Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4ff233326b7f157dc32012460c89e3cc6b103666 / . / private / system_server.te
blob: 2c132ea460308dd94c60588ff46b75821f5fe3e6 [file] [log] [blame]
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
6typeattribute system_server domain_deprecated;
7typeattribute system_server mlstrustedsubject;
8
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]9# Define a type for tmpfs-backed ashmem regions.
10tmpfs_domain(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]11
Josh Gaocb3eb4e2016-10-19 14:39:30 -0700[diff] [blame]12# Create a socket for connections from crash_dump.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]13type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]14
15allow system_server zygote_tmpfs:file read;
16
17# Create a socket for receiving info from wpa.
18type_transition system_server wifi_data_file:sock_file system_wpa_socket;
19type_transition system_server wpa_socket:sock_file system_wpa_socket;
20
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]21# For art.
22allow system_server dalvikcache_data_file:dir r_dir_perms;
23allow system_server dalvikcache_data_file:file { r_file_perms execute };
24
25# Enable system server to check the foreign dex usage markers.
26# We need search on top level directories so that we can get to the files
27allow system_server user_profile_data_file:dir search;
28allow system_server user_profile_data_file:file getattr;
29allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
30allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
31
32# /data/resource-cache
33allow system_server resourcecache_data_file:file r_file_perms;
34allow system_server resourcecache_data_file:dir r_dir_perms;
35
36# ptrace to processes in the same domain for debugging crashes.
37allow system_server self:process ptrace;
38
39# Child of the zygote.
40allow system_server zygote:fd use;
41allow system_server zygote:process sigchld;
42
43# May kill zygote on crashes.
44allow system_server zygote:process sigkill;
45allow system_server crash_dump:process sigkill;
46
47# Read /system/bin/app_process.
48allow system_server zygote_exec:file r_file_perms;
49
50# Needed to close the zygote socket, which involves getopt / getattr
51allow system_server zygote:unix_stream_socket { getopt getattr };
52
53# system server gets network and bluetooth permissions.
54net_domain(system_server)
55# in addition to ioctls whitelisted for all domains, also allow system_server
56# to use privileged ioctls commands. Needed to set up VPNs.
57allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
58bluetooth_domain(system_server)
59
60# These are the capabilities assigned by the zygote to the
61# system server.
62allow system_server self:capability {
63 ipc_lock
64 kill
65 net_admin
66 net_bind_service
67 net_broadcast
68 net_raw
69 sys_boot
70 sys_nice
Nick Kralevich44866952017-02-15 15:04:43 -0800[diff] [blame]71 sys_ptrace
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]72 sys_time
73 sys_tty_config
74};
75
76wakelock_use(system_server)
77
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]78# Trigger module auto-load.
79allow system_server kernel:system module_request;
80
81# Allow alarmtimers to be set
82allow system_server self:capability2 wake_alarm;
83
84# Use netlink uevent sockets.
85allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
86
87# Use generic netlink sockets.
88allow system_server self:netlink_socket create_socket_perms_no_ioctl;
89allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
90
91# Use generic "sockets" where the address family is not known
92# to the kernel. The ioctl permission is specifically omitted here, but may
93# be added to device specific policy along with the ioctl commands to be
94# whitelisted.
95allow system_server self:socket create_socket_perms_no_ioctl;
96
97# Set and get routes directly via netlink.
98allow system_server self:netlink_route_socket nlmsg_write;
99
100# Kill apps.
101allow system_server appdomain:process { sigkill signal };
102
103# Set scheduling info for apps.
104allow system_server appdomain:process { getsched setsched };
105allow system_server audioserver:process { getsched setsched };
106allow system_server hal_audio:process { getsched setsched };
107allow system_server cameraserver:process { getsched setsched };
Eino-Ville Talvala6d53c9e2017-02-15 13:38:25 -0800[diff] [blame]108allow system_server hal_camera:process { getsched setsched };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]109allow system_server mediaserver:process { getsched setsched };
110allow system_server bootanim:process { getsched setsched };
111
112# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
113# within system_server to keep track of memory and CPU usage for
114# all processes on the device. In addition, /proc/pid files access is needed
115# for dumping stack traces of native processes.
116r_dir_file(system_server, domain)
117
118# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
119allow system_server qtaguid_proc:file rw_file_perms;
120allow system_server qtaguid_device:chr_file rw_file_perms;
121
122# Read /proc/uid_cputime/show_uid_stat.
123allow system_server proc_uid_cputime_showstat:file r_file_perms;
124
125# Write /proc/uid_cputime/remove_uid_range.
126allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
127
128# Write /proc/uid_procstat/set.
129allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
130
131# Write to /proc/sysrq-trigger.
132allow system_server proc_sysrq:file rw_file_perms;
133
134# Read /proc/stat for CPU usage statistics
135allow system_server proc_stat:file r_file_perms;
136
137# Read /sys/kernel/debug/wakeup_sources.
138allow system_server debugfs:file r_file_perms;
139
140# The DhcpClient and WifiWatchdog use packet_sockets
141allow system_server self:packet_socket create_socket_perms_no_ioctl;
142
143# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
144# as raw sockets, but the kernel doesn't yet distinguish between the two.
145allow system_server node:rawip_socket node_bind;
146
147# 3rd party VPN clients require a tun_socket to be created
148allow system_server self:tun_socket create_socket_perms_no_ioctl;
149
150# Talk to init and various daemons via sockets.
151unix_socket_connect(system_server, lmkd, lmkd)
152unix_socket_connect(system_server, mtpd, mtp)
153unix_socket_connect(system_server, netd, netd)
154unix_socket_connect(system_server, vold, vold)
155unix_socket_connect(system_server, webview_zygote, webview_zygote)
156unix_socket_connect(system_server, zygote, zygote)
157unix_socket_connect(system_server, racoon, racoon)
158unix_socket_send(system_server, wpa, wpa)
159unix_socket_connect(system_server, uncrypt, uncrypt)
160
161# Communicate over a socket created by surfaceflinger.
162allow system_server surfaceflinger:unix_stream_socket { read write setopt };
163
164# Perform Binder IPC.
165binder_use(system_server)
166binder_call(system_server, appdomain)
167binder_call(system_server, binderservicedomain)
168binder_call(system_server, dumpstate)
169binder_call(system_server, fingerprintd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]170binder_call(system_server, gatekeeperd)
171binder_call(system_server, installd)
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]172binder_call(system_server, incidentd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]173binder_call(system_server, netd)
174binder_call(system_server, wificond)
175binder_service(system_server)
176
177# Perform HwBinder IPC.
178hwbinder_use(system_server)
Pawin Vongmasa5559d212017-01-24 02:45:16 -0800[diff] [blame]179hwallocator_use(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]180binder_call(system_server, hal_boot)
181binder_call(system_server, hal_contexthub)
Alex Klyubinf98650e2017-02-21 15:35:16 -0800[diff] [blame]182hal_client_domain(system_server, hal_fingerprint)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]183binder_call(system_server, hal_gnss);
184binder_call(system_server, hal_ir)
185binder_call(system_server, hal_light)
186binder_call(system_server, hal_memtrack)
187binder_call(system_server, hal_power)
188binder_call(system_server, hal_sensors)
189binder_call(system_server, hal_thermal)
190binder_call(system_server, hal_usb)
191binder_call(system_server, hal_vibrator)
192binder_call(system_server, hal_vr)
Alex Klyubin1d2a1472017-02-22 15:12:19 -0800[diff] [blame]193hal_client_domain(system_server, hal_wifi)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]194binder_call(system_server, wpa)
195
196# Talk to tombstoned to get ANR traces.
197unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
198
199# Send signals to trigger ANR traces.
200# This is derived from the list that system server defines as interesting native processes
201# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
202# frameworks/base/services/core/java/com/android/server/Watchdog.java.
203allow system_server {
204 audioserver
205 cameraserver
206 drmserver
207 inputflinger
208 mediacodec
209 mediadrmserver
210 mediaextractor
211 mediaserver
212 mediametrics
213 sdcardd
214 surfaceflinger
215}:process { signal };
216
217# Use sockets received over binder from various services.
218allow system_server audioserver:tcp_socket rw_socket_perms;
219allow system_server audioserver:udp_socket rw_socket_perms;
220allow system_server mediaserver:tcp_socket rw_socket_perms;
221allow system_server mediaserver:udp_socket rw_socket_perms;
222
223# Use sockets received over binder from various services.
224allow system_server mediadrmserver:tcp_socket rw_socket_perms;
225allow system_server mediadrmserver:udp_socket rw_socket_perms;
226
227# Check SELinux permissions.
228selinux_check_access(system_server)
229
230# XXX Label sysfs files with a specific type?
231allow system_server sysfs:file rw_file_perms;
232allow system_server sysfs_nfc_power_writable:file rw_file_perms;
233allow system_server sysfs_devices_system_cpu:file w_file_perms;
234allow system_server sysfs_mac_address:file r_file_perms;
235allow system_server sysfs_thermal:dir search;
236allow system_server sysfs_thermal:file r_file_perms;
237
238# TODO: Remove when HALs are forced into separate processes
239allow system_server sysfs_vibrator:file { write append };
240
241# TODO: added to match above sysfs rule. Remove me?
242allow system_server sysfs_usb:file w_file_perms;
243
244# Access devices.
245allow system_server device:dir r_dir_perms;
246allow system_server mdns_socket:sock_file rw_file_perms;
247allow system_server alarm_device:chr_file rw_file_perms;
248allow system_server gpu_device:chr_file rw_file_perms;
249allow system_server iio_device:chr_file rw_file_perms;
250allow system_server input_device:dir r_dir_perms;
251allow system_server input_device:chr_file rw_file_perms;
252allow system_server radio_device:chr_file r_file_perms;
253allow system_server tty_device:chr_file rw_file_perms;
254allow system_server usbaccessory_device:chr_file rw_file_perms;
255allow system_server video_device:dir r_dir_perms;
256allow system_server video_device:chr_file rw_file_perms;
257allow system_server adbd_socket:sock_file rw_file_perms;
258allow system_server rtc_device:chr_file rw_file_perms;
259allow system_server audio_device:dir r_dir_perms;
260
261# write access needed for MIDI
262allow system_server audio_device:chr_file rw_file_perms;
263
264# tun device used for 3rd party vpn apps
265allow system_server tun_device:chr_file rw_file_perms;
266
267# Manage system data files.
268allow system_server system_data_file:dir create_dir_perms;
269allow system_server system_data_file:notdevfile_class_set create_file_perms;
270allow system_server keychain_data_file:dir create_dir_perms;
271allow system_server keychain_data_file:file create_file_perms;
272allow system_server keychain_data_file:lnk_file create_file_perms;
273
274# Manage /data/app.
275allow system_server apk_data_file:dir create_dir_perms;
276allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
277allow system_server apk_tmp_file:dir create_dir_perms;
278allow system_server apk_tmp_file:file create_file_perms;
279
280# Manage /data/app-private.
281allow system_server apk_private_data_file:dir create_dir_perms;
282allow system_server apk_private_data_file:file create_file_perms;
283allow system_server apk_private_tmp_file:dir create_dir_perms;
284allow system_server apk_private_tmp_file:file create_file_perms;
285
286# Manage files within asec containers.
287allow system_server asec_apk_file:dir create_dir_perms;
288allow system_server asec_apk_file:file create_file_perms;
289allow system_server asec_public_file:file create_file_perms;
290
291# Manage /data/anr.
292allow system_server anr_data_file:dir create_dir_perms;
293allow system_server anr_data_file:file create_file_perms;
294
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]295# Read /data/misc/incidents - only read. The fd will be sent over binder,
296# with no DAC access to it, for dropbox to read.
297allow system_server incident_data_file:file read;
298
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]299# Manage /data/backup.
300allow system_server backup_data_file:dir create_dir_perms;
301allow system_server backup_data_file:file create_file_perms;
302
303# Write to /data/system/heapdump
304allow system_server heapdump_data_file:dir rw_dir_perms;
305allow system_server heapdump_data_file:file create_file_perms;
306
307# Manage /data/misc/adb.
308allow system_server adb_keys_file:dir create_dir_perms;
309allow system_server adb_keys_file:file create_file_perms;
310
311# Manage /data/misc/sms.
312# TODO: Split into a separate type?
313allow system_server radio_data_file:dir create_dir_perms;
314allow system_server radio_data_file:file create_file_perms;
315
316# Manage /data/misc/systemkeys.
317allow system_server systemkeys_data_file:dir create_dir_perms;
318allow system_server systemkeys_data_file:file create_file_perms;
319
320# Access /data/tombstones.
321allow system_server tombstone_data_file:dir r_dir_perms;
322allow system_server tombstone_data_file:file r_file_perms;
323
324# Manage /data/misc/vpn.
325allow system_server vpn_data_file:dir create_dir_perms;
326allow system_server vpn_data_file:file create_file_perms;
327
328# Manage /data/misc/wifi.
329allow system_server wifi_data_file:dir create_dir_perms;
330allow system_server wifi_data_file:file create_file_perms;
331
332# Manage /data/misc/zoneinfo.
333allow system_server zoneinfo_data_file:dir create_dir_perms;
334allow system_server zoneinfo_data_file:file create_file_perms;
335
336# Walk /data/data subdirectories.
337# Types extracted from seapp_contexts type= fields.
338allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
339# Also permit for unlabeled /data/data subdirectories and
340# for unlabeled asec containers on upgrades from 4.2.
341allow system_server unlabeled:dir r_dir_perms;
342# Read pkg.apk file before it has been relabeled by vold.
343allow system_server unlabeled:file r_file_perms;
344
345# Populate com.android.providers.settings/databases/settings.db.
346allow system_server system_app_data_file:dir create_dir_perms;
347allow system_server system_app_data_file:file create_file_perms;
348
349# Receive and use open app data files passed over binder IPC.
350# Types extracted from seapp_contexts type= fields.
351allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
352
353# Access to /data/media for measuring disk usage.
354allow system_server media_rw_data_file:dir { search getattr open read };
355
356# Receive and use open /data/media files passed over binder IPC.
357# Also used for measuring disk usage.
358allow system_server media_rw_data_file:file { getattr read write append };
359
360# Relabel apk files.
361allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
362allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
363
364# Relabel wallpaper.
365allow system_server system_data_file:file relabelfrom;
366allow system_server wallpaper_file:file relabelto;
367allow system_server wallpaper_file:file { rw_file_perms rename unlink };
368
369# Backup of wallpaper imagery uses temporary hard links to avoid data churn
370allow system_server { system_data_file wallpaper_file }:file link;
371
372# ShortcutManager icons
373allow system_server system_data_file:dir relabelfrom;
374allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
375allow system_server shortcut_manager_icons:file create_file_perms;
376
377# Manage ringtones.
378allow system_server ringtone_file:dir { create_dir_perms relabelto };
379allow system_server ringtone_file:file create_file_perms;
380
381# Relabel icon file.
382allow system_server icon_file:file relabelto;
383allow system_server icon_file:file { rw_file_perms unlink };
384
385# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
386allow system_server system_data_file:dir relabelfrom;
387
388# Property Service write
389set_prop(system_server, system_prop)
390set_prop(system_server, safemode_prop)
391set_prop(system_server, dhcp_prop)
392set_prop(system_server, net_radio_prop)
Nick Kralevich4e404292017-02-09 16:08:11 -0800[diff] [blame]393set_prop(system_server, net_dns_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]394set_prop(system_server, system_radio_prop)
395set_prop(system_server, debug_prop)
396set_prop(system_server, powerctl_prop)
397set_prop(system_server, fingerprint_prop)
398set_prop(system_server, device_logging_prop)
399set_prop(system_server, wifi_prop)
400set_prop(system_server, dumpstate_options_prop)
401set_prop(system_server, overlay_prop)
402userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
403
404# ctl interface
405set_prop(system_server, ctl_default_prop)
406set_prop(system_server, ctl_bugreport_prop)
407
408# cppreopt property
409set_prop(system_server, cppreopt_prop)
410
411# Collect metrics on boot time created by init
412get_prop(system_server, boottime_prop)
413
414# Read device's serial number from system properties
415get_prop(system_server, serialno_prop)
416
417# Read/write the property which keeps track of whether this is the first start of system_server
418set_prop(system_server, firstboot_prop)
419
420# Create a socket for receiving info from wpa.
421allow system_server wpa_socket:dir rw_dir_perms;
422allow system_server system_wpa_socket:sock_file create_file_perms;
423
424# Remove sockets created by wpa_supplicant
425allow system_server wpa_socket:sock_file unlink;
426
427# Create a socket for connections from debuggerd.
428allow system_server system_ndebug_socket:sock_file create_file_perms;
429
430# Manage cache files.
431allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
432allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
433allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
434
435allow system_server system_file:dir r_dir_perms;
436allow system_server system_file:lnk_file r_file_perms;
437
438# LocationManager(e.g, GPS) needs to read and write
439# to uart driver and ctrl proc entry
440allow system_server gps_control:file rw_file_perms;
441
442# Allow system_server to use app-created sockets and pipes.
443allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
444allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
445
446# Allow abstract socket connection
447allow system_server rild:unix_stream_socket connectto;
448
449# BackupManagerService needs to manipulate backup data files
450allow system_server cache_backup_file:dir rw_dir_perms;
451allow system_server cache_backup_file:file create_file_perms;
452# LocalTransport works inside /cache/backup
453allow system_server cache_private_backup_file:dir create_dir_perms;
454allow system_server cache_private_backup_file:file create_file_perms;
455
456# Allow system to talk to usb device
457allow system_server usb_device:chr_file rw_file_perms;
458allow system_server usb_device:dir r_dir_perms;
459
460# Allow system to talk to sensors
461allow system_server sensors_device:chr_file rw_file_perms;
462
463# Read from HW RNG (needed by EntropyMixer).
