Blame - private/system_server.te - android_system_sepolicy

blob: fa55ada294d5cb3f264adae7594e0dbe9120a3c6 [file] [log] [blame]

Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	1	#
				2	# System Server aka system_server spawned by zygote.
				3	# Most of the framework services run in this process.
				4	#
				5
				6	typeattribute system_server domain_deprecated;
				7	typeattribute system_server mlstrustedsubject;
				8
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	9	# Define a type for tmpfs-backed ashmem regions.
				10	tmpfs_domain(system_server)
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	11
Josh Gao	cb3eb4e	2016-10-19 14:39:30 -0700	[diff] [blame]	12	# Create a socket for connections from crash_dump.
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	13	type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
dcashman	2e00e63	2016-10-12 14:58:09 -0700	[diff] [blame]	14
				15	allow system_server zygote_tmpfs:file read;
				16
				17	# Create a socket for receiving info from wpa.
				18	type_transition system_server wifi_data_file:sock_file system_wpa_socket;
				19	type_transition system_server wpa_socket:sock_file system_wpa_socket;
				20
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	21	# For art.
				22	allow system_server dalvikcache_data_file:dir r_dir_perms;
				23	allow system_server dalvikcache_data_file:file { r_file_perms execute };
				24
				25	# Enable system server to check the foreign dex usage markers.
				26	# We need search on top level directories so that we can get to the files
				27	allow system_server user_profile_data_file:dir search;
				28	allow system_server user_profile_data_file:file getattr;
				29	allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
				30	allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
				31
				32	# /data/resource-cache
				33	allow system_server resourcecache_data_file:file r_file_perms;
				34	allow system_server resourcecache_data_file:dir r_dir_perms;
				35
				36	# ptrace to processes in the same domain for debugging crashes.
				37	allow system_server self:process ptrace;
				38
				39	# Child of the zygote.
				40	allow system_server zygote:fd use;
				41	allow system_server zygote:process sigchld;
				42
				43	# May kill zygote on crashes.
				44	allow system_server zygote:process sigkill;
				45	allow system_server crash_dump:process sigkill;
				46
				47	# Read /system/bin/app_process.
				48	allow system_server zygote_exec:file r_file_perms;
				49
				50	# Needed to close the zygote socket, which involves getopt / getattr
				51	allow system_server zygote:unix_stream_socket { getopt getattr };
				52
				53	# system server gets network and bluetooth permissions.
				54	net_domain(system_server)
				55	# in addition to ioctls whitelisted for all domains, also allow system_server
				56	# to use privileged ioctls commands. Needed to set up VPNs.
				57	allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
				58	bluetooth_domain(system_server)
				59
				60	# These are the capabilities assigned by the zygote to the
				61	# system server.
				62	allow system_server self:capability {
				63	ipc_lock
				64	kill
				65	net_admin
				66	net_bind_service
				67	net_broadcast
				68	net_raw
				69	sys_boot
				70	sys_nice
				71	sys_resource
				72	sys_time
				73	sys_tty_config
				74	};
				75
				76	wakelock_use(system_server)
				77
				78	# Triggered by /proc/pid accesses, not allowed.
				79	dontaudit system_server self:capability sys_ptrace;
				80
				81	# Trigger module auto-load.
				82	allow system_server kernel:system module_request;
				83
				84	# Allow alarmtimers to be set
				85	allow system_server self:capability2 wake_alarm;
				86
				87	# Use netlink uevent sockets.
				88	allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
				89
				90	# Use generic netlink sockets.
				91	allow system_server self:netlink_socket create_socket_perms_no_ioctl;
				92	allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
				93
				94	# Use generic "sockets" where the address family is not known
				95	# to the kernel. The ioctl permission is specifically omitted here, but may
				96	# be added to device specific policy along with the ioctl commands to be
				97	# whitelisted.
				98	allow system_server self:socket create_socket_perms_no_ioctl;
				99
				100	# Set and get routes directly via netlink.
				101	allow system_server self:netlink_route_socket nlmsg_write;
				102
				103	# Kill apps.
				104	allow system_server appdomain:process { sigkill signal };
				105
				106	# Set scheduling info for apps.
