Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 448669540c0b7c22ee8b8293217818f8f92238b6 / . / private / system_server.te
blob: 4c44d9dd8ff8e1de1b1cf409b894dff1bc42bc99 [file] [log] [blame]
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
6typeattribute system_server domain_deprecated;
7typeattribute system_server mlstrustedsubject;
8
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]9# Define a type for tmpfs-backed ashmem regions.
10tmpfs_domain(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]11
Josh Gaocb3eb4e2016-10-19 14:39:30 -0700[diff] [blame]12# Create a socket for connections from crash_dump.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]13type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]14
15allow system_server zygote_tmpfs:file read;
16
17# Create a socket for receiving info from wpa.
18type_transition system_server wifi_data_file:sock_file system_wpa_socket;
19type_transition system_server wpa_socket:sock_file system_wpa_socket;
20
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]21# For art.
22allow system_server dalvikcache_data_file:dir r_dir_perms;
23allow system_server dalvikcache_data_file:file { r_file_perms execute };
24
25# Enable system server to check the foreign dex usage markers.
26# We need search on top level directories so that we can get to the files
27allow system_server user_profile_data_file:dir search;
28allow system_server user_profile_data_file:file getattr;
29allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
30allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
31
32# /data/resource-cache
33allow system_server resourcecache_data_file:file r_file_perms;
34allow system_server resourcecache_data_file:dir r_dir_perms;
35
36# ptrace to processes in the same domain for debugging crashes.
37allow system_server self:process ptrace;
38
39# Child of the zygote.
40allow system_server zygote:fd use;
41allow system_server zygote:process sigchld;
42
43# May kill zygote on crashes.
44allow system_server zygote:process sigkill;
45allow system_server crash_dump:process sigkill;
46
47# Read /system/bin/app_process.
48allow system_server zygote_exec:file r_file_perms;
49
50# Needed to close the zygote socket, which involves getopt / getattr
51allow system_server zygote:unix_stream_socket { getopt getattr };
52
53# system server gets network and bluetooth permissions.
54net_domain(system_server)
55# in addition to ioctls whitelisted for all domains, also allow system_server
56# to use privileged ioctls commands. Needed to set up VPNs.
57allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
58bluetooth_domain(system_server)
59
60# These are the capabilities assigned by the zygote to the
61# system server.
62allow system_server self:capability {
63 ipc_lock
64 kill
65 net_admin
66 net_bind_service
67 net_broadcast
68 net_raw
69 sys_boot
70 sys_nice
Nick Kralevich44866952017-02-15 15:04:43 -0800[diff] [blame^]71 sys_ptrace
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]72 sys_time
73 sys_tty_config
74};
75
76wakelock_use(system_server)
77
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]78# Trigger module auto-load.
79allow system_server kernel:system module_request;
80
81# Allow alarmtimers to be set
82allow system_server self:capability2 wake_alarm;
83
84# Use netlink uevent sockets.
85allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
86
87# Use generic netlink sockets.
88allow system_server self:netlink_socket create_socket_perms_no_ioctl;
89allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
90
91# Use generic "sockets" where the address family is not known
92# to the kernel. The ioctl permission is specifically omitted here, but may
93# be added to device specific policy along with the ioctl commands to be
94# whitelisted.
95allow system_server self:socket create_socket_perms_no_ioctl;
96
97# Set and get routes directly via netlink.
98allow system_server self:netlink_route_socket nlmsg_write;
99
100# Kill apps.
101allow system_server appdomain:process { sigkill signal };
102
103# Set scheduling info for apps.
104allow system_server appdomain:process { getsched setsched };
105allow system_server audioserver:process { getsched setsched };
106allow system_server hal_audio:process { getsched setsched };
107allow system_server cameraserver:process { getsched setsched };
108allow system_server mediaserver:process { getsched setsched };
109allow system_server bootanim:process { getsched setsched };
110
111# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
112# within system_server to keep track of memory and CPU usage for
113# all processes on the device. In addition, /proc/pid files access is needed
114# for dumping stack traces of native processes.
115r_dir_file(system_server, domain)
116
117# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
118allow system_server qtaguid_proc:file rw_file_perms;
119allow system_server qtaguid_device:chr_file rw_file_perms;
120
121# Read /proc/uid_cputime/show_uid_stat.
122allow system_server proc_uid_cputime_showstat:file r_file_perms;
123
124# Write /proc/uid_cputime/remove_uid_range.
125allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
126
127# Write /proc/uid_procstat/set.
128allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
129
130# Write to /proc/sysrq-trigger.
131allow system_server proc_sysrq:file rw_file_perms;
132
133# Read /proc/stat for CPU usage statistics
134allow system_server proc_stat:file r_file_perms;
135
136# Read /sys/kernel/debug/wakeup_sources.
137allow system_server debugfs:file r_file_perms;
138
139# The DhcpClient and WifiWatchdog use packet_sockets
140allow system_server self:packet_socket create_socket_perms_no_ioctl;
141
142# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
143# as raw sockets, but the kernel doesn't yet distinguish between the two.
144allow system_server node:rawip_socket node_bind;
145
146# 3rd party VPN clients require a tun_socket to be created
147allow system_server self:tun_socket create_socket_perms_no_ioctl;
148
149# Talk to init and various daemons via sockets.
150unix_socket_connect(system_server, lmkd, lmkd)
151unix_socket_connect(system_server, mtpd, mtp)
152unix_socket_connect(system_server, netd, netd)
153unix_socket_connect(system_server, vold, vold)
154unix_socket_connect(system_server, webview_zygote, webview_zygote)
155unix_socket_connect(system_server, zygote, zygote)
156unix_socket_connect(system_server, racoon, racoon)
157unix_socket_send(system_server, wpa, wpa)
158unix_socket_connect(system_server, uncrypt, uncrypt)
159
160# Communicate over a socket created by surfaceflinger.
161allow system_server surfaceflinger:unix_stream_socket { read write setopt };
162
163# Perform Binder IPC.
164binder_use(system_server)
165binder_call(system_server, appdomain)
166binder_call(system_server, binderservicedomain)
167binder_call(system_server, dumpstate)
168binder_call(system_server, fingerprintd)
169binder_call(system_server, hal_fingerprint)
170binder_call(system_server, gatekeeperd)
171binder_call(system_server, installd)
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]172binder_call(system_server, incidentd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]173binder_call(system_server, netd)
174binder_call(system_server, wificond)
175binder_service(system_server)
176
177# Perform HwBinder IPC.
178hwbinder_use(system_server)
Pawin Vongmasa5559d212017-01-24 02:45:16 -0800[diff] [blame]179hwallocator_use(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]180binder_call(system_server, hal_bluetooth)
181binder_call(system_server, hal_boot)
182binder_call(system_server, hal_contexthub)
183binder_call(system_server, hal_fingerprint)
184binder_call(system_server, hal_gnss);
185binder_call(system_server, hal_ir)
186binder_call(system_server, hal_light)
187binder_call(system_server, hal_memtrack)
188binder_call(system_server, hal_power)
189binder_call(system_server, hal_sensors)
190binder_call(system_server, hal_thermal)
191binder_call(system_server, hal_usb)
192binder_call(system_server, hal_vibrator)
193binder_call(system_server, hal_vr)
194binder_call(system_server, hal_wifi)
195binder_call(system_server, hal_drm)
196binder_call(system_server, wpa)
197
198# Talk to tombstoned to get ANR traces.
199unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
200
201# Send signals to trigger ANR traces.
202# This is derived from the list that system server defines as interesting native processes
203# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
204# frameworks/base/services/core/java/com/android/server/Watchdog.java.
205allow system_server {
206 audioserver
207 cameraserver
208 drmserver
209 inputflinger
210 mediacodec
211 mediadrmserver
212 mediaextractor
213 mediaserver
214 mediametrics
215 sdcardd
216 surfaceflinger
217}:process { signal };
218
219# Use sockets received over binder from various services.
220allow system_server audioserver:tcp_socket rw_socket_perms;
221allow system_server audioserver:udp_socket rw_socket_perms;
222allow system_server mediaserver:tcp_socket rw_socket_perms;
223allow system_server mediaserver:udp_socket rw_socket_perms;
224
225# Use sockets received over binder from various services.
226allow system_server mediadrmserver:tcp_socket rw_socket_perms;
227allow system_server mediadrmserver:udp_socket rw_socket_perms;
228
229# Check SELinux permissions.
230selinux_check_access(system_server)
231
232# XXX Label sysfs files with a specific type?
233allow system_server sysfs:file rw_file_perms;
234allow system_server sysfs_nfc_power_writable:file rw_file_perms;
235allow system_server sysfs_devices_system_cpu:file w_file_perms;
236allow system_server sysfs_mac_address:file r_file_perms;
237allow system_server sysfs_thermal:dir search;
238allow system_server sysfs_thermal:file r_file_perms;
239
240# TODO: Remove when HALs are forced into separate processes
241allow system_server sysfs_vibrator:file { write append };
242
243# TODO: added to match above sysfs rule. Remove me?
