Allow it to write and create its own profile.
    784 userdebug_or_eng(`
    785   allow system_server user_profile_data_file:file create_file_perms;
    786 ')
    787 
    788 userdebug_or_eng(`
    789   # Allow system server to notify mediaextractor of the plugin update.
    790   allow system_server mediaextractor_update_service:service_manager find;
    791 ')
    792 
    793 # UsbDeviceManager uses /dev/usb-ffs
    794 allow system_server functionfs:dir search;
    795 allow system_server functionfs:file rw_file_perms;
    796 
    797 ###
    798 ### Neverallow rules
    799 ###
    800 ### system_server should NEVER do any of this
    801 
    802 # Do not allow opening files from external storage as unsafe ejection
    803 # could cause the kernel to kill the system_server.
    804 neverallow system_server sdcard_type:dir { open read write };
    805 neverallow system_server sdcard_type:file rw_file_perms;
    806 
    807 # system_server should never be operating on zygote-spawned app data
    808 # files directly. Rather, they should always be passed via a
    809 # file descriptor.
    810 # Types extracted from seapp_contexts type= fields, excluding
    811 # those types that system_server needs to open directly.
    812 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
    813 
    814 # Forking and execing is inherently dangerous and racy. See, for
    815 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
    816 # Prevent the addition of new file execs to stop the problem from
    817 # getting worse. b/28035297
    818 neverallow system_server {
    819   file_type
    820   -toolbox_exec
    821   -logcat_exec
    822   with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
    823 }:file execute_no_trans;
    824 
    825 # Ensure that system_server doesn't perform any domain transitions other than
    826 # transitioning to the crash_dump domain when a crash occurs.
    827 neverallow system_server { domain -crash_dump }:process transition;
    828 neverallow system_server *:process dyntransition;
    829 
    830 # Only crash_dump (besides init and system_server itself) may open or write system_ndebug_socket.
    831 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
    832 
    833 # system_server should never be executing dex2oat. This is either
    834 # a bug (for example, bug 16317188), or represents an attempt by
    835 # system server to dynamically load a dex file, something we do not
    836 # want to allow.
    837 neverallow system_server dex2oat_exec:file no_x_file_perms;
    838 
    839 # system_server should never execute or load executable shared libraries
    840 # in /data
    841 neverallow system_server data_file_type:file no_x_file_perms;
    842 
    843 # The only block device system_server should be accessing is
    844 # the frp_block_device. This helps avoid a system_server-to-root
    845 # escalation by writing to raw block devices.
    846 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
    847 
    848 # system_server should never use JIT functionality
    849 neverallow system_server self:process execmem;
    850 neverallow system_server ashmem_device:chr_file execute;
    851 
    852 # TODO: deal with tmpfs_domain pub/priv split properly
    853 neverallow system_server system_server_tmpfs:file execute;
    854 
    855 # dexoptanalyzer is currently used only for secondary dex files which
    856 # system_server should never access.
    857 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
    858 
    859 # No ptracing others
    860 neverallow system_server { domain -system_server }:process ptrace;
    861 
    862 # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
    863 # file read access. However, that is now unnecessary (b/34951864)
    864 neverallow system_server system_server:global_capability_class_set sys_resource;
    865