				107	allow system_server appdomain:process { getsched setsched };
				108	allow system_server audioserver:process { getsched setsched };
				109	allow system_server hal_audio:process { getsched setsched };
				110	allow system_server cameraserver:process { getsched setsched };
Eino-Ville Talvala	6d53c9e	2017-02-15 13:38:25 -0800	[diff] [blame^]	111	allow system_server hal_camera:process { getsched setsched };
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	112	allow system_server mediaserver:process { getsched setsched };
				113	allow system_server bootanim:process { getsched setsched };
				114
				115	# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
				116	# within system_server to keep track of memory and CPU usage for
				117	# all processes on the device. In addition, /proc/pid files access is needed
				118	# for dumping stack traces of native processes.
				119	r_dir_file(system_server, domain)
				120
				121	# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
				122	allow system_server qtaguid_proc:file rw_file_perms;
				123	allow system_server qtaguid_device:chr_file rw_file_perms;
				124
				125	# Read /proc/uid_cputime/show_uid_stat.
				126	allow system_server proc_uid_cputime_showstat:file r_file_perms;
				127
				128	# Write /proc/uid_cputime/remove_uid_range.
				129	allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
				130
				131	# Write /proc/uid_procstat/set.
				132	allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
				133
				134	# Write to /proc/sysrq-trigger.
				135	allow system_server proc_sysrq:file rw_file_perms;
				136
				137	# Read /proc/stat for CPU usage statistics
				138	allow system_server proc_stat:file r_file_perms;
				139
				140	# Read /sys/kernel/debug/wakeup_sources.
				141	allow system_server debugfs:file r_file_perms;
				142
				143	# The DhcpClient and WifiWatchdog use packet_sockets
				144	allow system_server self:packet_socket create_socket_perms_no_ioctl;
				145
				146	# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
				147	# as raw sockets, but the kernel doesn't yet distinguish between the two.
				148	allow system_server node:rawip_socket node_bind;
				149
				150	# 3rd party VPN clients require a tun_socket to be created
				151	allow system_server self:tun_socket create_socket_perms_no_ioctl;
				152
				153	# Talk to init and various daemons via sockets.
				154	unix_socket_connect(system_server, lmkd, lmkd)
				155	unix_socket_connect(system_server, mtpd, mtp)
				156	unix_socket_connect(system_server, netd, netd)
				157	unix_socket_connect(system_server, vold, vold)
				158	unix_socket_connect(system_server, webview_zygote, webview_zygote)
				159	unix_socket_connect(system_server, zygote, zygote)
				160	unix_socket_connect(system_server, racoon, racoon)
				161	unix_socket_send(system_server, wpa, wpa)
				162	unix_socket_connect(system_server, uncrypt, uncrypt)
				163
				164	# Communicate over a socket created by surfaceflinger.
				165	allow system_server surfaceflinger:unix_stream_socket { read write setopt };
				166
				167	# Perform Binder IPC.
				168	binder_use(system_server)
				169	binder_call(system_server, appdomain)
				170	binder_call(system_server, binderservicedomain)
				171	binder_call(system_server, dumpstate)
				172	binder_call(system_server, fingerprintd)
				173	binder_call(system_server, hal_fingerprint)
				174	binder_call(system_server, gatekeeperd)
				175	binder_call(system_server, installd)
Joe Onorato	41f93db	2016-11-20 23:23:04 -0800	[diff] [blame]	176	binder_call(system_server, incidentd)
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	177	binder_call(system_server, netd)
				178	binder_call(system_server, wificond)
				179	binder_service(system_server)
				180
				181	# Perform HwBinder IPC.
				182	hwbinder_use(system_server)
Pawin Vongmasa	5559d21	2017-01-24 02:45:16 -0800	[diff] [blame]	183	hwallocator_use(system_server)
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	184	binder_call(system_server, hal_bluetooth)
				185	binder_call(system_server, hal_boot)
				186	binder_call(system_server, hal_contexthub)
				187	binder_call(system_server, hal_fingerprint)
				188	binder_call(system_server, hal_gnss);
				189	binder_call(system_server, hal_ir)
				190	binder_call(system_server, hal_light)
				191	binder_call(system_server, hal_memtrack)
				192	binder_call(system_server, hal_power)
				193	binder_call(system_server, hal_sensors)
				194	binder_call(system_server, hal_thermal)
				195	binder_call(system_server, hal_usb)
				196	binder_call(system_server, hal_vibrator)
				197	binder_call(system_server, hal_vr)
				198	binder_call(system_server, hal_wifi)
				199	binder_call(system_server, hal_drm)
				200	binder_call(system_server, wpa)
				201
				202	# Talk to tombstoned to get ANR traces.
				203	unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
				204
				205	# Send signals to trigger ANR traces.
				206	# This is derived from the list that system server defines as interesting native processes
				207	# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
				208	# frameworks/base/services/core/java/com/android/server/Watchdog.java.
				209	allow system_server {
				210	audioserver
				211	cameraserver
				212	drmserver
				213	inputflinger
				214	mediacodec
				215	mediadrmserver
				216	mediaextractor
				217	mediaserver
				218	mediametrics
				219	sdcardd
				220	surfaceflinger
				221	}:process { signal };
				222
				223	# Use sockets received over binder from various services.
				224	allow system_server audioserver:tcp_socket rw_socket_perms;
				225	allow system_server audioserver:udp_socket rw_socket_perms;
				226	allow system_server mediaserver:tcp_socket rw_socket_perms;
				227	allow system_server mediaserver:udp_socket rw_socket_perms;
				228
				229	# Use sockets received over binder from various services.
				230	allow system_server mediadrmserver:tcp_socket rw_socket_perms;
				231	allow system_server mediadrmserver:udp_socket rw_socket_perms;
				232
				233	# Check SELinux permissions.
				234	selinux_check_access(system_server)
				235
				236	# XXX Label sysfs files with a specific type?
				237	allow system_server sysfs:file rw_file_perms;
				238	allow system_server sysfs_nfc_power_writable:file rw_file_perms;
				239	allow system_server sysfs_devices_system_cpu:file w_file_perms;
				240	allow system_server sysfs_mac_address:file r_file_perms;
				241	allow system_server sysfs_thermal:dir search;
				242	allow system_server sysfs_thermal:file r_file_perms;
				243
				244	# TODO: Remove when HALs are forced into separate processes
				245	allow system_server sysfs_vibrator:file { write append };
				246
				247	# TODO: added to match above sysfs rule. Remove me?
				248	allow system_server sysfs_usb:file w_file_perms;
				249
				250	# Access devices.
				251	allow system_server device:dir r_dir_perms;
				252	allow system_server mdns_socket:sock_file rw_file_perms;
				253	allow system_server alarm_device:chr_file rw_file_perms;
				254	allow system_server gpu_device:chr_file rw_file_perms;
				255	allow system_server iio_device:chr_file rw_file_perms;
				256	allow system_server input_device:dir r_dir_perms;
				257	allow system_server input_device:chr_file rw_file_perms;
				258	allow system_server radio_device:chr_file r_file_perms;
				259	allow system_server tty_device:chr_file rw_file_perms;
				260	allow system_server usbaccessory_device:chr_file rw_file_perms;
				261	allow system_server video_device:dir r_dir_perms;
				262	allow system_server video_device:chr_file rw_file_perms;
				263	allow system_server adbd_socket:sock_file rw_file_perms;
				264	allow system_server rtc_device:chr_file rw_file_perms;
				265	allow system_server audio_device:dir r_dir_perms;
				266
				267	# write access needed for MIDI
				268	allow system_server audio_device:chr_file rw_file_perms;
				269
				270	# tun device used for 3rd party vpn apps
				271	allow system_server tun_device:chr_file rw_file_perms;
				272
				273	# Manage system data files.
				274	allow system_server system_data_file:dir create_dir_perms;
				275	allow system_server system_data_file:notdevfile_class_set create_file_perms;
				276	allow system_server keychain_data_file:dir create_dir_perms;
				277	allow system_server keychain_data_file:file create_file_perms;
				278	allow system_server keychain_data_file:lnk_file create_file_perms;
				279
				280	# Manage /data/app.
				281	allow system_server apk_data_file:dir create_dir_perms;
				282	allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
				283	allow system_server apk_tmp_file:dir create_dir_perms;
				284	allow system_server apk_tmp_file:file create_file_perms;
				285
				286	# Manage /data/app-private.
				287	allow system_server apk_private_data_file:dir create_dir_perms;
				288	allow system_server apk_private_data_file:file create_file_perms;
				289	allow system_server apk_private_tmp_file:dir create_dir_perms;
				290	allow system_server apk_private_tmp_file:file create_file_perms;
				291
				292	# Manage files within asec containers.
				293	allow system_server asec_apk_file:dir create_dir_perms;
				294	allow system_server asec_apk_file:file create_file_perms;
				295	allow system_server asec_public_file:file create_file_perms;
				296
				297	# Manage /data/anr.