244allow system_server sysfs_usb:file w_file_perms;
245
246# Access devices.
247allow system_server device:dir r_dir_perms;
248allow system_server mdns_socket:sock_file rw_file_perms;
249allow system_server alarm_device:chr_file rw_file_perms;
250allow system_server gpu_device:chr_file rw_file_perms;
251allow system_server iio_device:chr_file rw_file_perms;
252allow system_server input_device:dir r_dir_perms;
253allow system_server input_device:chr_file rw_file_perms;
254allow system_server radio_device:chr_file r_file_perms;
255allow system_server tty_device:chr_file rw_file_perms;
256allow system_server usbaccessory_device:chr_file rw_file_perms;
257allow system_server video_device:dir r_dir_perms;
258allow system_server video_device:chr_file rw_file_perms;
259allow system_server adbd_socket:sock_file rw_file_perms;
260allow system_server rtc_device:chr_file rw_file_perms;
261allow system_server audio_device:dir r_dir_perms;
262
263# write access needed for MIDI
264allow system_server audio_device:chr_file rw_file_perms;
265
266# tun device used for 3rd party vpn apps
267allow system_server tun_device:chr_file rw_file_perms;
268
269# Manage system data files.
270allow system_server system_data_file:dir create_dir_perms;
271allow system_server system_data_file:notdevfile_class_set create_file_perms;
272allow system_server keychain_data_file:dir create_dir_perms;
273allow system_server keychain_data_file:file create_file_perms;
274allow system_server keychain_data_file:lnk_file create_file_perms;
275
276# Manage /data/app.
277allow system_server apk_data_file:dir create_dir_perms;
278allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
279allow system_server apk_tmp_file:dir create_dir_perms;
280allow system_server apk_tmp_file:file create_file_perms;
281
282# Manage /data/app-private.
283allow system_server apk_private_data_file:dir create_dir_perms;
284allow system_server apk_private_data_file:file create_file_perms;
285allow system_server apk_private_tmp_file:dir create_dir_perms;
286allow system_server apk_private_tmp_file:file create_file_perms;
287
288# Manage files within asec containers.
289allow system_server asec_apk_file:dir create_dir_perms;
290allow system_server asec_apk_file:file create_file_perms;
291allow system_server asec_public_file:file create_file_perms;
292
293# Manage /data/anr.
294allow system_server anr_data_file:dir create_dir_perms;
295allow system_server anr_data_file:file create_file_perms;
296
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]297# Read /data/misc/incidents - only read. The fd will be sent over binder,
298# with no DAC access to it, for dropbox to read.
299allow system_server incident_data_file:file read;
300
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]301# Manage /data/backup.
302allow system_server backup_data_file:dir create_dir_perms;
303allow system_server backup_data_file:file create_file_perms;
304
305# Write to /data/system/heapdump
306allow system_server heapdump_data_file:dir rw_dir_perms;
307allow system_server heapdump_data_file:file create_file_perms;
308
309# Manage /data/misc/adb.
310allow system_server adb_keys_file:dir create_dir_perms;
311allow system_server adb_keys_file:file create_file_perms;
312
313# Manage /data/misc/sms.
314# TODO: Split into a separate type?
315allow system_server radio_data_file:dir create_dir_perms;
316allow system_server radio_data_file:file create_file_perms;
317
318# Manage /data/misc/systemkeys.
319allow system_server systemkeys_data_file:dir create_dir_perms;
320allow system_server systemkeys_data_file:file create_file_perms;
321
322# Access /data/tombstones.
323allow system_server tombstone_data_file:dir r_dir_perms;
324allow system_server tombstone_data_file:file r_file_perms;
325
326# Manage /data/misc/vpn.
327allow system_server vpn_data_file:dir create_dir_perms;
328allow system_server vpn_data_file:file create_file_perms;
329
330# Manage /data/misc/wifi.
331allow system_server wifi_data_file:dir create_dir_perms;
332allow system_server wifi_data_file:file create_file_perms;
333
334# Manage /data/misc/zoneinfo.
335allow system_server zoneinfo_data_file:dir create_dir_perms;
336allow system_server zoneinfo_data_file:file create_file_perms;
337
338# Walk /data/data subdirectories.
339# Types extracted from seapp_contexts type= fields.
340allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
341# Also permit for unlabeled /data/data subdirectories and
342# for unlabeled asec containers on upgrades from 4.2.
343allow system_server unlabeled:dir r_dir_perms;
344# Read pkg.apk file before it has been relabeled by vold.
345allow system_server unlabeled:file r_file_perms;
346
347# Populate com.android.providers.settings/databases/settings.db.
348allow system_server system_app_data_file:dir create_dir_perms;
349allow system_server system_app_data_file:file create_file_perms;
350
351# Receive and use open app data files passed over binder IPC.
352# Types extracted from seapp_contexts type= fields.
353allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
354
355# Access to /data/media for measuring disk usage.
356allow system_server media_rw_data_file:dir { search getattr open read };
357
358# Receive and use open /data/media files passed over binder IPC.
359# Also used for measuring disk usage.
360allow system_server media_rw_data_file:file { getattr read write append };
361
362# Relabel apk files.
363allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
364allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
365
366# Relabel wallpaper.
367allow system_server system_data_file:file relabelfrom;
368allow system_server wallpaper_file:file relabelto;
369allow system_server wallpaper_file:file { rw_file_perms rename unlink };
370
371# Backup of wallpaper imagery uses temporary hard links to avoid data churn
372allow system_server { system_data_file wallpaper_file }:file link;
373
374# ShortcutManager icons
375allow system_server system_data_file:dir relabelfrom;
376allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
377allow system_server shortcut_manager_icons:file create_file_perms;
378
379# Manage ringtones.
380allow system_server ringtone_file:dir { create_dir_perms relabelto };
381allow system_server ringtone_file:file create_file_perms;
382
383# Relabel icon file.
384allow system_server icon_file:file relabelto;
385allow system_server icon_file:file { rw_file_perms unlink };
386
387# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
388allow system_server system_data_file:dir relabelfrom;
389
390# Property Service write
391set_prop(system_server, system_prop)
392set_prop(system_server, safemode_prop)
393set_prop(system_server, dhcp_prop)
394set_prop(system_server, net_radio_prop)
Nick Kralevich4e404292017-02-09 16:08:11 -0800[diff] [blame]395set_prop(system_server, net_dns_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]396set_prop(system_server, system_radio_prop)
397set_prop(system_server, debug_prop)
398set_prop(system_server, powerctl_prop)
399set_prop(system_server, fingerprint_prop)
400set_prop(system_server, device_logging_prop)
401set_prop(system_server, wifi_prop)
402set_prop(system_server, dumpstate_options_prop)
403set_prop(system_server, overlay_prop)
404userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
405
406# ctl interface
407set_prop(system_server, ctl_default_prop)
408set_prop(system_server, ctl_bugreport_prop)
409
410# cppreopt property
411set_prop(system_server, cppreopt_prop)
412
413# Collect metrics on boot time created by init
414get_prop(system_server, boottime_prop)
415
416# Read device's serial number from system properties
417get_prop(system_server, serialno_prop)
418
419# Read/write the property which keeps track of whether this is the first start of system_server
420set_prop(system_server, firstboot_prop)
421
422# Create a socket for receiving info from wpa.
423allow system_server wpa_socket:dir rw_dir_perms;
424allow system_server system_wpa_socket:sock_file create_file_perms;
425
426# Remove sockets created by wpa_supplicant
427allow system_server wpa_socket:sock_file unlink;
428
429# Create a socket for connections from debuggerd.
430allow system_server system_ndebug_socket:sock_file create_file_perms;
431
432# Manage cache files.
433allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
434allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
435allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
436
437allow system_server system_file:dir r_dir_perms;
438allow system_server system_file:lnk_file r_file_perms;
439
440# LocationManager(e.g, GPS) needs to read and write
441# to uart driver and ctrl proc entry
442allow system_server gps_control:file rw_file_perms;
443
444# Allow system_server to use app-created sockets and pipes.
445allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
446allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
447
448# Allow abstract socket connection
449allow system_server rild:unix_stream_socket connectto;
450
451# BackupManagerService needs to manipulate backup data files
452allow system_server cache_backup_file:dir rw_dir_perms;
453allow system_server cache_backup_file:file create_file_perms;
454# LocalTransport works inside /cache/backup
455allow system_server cache_private_backup_file:dir create_dir_perms;
456allow system_server cache_private_backup_file:file create_file_perms;
457
458# Allow system to talk to usb device
459allow system_server usb_device:chr_file rw_file_perms;
460allow system_server usb_device:dir r_dir_perms;
461
462# Allow system to talk to sensors
463allow system_server sensors_device:chr_file rw_file_perms;
464
465# Read from HW RNG (needed by EntropyMixer).
466allow system_server hw_random_device:chr_file r_file_perms;
467
468# Read and delete files under /dev/fscklogs.
469r_dir_file(system_server, fscklogs)
470allow system_server fscklogs:dir { write remove_name };
471allow system_server fscklogs:file unlink;
472
473# logd access, system_server inherit logd write socket
474# (urge is to deprecate this long term)
475allow system_server zygote:unix_dgram_socket write;
476
477# Read from log daemon.
478read_logd(system_server)
479read_runtime_log_tags(system_server)
480
481# Be consistent with DAC permissions. Allow system_server to write to
482# /sys/module/lowmemorykiller/parameters/adj
483# /sys/module/lowmemorykiller/parameters/minfree
484allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
485
486# Read /sys/fs/pstore/console-ramoops
487# Don't worry about overly broad permissions for now, as there's
488# only one file in /sys/fs/pstore
489allow system_server pstorefs:dir r_dir_perms;
490allow system_server pstorefs:file r_file_perms;
491
492# /sys access
493allow system_server sysfs_zram:dir search;
494allow system_server sysfs_zram:file r_file_perms;
495
496add_service(system_server, system_server_service);
497allow system_server audioserver_service:service_manager find;
498allow system_server batteryproperties_service:service_manager find;
499allow system_server cameraserver_service:service_manager find;
500allow system_server drmserver_service:service_manager find;
501allow system_server dumpstate_service:service_manager find;
502allow system_server fingerprintd_service:service_manager find;
503allow system_server hal_fingerprint_service:service_manager find;
504allow system_server gatekeeper_service:service_manager find;
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]505allow system_server incident_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]506allow system_server installd_service:service_manager find;
507allow system_server keystore_service:service_manager find;
508allow system_server mediaserver_service:service_manager find;
509allow system_server mediametrics_service:service_manager find;
510allow system_server mediaextractor_service:service_manager find;
511allow system_server mediacodec_service:service_manager find;
512allow system_server mediadrmserver_service:service_manager find;
513allow system_server netd_service:service_manager find;
514allow system_server nfc_service:service_manager find;
515allow system_server radio_service:service_manager find;
516allow system_server surfaceflinger_service:service_manager find;
517allow system_server wificond_service:service_manager find;
518
519allow system_server keystore:keystore_key {
520 get_state
521 get
522 insert
523 delete
524 exist
525 list
526 reset
527 password
528 lock
529 unlock
530 is_empty
531 sign
532 verify
533 grant
534 duplicate
535 clear_uid
536 add_auth
537 user_changed
538};
539
540# Allow system server to search and write to the persistent factory reset
541# protection partition. This block device does not get wiped in a factory reset.
542allow system_server block_device:dir search;
543allow system_server frp_block_device:blk_file rw_file_perms;
544
545# Clean up old cgroups
546allow system_server cgroup:dir { remove_name rmdir };
547
548# /oem access
549r_dir_file(system_server, oemfs)
550
551# Allow resolving per-user storage symlinks
552allow system_server { mnt_user_file storage_file }:dir { getattr search };
553allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
554
555# Allow statfs() on storage devices, which happens fast enough that
556# we shouldn't be killed during unsafe removal
557allow system_server sdcard_type:dir { getattr search };
558
559# Traverse into expanded storage
560allow system_server mnt_expand_file:dir r_dir_perms;
561
562# Allow system process to relabel the fingerprint directory after mkdir
563# and delete the directory and files when no longer needed
564allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
565allow system_server fingerprintd_data_file:file { getattr unlink };
566
567# Allow system process to read network MAC address
568allow system_server sysfs_mac_address:file r_file_perms;
569
570userdebug_or_eng(`
571 # Allow system server to create and write method traces in /data/misc/trace.
572 allow system_server method_trace_data_file:dir w_dir_perms;
573 allow system_server method_trace_data_file:file { create w_file_perms };
574
575 # Allow system server to read dmesg
576 allow system_server kernel:system syslog_read;
577')
578
579# For AppFuse.
580allow system_server vold:fd use;
581allow system_server fuse_device:chr_file { read write ioctl getattr };
582allow system_server app_fuse_file:dir rw_dir_perms;
583allow system_server app_fuse_file:file { read write open getattr append };
584
585# For configuring sdcardfs
586allow system_server configfs:dir { create_dir_perms };
587allow system_server configfs:file { getattr open unlink write };
588
589# Connect to adbd and use a socket transferred from it.
590# Used for e.g. jdwp.
591allow system_server adbd:unix_stream_socket connectto;
592allow system_server adbd:fd use;
593allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
594
595# Allow invoking tools like "timeout"
596allow system_server toolbox_exec:file rx_file_perms;
597
598# Postinstall
599#
600# For OTA dexopt, allow calls coming from postinstall.
601binder_call(system_server, postinstall)
602
603allow system_server postinstall:fifo_file write;
604allow system_server update_engine:fd use;
605allow system_server update_engine:fifo_file write;
606
607# Access to /data/preloads
608allow system_server preloads_data_file:file { r_file_perms unlink };
609allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
610
611r_dir_file(system_server, cgroup)
612allow system_server ion_device:chr_file r_file_perms;
613allow system_server hal_graphics_allocator:fd use;
614
615r_dir_file(system_server, proc)
616r_dir_file(system_server, proc_meminfo)
617r_dir_file(system_server, proc_net)
618r_dir_file(system_server, rootfs)
619r_dir_file(system_server, sysfs_type)
620
621# Allow system_server to make binder calls to hwservicemanager
622binder_call(system_server, hwservicemanager)
623
624### Rules needed when Light HAL runs inside system_server process.
625### These rules should eventually be granted only when needed.
626allow system_server sysfs_leds:lnk_file read;
627allow system_server sysfs_leds:file rw_file_perms;
628allow system_server sysfs_leds:dir r_dir_perms;
629###
630
631userdebug_or_eng(`
632 # Allow WifiService to start, stop, and read wifi-specific trace events.
633 allow system_server debugfs_tracing_instances:dir search;
634 allow system_server debugfs_wifi_tracing:file rw_file_perms;
635')
636
637###
638### Neverallow rules
639###
640### system_server should NEVER do any of this
641
642# Do not allow opening files from external storage as unsafe ejection
643# could cause the kernel to kill the system_server.
644neverallow system_server sdcard_type:dir { open read write };
645neverallow system_server sdcard_type:file rw_file_perms;
646
647# system server should never be operating on zygote spawned app data
648# files directly. Rather, they should always be passed via a
649# file descriptor.
650# Types extracted from seapp_contexts type= fields, excluding
651# those types that system_server needs to open directly.
652neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
653
654# Forking and execing is inherently dangerous and racy. See, for
655# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
656# Prevent the addition of new file execs to stop the problem from
657# getting worse. b/28035297
658neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
659
660# Ensure that system_server doesn't perform any domain transitions other than
661# transitioning to the crash_dump domain when a crash occurs.
662neverallow system_server { domain -crash_dump }:process transition;
663neverallow system_server *:process dyntransition;
664
665# Only allow crash_dump to connect to system_ndebug_socket.
666neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
667
668# system_server should never be executing dex2oat. This is either
669# a bug (for example, bug 16317188), or represents an attempt by
670# system server to dynamically load a dex file, something we do not
671# want to allow.
672neverallow system_server dex2oat_exec:file no_x_file_perms;
673
674# system_server should never execute or load executable shared libraries
675# in /data except for /data/dalvik-cache files.
676neverallow system_server {
677 data_file_type
678 -dalvikcache_data_file #mapping with PROT_EXEC
679}:file no_x_file_perms;
680
681# The only block device system_server should be accessing is
682# the frp_block_device. This helps avoid a system_server to root
683# escalation by writing to raw block devices.
684neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
685
686# system_server should never use JIT functionality
687neverallow system_server self:process execmem;
688neverallow system_server ashmem_device:chr_file execute;
689
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]690# TODO: deal with tmpfs_domain pub/priv split properly
Nick Kralevichb56e6ef2016-12-09 20:14:31 -0800[diff] [blame]691neverallow system_server system_server_tmpfs:file execute;
Calin Juravlee5a1f642017-01-17 20:31:31 -0800[diff] [blame]692
693# dexoptanalyzer is currently used only for secondary dex files which
694# system_server should never access.
695neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
Nick Kralevich44866952017-02-15 15:04:43 -0800[diff] [blame^]696
697# No ptracing others
698neverallow system_server { domain -system_server }:process ptrace;
699
700# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
701# file read access. However, that is now unnecessary (b/34951864)
702# This neverallow can be removed after b/34951864 is fixed.
703neverallow system_server system_server:capability sys_resource;