464allow system_server hw_random_device:chr_file r_file_perms;
465
466# Read and delete files under /dev/fscklogs.
467r_dir_file(system_server, fscklogs)
468allow system_server fscklogs:dir { write remove_name };
469allow system_server fscklogs:file unlink;
470
471# logd access, system_server inherit logd write socket
472# (urge is to deprecate this long term)
473allow system_server zygote:unix_dgram_socket write;
474
475# Read from log daemon.
476read_logd(system_server)
477read_runtime_log_tags(system_server)
478
479# Be consistent with DAC permissions. Allow system_server to write to
480# /sys/module/lowmemorykiller/parameters/adj
481# /sys/module/lowmemorykiller/parameters/minfree
482allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
483
484# Read /sys/fs/pstore/console-ramoops
485# Don't worry about overly broad permissions for now, as there's
486# only one file in /sys/fs/pstore
487allow system_server pstorefs:dir r_dir_perms;
488allow system_server pstorefs:file r_file_perms;
489
490# /sys access
491allow system_server sysfs_zram:dir search;
492allow system_server sysfs_zram:file r_file_perms;
493
494add_service(system_server, system_server_service);
495allow system_server audioserver_service:service_manager find;
496allow system_server batteryproperties_service:service_manager find;
497allow system_server cameraserver_service:service_manager find;
498allow system_server drmserver_service:service_manager find;
499allow system_server dumpstate_service:service_manager find;
500allow system_server fingerprintd_service:service_manager find;
501allow system_server hal_fingerprint_service:service_manager find;
502allow system_server gatekeeper_service:service_manager find;
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]503allow system_server incident_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]504allow system_server installd_service:service_manager find;
505allow system_server keystore_service:service_manager find;
506allow system_server mediaserver_service:service_manager find;
507allow system_server mediametrics_service:service_manager find;
508allow system_server mediaextractor_service:service_manager find;
509allow system_server mediacodec_service:service_manager find;
510allow system_server mediadrmserver_service:service_manager find;
511allow system_server netd_service:service_manager find;
512allow system_server nfc_service:service_manager find;
513allow system_server radio_service:service_manager find;
514allow system_server surfaceflinger_service:service_manager find;
515allow system_server wificond_service:service_manager find;
516
517allow system_server keystore:keystore_key {
518 get_state
519 get
520 insert
521 delete
522 exist
523 list
524 reset
525 password
526 lock
527 unlock
528 is_empty
529 sign
530 verify
531 grant
532 duplicate
533 clear_uid
534 add_auth
535 user_changed
536};
537
538# Allow system server to search and write to the persistent factory reset
539# protection partition. This block device does not get wiped in a factory reset.
540allow system_server block_device:dir search;
541allow system_server frp_block_device:blk_file rw_file_perms;
542
543# Clean up old cgroups
544allow system_server cgroup:dir { remove_name rmdir };
545
546# /oem access
547r_dir_file(system_server, oemfs)
548
549# Allow resolving per-user storage symlinks
550allow system_server { mnt_user_file storage_file }:dir { getattr search };
551allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
552
553# Allow statfs() on storage devices, which happens fast enough that
554# we shouldn't be killed during unsafe removal
555allow system_server sdcard_type:dir { getattr search };
556
557# Traverse into expanded storage
558allow system_server mnt_expand_file:dir r_dir_perms;
559
560# Allow system process to relabel the fingerprint directory after mkdir
561# and delete the directory and files when no longer needed
562allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
563allow system_server fingerprintd_data_file:file { getattr unlink };
564
565# Allow system process to read network MAC address
566allow system_server sysfs_mac_address:file r_file_perms;
567
568userdebug_or_eng(`
569 # Allow system server to create and write method traces in /data/misc/trace.
570 allow system_server method_trace_data_file:dir w_dir_perms;
571 allow system_server method_trace_data_file:file { create w_file_perms };
572
573 # Allow system server to read dmesg
574 allow system_server kernel:system syslog_read;
575')
576
577# For AppFuse.
578allow system_server vold:fd use;
579allow system_server fuse_device:chr_file { read write ioctl getattr };
580allow system_server app_fuse_file:dir rw_dir_perms;
581allow system_server app_fuse_file:file { read write open getattr append };
582
583# For configuring sdcardfs
584allow system_server configfs:dir { create_dir_perms };
585allow system_server configfs:file { getattr open unlink write };
586
587# Connect to adbd and use a socket transferred from it.
588# Used for e.g. jdwp.
589allow system_server adbd:unix_stream_socket connectto;
590allow system_server adbd:fd use;
591allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
592
593# Allow invoking tools like "timeout"
594allow system_server toolbox_exec:file rx_file_perms;
595
596# Postinstall
597#
598# For OTA dexopt, allow calls coming from postinstall.
599binder_call(system_server, postinstall)
600
601allow system_server postinstall:fifo_file write;
602allow system_server update_engine:fd use;
603allow system_server update_engine:fifo_file write;
604
605# Access to /data/preloads
606allow system_server preloads_data_file:file { r_file_perms unlink };
607allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
608
609r_dir_file(system_server, cgroup)
610allow system_server ion_device:chr_file r_file_perms;
611allow system_server hal_graphics_allocator:fd use;
612
613r_dir_file(system_server, proc)
614r_dir_file(system_server, proc_meminfo)
615r_dir_file(system_server, proc_net)
616r_dir_file(system_server, rootfs)
617r_dir_file(system_server, sysfs_type)
618
619# Allow system_server to make binder calls to hwservicemanager
620binder_call(system_server, hwservicemanager)
621
622### Rules needed when Light HAL runs inside system_server process.
623### These rules should eventually be granted only when needed.
624allow system_server sysfs_leds:lnk_file read;
625allow system_server sysfs_leds:file rw_file_perms;
626allow system_server sysfs_leds:dir r_dir_perms;
627###
628
629userdebug_or_eng(`
630 # Allow WifiService to start, stop, and read wifi-specific trace events.
631 allow system_server debugfs_tracing_instances:dir search;
632 allow system_server debugfs_wifi_tracing:file rw_file_perms;
633')
634
635###
636### Neverallow rules
637###
638### system_server should NEVER do any of this
639
640# Do not allow opening files from external storage as unsafe ejection
641# could cause the kernel to kill the system_server.
642neverallow system_server sdcard_type:dir { open read write };
643neverallow system_server sdcard_type:file rw_file_perms;
644
645# system server should never be operating on zygote spawned app data
646# files directly. Rather, they should always be passed via a
647# file descriptor.
648# Types extracted from seapp_contexts type= fields, excluding
649# those types that system_server needs to open directly.
650neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
651
652# Forking and execing is inherently dangerous and racy. See, for
653# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
654# Prevent the addition of new file execs to stop the problem from
655# getting worse. b/28035297
656neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
657
658# Ensure that system_server doesn't perform any domain transitions other than
659# transitioning to the crash_dump domain when a crash occurs.
660neverallow system_server { domain -crash_dump }:process transition;
661neverallow system_server *:process dyntransition;
662
663# Only allow crash_dump to connect to system_ndebug_socket.
664neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
665
666# system_server should never be executing dex2oat. This is either
667# a bug (for example, bug 16317188), or represents an attempt by
668# system server to dynamically load a dex file, something we do not
669# want to allow.
670neverallow system_server dex2oat_exec:file no_x_file_perms;
671
672# system_server should never execute or load executable shared libraries
673# in /data except for /data/dalvik-cache files.
674neverallow system_server {
675 data_file_type
676 -dalvikcache_data_file #mapping with PROT_EXEC
677}:file no_x_file_perms;
678
679# The only block device system_server should be accessing is
680# the frp_block_device. This helps avoid a system_server to root
681# escalation by writing to raw block devices.
682neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
683
684# system_server should never use JIT functionality
685neverallow system_server self:process execmem;
686neverallow system_server ashmem_device:chr_file execute;
687
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]688# TODO: deal with tmpfs_domain pub/priv split properly
Nick Kralevichb56e6ef2016-12-09 20:14:31 -0800[diff] [blame]689neverallow system_server system_server_tmpfs:file execute;
Calin Juravlee5a1f642017-01-17 20:31:31 -0800[diff] [blame]690
691# dexoptanalyzer is currently used only for secondary dex files which
692# system_server should never access.
693neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
Nick Kralevich44866952017-02-15 15:04:43 -0800[diff] [blame]694
695# No ptracing others
696neverallow system_server { domain -system_server }:process ptrace;
697
698# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
699# file read access. However, that is now unnecessary (b/34951864)
700# This neverallow can be removed after b/34951864 is fixed.
701neverallow system_server system_server:capability sys_resource;