				298	allow system_server anr_data_file:dir create_dir_perms;
				299	allow system_server anr_data_file:file create_file_perms;
				300
Joe Onorato	41f93db	2016-11-20 23:23:04 -0800	[diff] [blame]	301	# Read /data/misc/incidents - only read. The fd will be sent over binder,
				302	# with no DAC access to it, for dropbox to read.
				303	allow system_server incident_data_file:file read;
				304
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	305	# Manage /data/backup.
				306	allow system_server backup_data_file:dir create_dir_perms;
				307	allow system_server backup_data_file:file create_file_perms;
				308
				309	# Write to /data/system/heapdump
				310	allow system_server heapdump_data_file:dir rw_dir_perms;
				311	allow system_server heapdump_data_file:file create_file_perms;
				312
				313	# Manage /data/misc/adb.
				314	allow system_server adb_keys_file:dir create_dir_perms;
				315	allow system_server adb_keys_file:file create_file_perms;
				316
				317	# Manage /data/misc/sms.
				318	# TODO: Split into a separate type?
				319	allow system_server radio_data_file:dir create_dir_perms;
				320	allow system_server radio_data_file:file create_file_perms;
				321
				322	# Manage /data/misc/systemkeys.
				323	allow system_server systemkeys_data_file:dir create_dir_perms;
				324	allow system_server systemkeys_data_file:file create_file_perms;
				325
				326	# Access /data/tombstones.
				327	allow system_server tombstone_data_file:dir r_dir_perms;
				328	allow system_server tombstone_data_file:file r_file_perms;
				329
				330	# Manage /data/misc/vpn.
				331	allow system_server vpn_data_file:dir create_dir_perms;
				332	allow system_server vpn_data_file:file create_file_perms;
				333
				334	# Manage /data/misc/wifi.
				335	allow system_server wifi_data_file:dir create_dir_perms;
				336	allow system_server wifi_data_file:file create_file_perms;
				337
				338	# Manage /data/misc/zoneinfo.
				339	allow system_server zoneinfo_data_file:dir create_dir_perms;
				340	allow system_server zoneinfo_data_file:file create_file_perms;
				341
				342	# Walk /data/data subdirectories.
				343	# Types extracted from seapp_contexts type= fields.
				344	allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
				345	# Also permit for unlabeled /data/data subdirectories and
				346	# for unlabeled asec containers on upgrades from 4.2.
				347	allow system_server unlabeled:dir r_dir_perms;
				348	# Read pkg.apk file before it has been relabeled by vold.
				349	allow system_server unlabeled:file r_file_perms;
				350
				351	# Populate com.android.providers.settings/databases/settings.db.
				352	allow system_server system_app_data_file:dir create_dir_perms;
				353	allow system_server system_app_data_file:file create_file_perms;
				354
				355	# Receive and use open app data files passed over binder IPC.
				356	# Types extracted from seapp_contexts type= fields.
				357	allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
				358
				359	# Access to /data/media for measuring disk usage.
				360	allow system_server media_rw_data_file:dir { search getattr open read };
				361
				362	# Receive and use open /data/media files passed over binder IPC.
				363	# Also used for measuring disk usage.
				364	allow system_server media_rw_data_file:file { getattr read write append };
				365
				366	# Relabel apk files.
				367	allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
				368	allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
				369
				370	# Relabel wallpaper.
				371	allow system_server system_data_file:file relabelfrom;
				372	allow system_server wallpaper_file:file relabelto;
				373	allow system_server wallpaper_file:file { rw_file_perms rename unlink };
				374
				375	# Backup of wallpaper imagery uses temporary hard links to avoid data churn
				376	allow system_server { system_data_file wallpaper_file }:file link;
				377
				378	# ShortcutManager icons
				379	allow system_server system_data_file:dir relabelfrom;
				380	allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
				381	allow system_server shortcut_manager_icons:file create_file_perms;
				382
				383	# Manage ringtones.
				384	allow system_server ringtone_file:dir { create_dir_perms relabelto };
				385	allow system_server ringtone_file:file create_file_perms;
				386
				387	# Relabel icon file.
