Add rules for an unix domain socket for system_server

System_server will listen for incoming packets from zygotes.

Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
diff --git a/private/app_zygote.te b/private/app_zygote.te
index c111ac8..5f20086 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -70,6 +70,9 @@
 allow app_zygote system_data_file:lnk_file r_file_perms;
 allow app_zygote system_data_file:file { getattr read map };
 
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
 #####
 ##### Neverallow
 #####
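Review bot: The comment on the added `unix_socket_send(app_zygote, system_unsolzygote, system_server)` line does not record which socket is used or that this opens a new path from app_zygote into system_server. If app_zygote can run application-supplied code (not visible in this diff), whatever system_server reads from the socket is untrusted input and needs validating on the receiving side. I would expand the comment to `# Send unsolicited datagrams to system_server via /data/system/unsolzygotesocket; system_server must treat the payload as untrusted.` The same one-line comment appears in the webview_zygote.te and zygote.te hunks and could carry the same wording.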
@@ -136,6 +139,7 @@
   domain
   -app_zygote
   -logd
+  -system_server
   userdebug_or_eng(`-su')
   userdebug_or_eng(`-heapprofd')
 }:unix_dgram_socket *;
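Review bot: Adding `-system_server` to this exemption set lifts the neverallow for every permission on system_server's unix_dgram_socket, because the statement ends in `*`, although sending a datagram should need only `sendto`. The statement begins outside the hunk, so I am assuming its source is app_zygote. If so, a companion rule such as `neverallow app_zygote system_server:unix_dgram_socket ~{ sendto };` would keep the rest of the restriction in place. Any comment above the statement that lists the permitted peers should also be updated to mention system_server.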
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index d761865..7693585 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -65,6 +65,7 @@
     system_group_file
     system_jvmti_agent_prop
     system_passwd_file
+    system_unsolzygote_socket
     tethering_service
     timezonedetector_service
     usb_serial_device
diff --git a/private/file_contexts b/private/file_contexts
index 560d190..96fd35b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -465,6 +465,7 @@
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
+/data/system/unsolzygotesocket  u:object_r:system_unsolzygote_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 8d4e4f8..64419fe 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,6 +14,9 @@
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
 allow system_server zygote_tmpfs:file read;
 allow system_server appdomain_tmpfs:file { getattr map read write };
 
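Review bot: The added comment says the socket is for "connections from zygotes", but the rest of the commit points to a connectionless datagram socket. The zygote-side rules use unix_socket_send, and the app_zygote neverallow is relaxed for unix_dgram_socket. Wording such as `# Create a datagram socket for unsolicited messages from zygotes.` would be more precise. The identical comment in the next hunk, above the `create_file_perms` allow rule, has the same issue. The comment could also state that the file name in the type_transition must stay in step with the `/data/system/unsolzygotesocket` entry in file_contexts.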
@@ -657,6 +660,9 @@
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
 # Manage cache files.
 allow system_server cache_file:lnk_file r_file_perms;
 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -975,6 +981,16 @@
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+  domain
+  -init
+  -system_server
+  -zygote
+  -app_zygote
+  -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
 neverallow {
   domain
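Review bot: The new neverallow restricts only `{ open write }` on system_unsolzygote_socket:sock_file, so it does not stop a later policy change from letting another domain remove or replace the socket node. Only system_server is meant to create the socket, per the allow rule earlier in this file. Consider adding `neverallow { domain -init -system_server } system_unsolzygote_socket:sock_file { create unlink rename };`, after checking it against domains that hold broad file_type permissions. The hunk's trailing context lines belong to the next neverallow, which continues outside the hunk.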
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 8fe9733..c618253 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -77,6 +77,9 @@
 
 allow webview_zygote system_data_file:lnk_file r_file_perms;
 
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
 #####
 ##### Neverallow
 #####
diff --git a/private/zygote.te b/private/zygote.te
index 6ad6db4..da06837 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -176,6 +176,9 @@
 # Allow zygote to use ashmem fds from system_server.
 allow zygote system_server:fd use;
 
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
 ###
 ### neverallow rules
 ###