Add rules for an unix domain socket for system_server
System_server will listen on incoming packets from zygotes.
Bug: 136036078
Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest
Change-Id: I42feaa317615b90c5277cd82191e677548888a71
diff --git a/private/system_server.te b/private/system_server.te
index 8d4e4f8..64419fe 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,6 +14,9 @@
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
@@ -657,6 +660,9 @@
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -975,6 +981,16 @@
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain