Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9273c1bb5ca9b2ea71f2e35adbc170950fcdb9d1 / . / private / system_server.te
blob: 6f1579bf8734abf13b9b16bed374d46fd5cda0e9 [file] [log] [blame]
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]6typeattribute system_server coredomain;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]7typeattribute system_server domain_deprecated;
8typeattribute system_server mlstrustedsubject;
9
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]10# Define a type for tmpfs-backed ashmem regions.
11tmpfs_domain(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]12
Josh Gaocb3eb4e2016-10-19 14:39:30 -0700[diff] [blame]13# Create a socket for connections from crash_dump.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]14type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]15
16allow system_server zygote_tmpfs:file read;
17
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]18# For art.
19allow system_server dalvikcache_data_file:dir r_dir_perms;
20allow system_server dalvikcache_data_file:file { r_file_perms execute };
Jorge Lucangeli Obes665128f2017-04-11 10:34:23 -0400[diff] [blame]21userdebug_or_eng(`
22 # Report dalvikcache_data_file:file execute violations.
23 auditallow system_server dalvikcache_data_file:file execute;
24')
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]25
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]26# /data/resource-cache
27allow system_server resourcecache_data_file:file r_file_perms;
28allow system_server resourcecache_data_file:dir r_dir_perms;
29
30# ptrace to processes in the same domain for debugging crashes.
31allow system_server self:process ptrace;
32
33# Child of the zygote.
34allow system_server zygote:fd use;
35allow system_server zygote:process sigchld;
36
37# May kill zygote on crashes.
38allow system_server zygote:process sigkill;
39allow system_server crash_dump:process sigkill;
40
41# Read /system/bin/app_process.
42allow system_server zygote_exec:file r_file_perms;
43
44# Needed to close the zygote socket, which involves getopt / getattr
45allow system_server zygote:unix_stream_socket { getopt getattr };
46
47# system server gets network and bluetooth permissions.
48net_domain(system_server)
49# in addition to ioctls whitelisted for all domains, also allow system_server
50# to use privileged ioctls commands. Needed to set up VPNs.
51allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
52bluetooth_domain(system_server)
53
54# These are the capabilities assigned by the zygote to the
55# system server.
56allow system_server self:capability {
57 ipc_lock
58 kill
59 net_admin
60 net_bind_service
61 net_broadcast
62 net_raw
63 sys_boot
64 sys_nice
65 sys_resource
66 sys_time
67 sys_tty_config
68};
69
70wakelock_use(system_server)
71
72# Triggered by /proc/pid accesses, not allowed.
73dontaudit system_server self:capability sys_ptrace;
74
75# Trigger module auto-load.
76allow system_server kernel:system module_request;
77
78# Allow alarmtimers to be set
79allow system_server self:capability2 wake_alarm;
80
81# Use netlink uevent sockets.
82allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
83
84# Use generic netlink sockets.
85allow system_server self:netlink_socket create_socket_perms_no_ioctl;
86allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
87
88# Use generic "sockets" where the address family is not known
89# to the kernel. The ioctl permission is specifically omitted here, but may
90# be added to device specific policy along with the ioctl commands to be
91# whitelisted.
92allow system_server self:socket create_socket_perms_no_ioctl;
93
94# Set and get routes directly via netlink.
95allow system_server self:netlink_route_socket nlmsg_write;
96
97# Kill apps.
Tom Cherryc59eb4d2017-06-13 14:49:17 -0700[diff] [blame]98allow system_server appdomain:process { getpgid sigkill signal };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]99
100# Set scheduling info for apps.
101allow system_server appdomain:process { getsched setsched };
102allow system_server audioserver:process { getsched setsched };
103allow system_server hal_audio:process { getsched setsched };
Philip Cuadra6eee6eb2017-03-23 10:03:49 -0700[diff] [blame]104allow system_server hal_bluetooth:process { getsched setsched };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]105allow system_server cameraserver:process { getsched setsched };
Eino-Ville Talvala6d9be832017-02-15 13:38:25 -0800[diff] [blame]106allow system_server hal_camera:process { getsched setsched };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]107allow system_server mediaserver:process { getsched setsched };
108allow system_server bootanim:process { getsched setsched };
109
110# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
111# within system_server to keep track of memory and CPU usage for
112# all processes on the device. In addition, /proc/pid files access is needed
113# for dumping stack traces of native processes.
114r_dir_file(system_server, domain)
115
116# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
117allow system_server qtaguid_proc:file rw_file_perms;
118allow system_server qtaguid_device:chr_file rw_file_perms;
119
120# Read /proc/uid_cputime/show_uid_stat.
121allow system_server proc_uid_cputime_showstat:file r_file_perms;
122
123# Write /proc/uid_cputime/remove_uid_range.
124allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
125
126# Write /proc/uid_procstat/set.
127allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
128
Andres Oportus97b955d2017-06-07 10:39:11 -0700[diff] [blame]129# Read /proc/uid_time_in_state.
130allow system_server proc_uid_time_in_state:file r_file_perms;
131
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]132# Write to /proc/sysrq-trigger.
133allow system_server proc_sysrq:file rw_file_perms;
134
135# Read /proc/stat for CPU usage statistics
136allow system_server proc_stat:file r_file_perms;
137
138# Read /sys/kernel/debug/wakeup_sources.
139allow system_server debugfs:file r_file_perms;
140
141# The DhcpClient and WifiWatchdog use packet_sockets
142allow system_server self:packet_socket create_socket_perms_no_ioctl;
143
144# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
145# as raw sockets, but the kernel doesn't yet distinguish between the two.
146allow system_server node:rawip_socket node_bind;
147
148# 3rd party VPN clients require a tun_socket to be created
149allow system_server self:tun_socket create_socket_perms_no_ioctl;
150
151# Talk to init and various daemons via sockets.
152unix_socket_connect(system_server, lmkd, lmkd)
153unix_socket_connect(system_server, mtpd, mtp)
154unix_socket_connect(system_server, netd, netd)
155unix_socket_connect(system_server, vold, vold)
156unix_socket_connect(system_server, webview_zygote, webview_zygote)
157unix_socket_connect(system_server, zygote, zygote)
158unix_socket_connect(system_server, racoon, racoon)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]159unix_socket_connect(system_server, uncrypt, uncrypt)
160
161# Communicate over a socket created by surfaceflinger.
162allow system_server surfaceflinger:unix_stream_socket { read write setopt };
163
164# Perform Binder IPC.
165binder_use(system_server)
166binder_call(system_server, appdomain)
167binder_call(system_server, binderservicedomain)
168binder_call(system_server, dumpstate)
169binder_call(system_server, fingerprintd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]170binder_call(system_server, gatekeeperd)
171binder_call(system_server, installd)
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]172binder_call(system_server, incidentd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]173binder_call(system_server, netd)
174binder_call(system_server, wificond)
175binder_service(system_server)
176
177# Perform HwBinder IPC.
178hwbinder_use(system_server)
Alex Klyubin7cda44f2017-03-21 14:28:53 -0700[diff] [blame]179hal_client_domain(system_server, hal_allocator)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]180binder_call(system_server, hal_contexthub)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]181hal_client_domain(system_server, hal_contexthub)
Alex Klyubinf98650e2017-02-21 15:35:16 -0800[diff] [blame]182hal_client_domain(system_server, hal_fingerprint)
Yifan Hong3107a6c2017-03-15 13:38:28 -0700[diff] [blame]183binder_call(system_server, hal_gnss)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]184hal_client_domain(system_server, hal_gnss)
Yifan Hong3107a6c2017-03-15 13:38:28 -0700[diff] [blame]185binder_call(system_server, hal_graphics_allocator)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]186binder_call(system_server, hal_ir)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]187hal_client_domain(system_server, hal_ir)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]188binder_call(system_server, hal_light)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]189hal_client_domain(system_server, hal_light)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]190binder_call(system_server, hal_memtrack)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]191hal_client_domain(system_server, hal_memtrack)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]192binder_call(system_server, hal_power)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]193hal_client_domain(system_server, hal_power)
Alex Klyubin41518be2017-03-13 15:13:52 -0700[diff] [blame]194hal_client_domain(system_server, hal_sensors)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]195binder_call(system_server, hal_thermal)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]196hal_client_domain(system_server, hal_thermal)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]197binder_call(system_server, hal_usb)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]198hal_client_domain(system_server, hal_usb)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]199binder_call(system_server, hal_vibrator)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]200hal_client_domain(system_server, hal_vibrator)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]201binder_call(system_server, hal_vr)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]202hal_client_domain(system_server, hal_vr)
Alex Klyubin1d2a1472017-02-22 15:12:19 -0800[diff] [blame]203hal_client_domain(system_server, hal_wifi)
Roshan Piusa976e642017-02-18 21:32:32 -0800[diff] [blame]204hal_client_domain(system_server, hal_wifi_supplicant)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]205
206# Talk to tombstoned to get ANR traces.
207unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
208
209# Send signals to trigger ANR traces.
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]210allow system_server {
Steven Morelandfac31442017-03-24 09:37:17 -0700[diff] [blame]211 # This is derived from the list that system server defines as interesting native processes
212 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
213 # frameworks/base/services/core/java/com/android/server/Watchdog.java.
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]214 audioserver
215 cameraserver
216 drmserver
217 inputflinger
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]218 mediadrmserver
219 mediaextractor
220 mediaserver
221 mediametrics
222 sdcardd
223 surfaceflinger
Steven Morelandfac31442017-03-24 09:37:17 -0700[diff] [blame]224
225 # This list comes from HAL_INTERFACES_OF_INTEREST in
226 # frameworks/base/services/core/java/com/android/server/Watchdog.java.
227 hal_audio_server
228 hal_bluetooth_server
229 hal_camera_server
230 hal_vr_server
231 mediacodec # TODO(b/36375899): hal_omx_server
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]232}:process { signal };
233
234# Use sockets received over binder from various services.
235allow system_server audioserver:tcp_socket rw_socket_perms;
236allow system_server audioserver:udp_socket rw_socket_perms;
237allow system_server mediaserver:tcp_socket rw_socket_perms;
238allow system_server mediaserver:udp_socket rw_socket_perms;
239
240# Use sockets received over binder from various services.
241allow system_server mediadrmserver:tcp_socket rw_socket_perms;
242allow system_server mediadrmserver:udp_socket rw_socket_perms;
243
244# Check SELinux permissions.
245selinux_check_access(system_server)
246
247# XXX Label sysfs files with a specific type?
248allow system_server sysfs:file rw_file_perms;
249allow system_server sysfs_nfc_power_writable:file rw_file_perms;
250allow system_server sysfs_devices_system_cpu:file w_file_perms;
251allow system_server sysfs_mac_address:file r_file_perms;
252allow system_server sysfs_thermal:dir search;
253allow system_server sysfs_thermal:file r_file_perms;
254
255# TODO: Remove when HALs are forced into separate processes
256allow system_server sysfs_vibrator:file { write append };
257
258# TODO: added to match above sysfs rule. Remove me?
259allow system_server sysfs_usb:file w_file_perms;
260
261# Access devices.
262allow system_server device:dir r_dir_perms;
263allow system_server mdns_socket:sock_file rw_file_perms;
264allow system_server alarm_device:chr_file rw_file_perms;
265allow system_server gpu_device:chr_file rw_file_perms;
266allow system_server iio_device:chr_file rw_file_perms;
267allow system_server input_device:dir r_dir_perms;
268allow system_server input_device:chr_file rw_file_perms;
269allow system_server radio_device:chr_file r_file_perms;
270allow system_server tty_device:chr_file rw_file_perms;
271allow system_server usbaccessory_device:chr_file rw_file_perms;
272allow system_server video_device:dir r_dir_perms;
273allow system_server video_device:chr_file rw_file_perms;
274allow system_server adbd_socket:sock_file rw_file_perms;
275allow system_server rtc_device:chr_file rw_file_perms;
276allow system_server audio_device:dir r_dir_perms;
277
278# write access needed for MIDI
279allow system_server audio_device:chr_file rw_file_perms;
280
281# tun device used for 3rd party vpn apps
282allow system_server tun_device:chr_file rw_file_perms;
283
284# Manage system data files.
285allow system_server system_data_file:dir create_dir_perms;
286allow system_server system_data_file:notdevfile_class_set create_file_perms;
287allow system_server keychain_data_file:dir create_dir_perms;
288allow system_server keychain_data_file:file create_file_perms;
289allow system_server keychain_data_file:lnk_file create_file_perms;
290
291# Manage /data/app.
292allow system_server apk_data_file:dir create_dir_perms;
293allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
294allow system_server apk_tmp_file:dir create_dir_perms;
295allow system_server apk_tmp_file:file create_file_perms;
296
297# Manage /data/app-private.
298allow system_server apk_private_data_file:dir create_dir_perms;
299allow system_server apk_private_data_file:file create_file_perms;
300allow system_server apk_private_tmp_file:dir create_dir_perms;
301allow system_server apk_private_tmp_file:file create_file_perms;
302
303# Manage files within asec containers.
304allow system_server asec_apk_file:dir create_dir_perms;
305allow system_server asec_apk_file:file create_file_perms;
306allow system_server asec_public_file:file create_file_perms;
307
308# Manage /data/anr.
Narayan Kamathe628cb52017-05-15 18:39:16 +0100[diff] [blame]309#
310# TODO: Some of these permissions can be withdrawn once we've switched to the
311# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
312# the system_server should never need to create a new anr_data_file:file or write
313# to one, but it will still need to read and append to existing files.
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]314allow system_server anr_data_file:dir create_dir_perms;
315allow system_server anr_data_file:file create_file_perms;
316
Narayan Kamathe628cb52017-05-15 18:39:16 +0100[diff] [blame]317# New stack dumping scheme : request an output FD from tombstoned via a unix
318# domain socket.
319#
320# Allow system_server to connect and write to the tombstoned java trace socket in
Narayan Kamatha34781a2017-05-30 17:52:46 +0100[diff] [blame]321# order to dump its traces. Also allow the system server to write its traces to
322# dumpstate during bugreport capture.
Narayan Kamathe628cb52017-05-15 18:39:16 +0100[diff] [blame]323unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
324allow system_server tombstoned:fd use;
Narayan Kamatha34781a2017-05-30 17:52:46 +0100[diff] [blame]325allow system_server dumpstate:fifo_file append;
Narayan Kamathe628cb52017-05-15 18:39:16 +0100[diff] [blame]326
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]327# Read /data/misc/incidents - only read. The fd will be sent over binder,
328# with no DAC access to it, for dropbox to read.
329allow system_server incident_data_file:file read;
330
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]331# Manage /data/backup.
332allow system_server backup_data_file:dir create_dir_perms;
333allow system_server backup_data_file:file create_file_perms;
334
335# Write to /data/system/heapdump
336allow system_server heapdump_data_file:dir rw_dir_perms;
337allow system_server heapdump_data_file:file create_file_perms;
338
339# Manage /data/misc/adb.
340allow system_server adb_keys_file:dir create_dir_perms;
341allow system_server adb_keys_file:file create_file_perms;
342
343# Manage /data/misc/sms.
344# TODO: Split into a separate type?
345allow system_server radio_data_file:dir create_dir_perms;
346allow system_server radio_data_file:file create_file_perms;
347
348# Manage /data/misc/systemkeys.
349allow system_server systemkeys_data_file:dir create_dir_perms;
350allow system_server systemkeys_data_file:file create_file_perms;
351
352# Access /data/tombstones.
353allow system_server tombstone_data_file:dir r_dir_perms;
354allow system_server tombstone_data_file:file r_file_perms;
355
356# Manage /data/misc/vpn.
357allow system_server vpn_data_file:dir create_dir_perms;
358allow system_server vpn_data_file:file create_file_perms;
359
360# Manage /data/misc/wifi.
361allow system_server wifi_data_file:dir create_dir_perms;
362allow system_server wifi_data_file:file create_file_perms;
363
364# Manage /data/misc/zoneinfo.
365allow system_server zoneinfo_data_file:dir create_dir_perms;
366allow system_server zoneinfo_data_file:file create_file_perms;
367
368# Walk /data/data subdirectories.
369# Types extracted from seapp_contexts type= fields.
370allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
371# Also permit for unlabeled /data/data subdirectories and
372# for unlabeled asec containers on upgrades from 4.2.
373allow system_server unlabeled:dir r_dir_perms;
374# Read pkg.apk file before it has been relabeled by vold.
375allow system_server unlabeled:file r_file_perms;
376
377# Populate com.android.providers.settings/databases/settings.db.
378allow system_server system_app_data_file:dir create_dir_perms;
379allow system_server system_app_data_file:file create_file_perms;
380
381# Receive and use open app data files passed over binder IPC.
382# Types extracted from seapp_contexts type= fields.
383allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
384
385# Access to /data/media for measuring disk usage.
386allow system_server media_rw_data_file:dir { search getattr open read };
387
388# Receive and use open /data/media files passed over binder IPC.
389# Also used for measuring disk usage.
390allow system_server media_rw_data_file:file { getattr read write append };
391
392# Relabel apk files.
393allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
394allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
395
396# Relabel wallpaper.
397allow system_server system_data_file:file relabelfrom;
398allow system_server wallpaper_file:file relabelto;
399allow system_server wallpaper_file:file { rw_file_perms rename unlink };
400
401# Backup of wallpaper imagery uses temporary hard links to avoid data churn
402allow system_server { system_data_file wallpaper_file }:file link;
403
404# ShortcutManager icons
405allow system_server system_data_file:dir relabelfrom;
406allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
407allow system_server shortcut_manager_icons:file create_file_perms;
408
409# Manage ringtones.
410allow system_server ringtone_file:dir { create_dir_perms relabelto };
411allow system_server ringtone_file:file create_file_perms;
412
413# Relabel icon file.
414allow system_server icon_file:file relabelto;
415allow system_server icon_file:file { rw_file_perms unlink };
416
417# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
418allow system_server system_data_file:dir relabelfrom;
419
420# Property Service write
421set_prop(system_server, system_prop)
422set_prop(system_server, safemode_prop)
423set_prop(system_server, dhcp_prop)
424set_prop(system_server, net_radio_prop)
Nick Kralevich4e404292017-02-09 16:08:11 -0800[diff] [blame]425set_prop(system_server, net_dns_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]426set_prop(system_server, system_radio_prop)
427set_prop(system_server, debug_prop)
428set_prop(system_server, powerctl_prop)
429set_prop(system_server, fingerprint_prop)
430set_prop(system_server, device_logging_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]431set_prop(system_server, dumpstate_options_prop)
432set_prop(system_server, overlay_prop)
433userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
434
435# ctl interface
436set_prop(system_server, ctl_default_prop)
437set_prop(system_server, ctl_bugreport_prop)
438
439# cppreopt property
440set_prop(system_server, cppreopt_prop)
441
442# Collect metrics on boot time created by init
443get_prop(system_server, boottime_prop)
444
445# Read device's serial number from system properties
446get_prop(system_server, serialno_prop)
447
448# Read/write the property which keeps track of whether this is the first start of system_server
449set_prop(system_server, firstboot_prop)
450
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]451# Create a socket for connections from debuggerd.
452allow system_server system_ndebug_socket:sock_file create_file_perms;
453
454# Manage cache files.
455allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
456allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
457allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
458
459allow system_server system_file:dir r_dir_perms;
460allow system_server system_file:lnk_file r_file_perms;
461
462# LocationManager(e.g, GPS) needs to read and write
463# to uart driver and ctrl proc entry
464allow system_server gps_control:file rw_file_perms;
465
466# Allow system_server to use app-created sockets and pipes.
467allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
468allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
469
470# Allow abstract socket connection
471allow system_server rild:unix_stream_socket connectto;
472
473# BackupManagerService needs to manipulate backup data files
474allow system_server cache_backup_file:dir rw_dir_perms;
475allow system_server cache_backup_file:file create_file_perms;
476# LocalTransport works inside /cache/backup
477allow system_server cache_private_backup_file:dir create_dir_perms;
478allow system_server cache_private_backup_file:file create_file_perms;
479
480# Allow system to talk to usb device
481allow system_server usb_device:chr_file rw_file_perms;
482allow system_server usb_device:dir r_dir_perms;
483
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]484# Read from HW RNG (needed by EntropyMixer).
485allow system_server hw_random_device:chr_file r_file_perms;
486
487# Read and delete files under /dev/fscklogs.
488r_dir_file(system_server, fscklogs)
489allow system_server fscklogs:dir { write remove_name };
490allow system_server fscklogs:file unlink;
491
492# logd access, system_server inherit logd write socket
493# (urge is to deprecate this long term)
494allow system_server zygote:unix_dgram_socket write;
495
496# Read from log daemon.
497read_logd(system_server)
498read_runtime_log_tags(system_server)
499
500# Be consistent with DAC permissions. Allow system_server to write to
501# /sys/module/lowmemorykiller/parameters/adj
502# /sys/module/lowmemorykiller/parameters/minfree
503allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
504
505# Read /sys/fs/pstore/console-ramoops
506# Don't worry about overly broad permissions for now, as there's
507# only one file in /sys/fs/pstore
508allow system_server pstorefs:dir r_dir_perms;
509allow system_server pstorefs:file r_file_perms;
510
511# /sys access
512allow system_server sysfs_zram:dir search;
513allow system_server sysfs_zram:file r_file_perms;
514
515add_service(system_server, system_server_service);
516allow system_server audioserver_service:service_manager find;
517allow system_server batteryproperties_service:service_manager find;
518allow system_server cameraserver_service:service_manager find;
519allow system_server drmserver_service:service_manager find;
520allow system_server dumpstate_service:service_manager find;
521allow system_server fingerprintd_service:service_manager find;
522allow system_server hal_fingerprint_service:service_manager find;
523allow system_server gatekeeper_service:service_manager find;
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]524allow system_server incident_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]525allow system_server installd_service:service_manager find;
526allow system_server keystore_service:service_manager find;
527allow system_server mediaserver_service:service_manager find;
528allow system_server mediametrics_service:service_manager find;
529allow system_server mediaextractor_service:service_manager find;
530allow system_server mediacodec_service:service_manager find;
531allow system_server mediadrmserver_service:service_manager find;
Chong Zhang72916412016-10-31 17:02:32 -0700[diff] [blame]532allow system_server mediacasserver_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]533allow system_server netd_service:service_manager find;
534allow system_server nfc_service:service_manager find;
535allow system_server radio_service:service_manager find;
536allow system_server surfaceflinger_service:service_manager find;
537allow system_server wificond_service:service_manager find;
538
539allow system_server keystore:keystore_key {
540 get_state
541 get
542 insert
543 delete
544 exist
545 list
546 reset
547 password
548 lock
549 unlock
550 is_empty
551 sign
552 verify
553 grant
554 duplicate
555 clear_uid
556 add_auth
557 user_changed
558};
559
560# Allow system server to search and write to the persistent factory reset
561# protection partition. This block device does not get wiped in a factory reset.
562allow system_server block_device:dir search;
563allow system_server frp_block_device:blk_file rw_file_perms;
564
565# Clean up old cgroups
566allow system_server cgroup:dir { remove_name rmdir };
567
568# /oem access
569r_dir_file(system_server, oemfs)
570
571# Allow resolving per-user storage symlinks
572allow system_server { mnt_user_file storage_file }:dir { getattr search };
573allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
574
575# Allow statfs() on storage devices, which happens fast enough that
576# we shouldn't be killed during unsafe removal
577allow system_server sdcard_type:dir { getattr search };
578
579# Traverse into expanded storage
580allow system_server mnt_expand_file:dir r_dir_perms;
581
582# Allow system process to relabel the fingerprint directory after mkdir
583# and delete the directory and files when no longer needed
584allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
585allow system_server fingerprintd_data_file:file { getattr unlink };
586
587# Allow system process to read network MAC address
588allow system_server sysfs_mac_address:file r_file_perms;
589
590userdebug_or_eng(`
591 # Allow system server to create and write method traces in /data/misc/trace.
592 allow system_server method_trace_data_file:dir w_dir_perms;
593 allow system_server method_trace_data_file:file { create w_file_perms };
594
595 # Allow system server to read dmesg
596 allow system_server kernel:system syslog_read;
597')
598
599# For AppFuse.
600allow system_server vold:fd use;
601allow system_server fuse_device:chr_file { read write ioctl getattr };
602allow system_server app_fuse_file:dir rw_dir_perms;
603allow system_server app_fuse_file:file { read write open getattr append };
604
605# For configuring sdcardfs
606allow system_server configfs:dir { create_dir_perms };
607allow system_server configfs:file { getattr open unlink write };
608
609# Connect to adbd and use a socket transferred from it.
610# Used for e.g. jdwp.
611allow system_server adbd:unix_stream_socket connectto;
612allow system_server adbd:fd use;
613allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
614
615# Allow invoking tools like "timeout"
616allow system_server toolbox_exec:file rx_file_perms;
617
618# Postinstall
619#
620# For OTA dexopt, allow calls coming from postinstall.
621binder_call(system_server, postinstall)
622
623allow system_server postinstall:fifo_file write;
624allow system_server update_engine:fd use;
625allow system_server update_engine:fifo_file write;
626
627# Access to /data/preloads
628allow system_server preloads_data_file:file { r_file_perms unlink };
629allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
Fyodor Kupolovb238fe62017-03-14 11:42:03 -0700[diff] [blame]630allow system_server preloads_media_file:file { r_file_perms unlink };
631allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]632
633r_dir_file(system_server, cgroup)
634allow system_server ion_device:chr_file r_file_perms;
635allow system_server hal_graphics_allocator:fd use;
636
637r_dir_file(system_server, proc)
638r_dir_file(system_server, proc_meminfo)
639r_dir_file(system_server, proc_net)
640r_dir_file(system_server, rootfs)
641r_dir_file(system_server, sysfs_type)
642
643# Allow system_server to make binder calls to hwservicemanager
644binder_call(system_server, hwservicemanager)
645
646### Rules needed when Light HAL runs inside system_server process.
647### These rules should eventually be granted only when needed.
648allow system_server sysfs_leds:lnk_file read;
649allow system_server sysfs_leds:file rw_file_perms;
650allow system_server sysfs_leds:dir r_dir_perms;
651###
652
mukesh agrawal723364f2017-02-22 18:01:00 -0800[diff] [blame]653# Allow WifiService to start, stop, and read wifi-specific trace events.
654allow system_server debugfs_tracing_instances:dir search;
655allow system_server debugfs_wifi_tracing:file rw_file_perms;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]656
Jeff Vander Stoep74434842017-03-13 12:22:15 -0700[diff] [blame]657# allow system_server to exec shell on ASAN builds. Needed to run
658# asanwrapper.
659with_asan(`
660 allow system_server shell_exec:file rx_file_perms;
661')
662
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]663###
664### Neverallow rules
665###
666### system_server should NEVER do any of this
667
668# Do not allow opening files from external storage as unsafe ejection
669# could cause the kernel to kill the system_server.
670neverallow system_server sdcard_type:dir { open read write };
671neverallow system_server sdcard_type:file rw_file_perms;
672
673# system server should never be operating on zygote spawned app data
674# files directly. Rather, they should always be passed via a
675# file descriptor.
676# Types extracted from seapp_contexts type= fields, excluding
677# those types that system_server needs to open directly.
678neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
679
680# Forking and execing is inherently dangerous and racy. See, for
681# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
682# Prevent the addition of new file execs to stop the problem from
683# getting worse. b/28035297
Jeff Vander Stoep74434842017-03-13 12:22:15 -0700[diff] [blame]684neverallow system_server {
685 file_type
686 -toolbox_exec
687 -logcat_exec
688 with_asan(`-shell_exec')
689}:file execute_no_trans;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]690
691# Ensure that system_server doesn't perform any domain transitions other than
692# transitioning to the crash_dump domain when a crash occurs.
693neverallow system_server { domain -crash_dump }:process transition;
694neverallow system_server *:process dyntransition;
695
696# Only allow crash_dump to connect to system_ndebug_socket.
697neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
698
699# system_server should never be executing dex2oat. This is either
700# a bug (for example, bug 16317188), or represents an attempt by
701# system server to dynamically load a dex file, something we do not
702# want to allow.
703neverallow system_server dex2oat_exec:file no_x_file_perms;
704
705# system_server should never execute or load executable shared libraries
706# in /data except for /data/dalvik-cache files.
707neverallow system_server {
708 data_file_type
709 -dalvikcache_data_file #mapping with PROT_EXEC
710}:file no_x_file_perms;
711
712# The only block device system_server should be accessing is
713# the frp_block_device. This helps avoid a system_server to root
714# escalation by writing to raw block devices.
715neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
716
717# system_server should never use JIT functionality
718neverallow system_server self:process execmem;
719neverallow system_server ashmem_device:chr_file execute;
720
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]721# TODO: deal with tmpfs_domain pub/priv split properly
Nick Kralevichb56e6ef2016-12-09 20:14:31 -0800[diff] [blame]722neverallow system_server system_server_tmpfs:file execute;
Calin Juravlee5a1f642017-01-17 20:31:31 -0800[diff] [blame]723
724# dexoptanalyzer is currently used only for secondary dex files which
725# system_server should never access.
726neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;