				388	allow system_server icon_file:file relabelto;
				389	allow system_server icon_file:file { rw_file_perms unlink };
				390
				391	# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
				392	allow system_server system_data_file:dir relabelfrom;
				393
				394	# Property Service write
				395	set_prop(system_server, system_prop)
				396	set_prop(system_server, safemode_prop)
				397	set_prop(system_server, dhcp_prop)
				398	set_prop(system_server, net_radio_prop)
Nick Kralevich	4e40429	2017-02-09 16:08:11 -0800	[diff] [blame]	399	set_prop(system_server, net_dns_prop)
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	400	set_prop(system_server, system_radio_prop)
				401	set_prop(system_server, debug_prop)
				402	set_prop(system_server, powerctl_prop)
				403	set_prop(system_server, fingerprint_prop)
				404	set_prop(system_server, device_logging_prop)
				405	set_prop(system_server, wifi_prop)
				406	set_prop(system_server, dumpstate_options_prop)
				407	set_prop(system_server, overlay_prop)
				408	userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
				409
				410	# ctl interface
				411	set_prop(system_server, ctl_default_prop)
				412	set_prop(system_server, ctl_bugreport_prop)
				413
				414	# cppreopt property
				415	set_prop(system_server, cppreopt_prop)
				416
				417	# Collect metrics on boot time created by init
				418	get_prop(system_server, boottime_prop)
				419
				420	# Read device's serial number from system properties
				421	get_prop(system_server, serialno_prop)
				422
				423	# Read/write the property which keeps track of whether this is the first start of system_server
				424	set_prop(system_server, firstboot_prop)
				425
				426	# Create a socket for receiving info from wpa.
				427	allow system_server wpa_socket:dir rw_dir_perms;
				428	allow system_server system_wpa_socket:sock_file create_file_perms;
				429
				430	# Remove sockets created by wpa_supplicant
				431	allow system_server wpa_socket:sock_file unlink;
				432
				433	# Create a socket for connections from debuggerd.
				434	allow system_server system_ndebug_socket:sock_file create_file_perms;
				435
				436	# Manage cache files.
				437	allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
				438	allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
				439	allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
				440
				441	allow system_server system_file:dir r_dir_perms;
				442	allow system_server system_file:lnk_file r_file_perms;
				443
				444	# LocationManager(e.g, GPS) needs to read and write
				445	# to uart driver and ctrl proc entry
				446	allow system_server gps_control:file rw_file_perms;
				447
				448	# Allow system_server to use app-created sockets and pipes.
				449	allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
				450	allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
				451
				452	# Allow abstract socket connection
				453	allow system_server rild:unix_stream_socket connectto;
				454
				455	# BackupManagerService needs to manipulate backup data files
				456	allow system_server cache_backup_file:dir rw_dir_perms;
				457	allow system_server cache_backup_file:file create_file_perms;
				458	# LocalTransport works inside /cache/backup
				459	allow system_server cache_private_backup_file:dir create_dir_perms;
				460	allow system_server cache_private_backup_file:file create_file_perms;
				461
				462	# Allow system to talk to usb device
				463	allow system_server usb_device:chr_file rw_file_perms;
				464	allow system_server usb_device:dir r_dir_perms;
				465
				466	# Allow system to talk to sensors
				467	allow system_server sensors_device:chr_file rw_file_perms;
				468
				469	# Read from HW RNG (needed by EntropyMixer).
				470	allow system_server hw_random_device:chr_file r_file_perms;
				471
				472	# Read and delete files under /dev/fscklogs.
				473	r_dir_file(system_server, fscklogs)
				474	allow system_server fscklogs:dir { write remove_name };
				475	allow system_server fscklogs:file unlink;
				476
				477	# logd access, system_server inherit logd write socket
				478	# (urge is to deprecate this long term)
				479	allow system_server zygote:unix_dgram_socket write;
				480
				481	# Read from log daemon.
				482	read_logd(system_server)
				483	read_runtime_log_tags(system_server)
				484
				485	# Be consistent with DAC permissions. Allow system_server to write to
				486	# /sys/module/lowmemorykiller/parameters/adj
				487	# /sys/module/lowmemorykiller/parameters/minfree
				488	allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
				489
				490	# Read /sys/fs/pstore/console-ramoops
				491	# Don't worry about overly broad permissions for now, as there's
				492	# only one file in /sys/fs/pstore
				493	allow system_server pstorefs:dir r_dir_perms;
				494	allow system_server pstorefs:file r_file_perms;
				495
				496	# /sys access
				497	allow system_server sysfs_zram:dir search;
				498	allow system_server sysfs_zram:file r_file_perms;
				499
				500	add_service(system_server, system_server_service);
				501	allow system_server audioserver_service:service_manager find;
				502	allow system_server batteryproperties_service:service_manager find;
				503	allow system_server cameraserver_service:service_manager find;
				504	allow system_server drmserver_service:service_manager find;
				505	allow system_server dumpstate_service:service_manager find;
				506	allow system_server fingerprintd_service:service_manager find;
				507	allow system_server hal_fingerprint_service:service_manager find;
				508	allow system_server gatekeeper_service:service_manager find;
Joe Onorato	41f93db	2016-11-20 23:23:04 -0800	[diff] [blame]	509	allow system_server incident_service:service_manager find;
Alex Klyubin	59322f1	2017-02-06 15:39:36 -0800	[diff] [blame]	510	allow system_server installd_service:service_manager find;
				511	allow system_server keystore_service:service_manager find;
				512	allow system_server mediaserver_service:service_manager find;
				513	allow system_server mediametrics_service:service_manager find;
				514	allow system_server mediaextractor_service:service_manager find;
				515	allow system_server mediacodec_service:service_manager find;
				516	allow system_server mediadrmserver_service:service_manager find;
				517	allow system_server netd_service:service_manager find;
				518	allow system_server nfc_service:service_manager find;
				519	allow system_server radio_service:service_manager find;
				520	allow system_server surfaceflinger_service:service_manager find;
				521	allow system_server wificond_service:service_manager find;
				522
				523	allow system_server keystore:keystore_key {
				524	get_state
				525	get
				526	insert
				527	delete
				528	exist
				529	list
				530	reset
				531	password
				532	lock
				533	unlock
				534	is_empty
				535	sign
				536	verify
				537	grant
				538	duplicate
				539	clear_uid
				540	add_auth
				541	user_changed
				542	};
				543
				544	# Allow system server to search and write to the persistent factory reset
				545	# protection partition. This block device does not get wiped in a factory reset.
				546	allow system_server block_device:dir search;
				547	allow system_server frp_block_device:blk_file rw_file_perms;
				548
				549	# Clean up old cgroups
				550	allow system_server cgroup:dir { remove_name rmdir };
				551
				552	# /oem access
				553	r_dir_file(system_server, oemfs)
				554
				555	# Allow resolving per-user storage symlinks
				556	allow system_server { mnt_user_file storage_file }:dir { getattr search };
				557	allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
				558
				559	# Allow statfs() on storage devices, which happens fast enough that
				560	# we shouldn't be killed during unsafe removal
				561	allow system_server sdcard_type:dir { getattr search };
				562
				563	# Traverse into expanded storage
				564	allow system_server mnt_expand_file:dir r_dir_perms;
				565
				566	# Allow system process to relabel the fingerprint directory after mkdir
				567	# and delete the directory and files when no longer needed
				568	allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
				569	allow system_server fingerprintd_data_file:file { getattr unlink };
				570
				571	# Allow system process to read network MAC address
				572	allow system_server sysfs_mac_address:file r_file_perms;
				573
				574	userdebug_or_eng(`
				575	# Allow system server to create and write method traces in /data/misc/trace.
				576	allow system_server method_trace_data_file:dir w_dir_perms;
				577	allow system_server method_trace_data_file:file { create w_file_perms };
				578
				579	# Allow system server to read dmesg
				580	allow system_server kernel:system syslog_read;
				581	')
				582
				583	# For AppFuse.
				584	allow system_server vold:fd use;
				585	allow system_server fuse_device:chr_file { read write ioctl getattr };
				586	allow system_server app_fuse_file:dir rw_dir_perms;
				587	allow system_server app_fuse_file:file { read write open getattr append };
				588
				589	# For configuring sdcardfs
				590	allow system_server configfs:dir { create_dir_perms };
				591	allow system_server configfs:file { getattr open unlink write };
				592
				593	# Connect to adbd and use a socket transferred from it.
				594	# Used for e.g. jdwp.
				595	allow system_server adbd:unix_stream_socket connectto;
				596	allow system_server adbd:fd use;
				597	allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
				598
				599	# Allow invoking tools like "timeout"
				600	allow system_server toolbox_exec:file rx_file_perms;
				601
				602	# Postinstall
				603	#
				604	# For OTA dexopt, allow calls coming from postinstall.
				605	binder_call(system_server, postinstall)
				606
				607	allow system_server postinstall:fifo_file write;
				608	allow system_server update_engine:fd use;
				609	allow system_server update_engine:fifo_file write;
				610
				611	# Access to /data/preloads
				612	allow system_server preloads_data_file:file { r_file_perms unlink };
				613	allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
				614
				615	r_dir_file(system_server, cgroup)
				616	allow system_server ion_device:chr_file r_file_perms;
				617	allow system_server hal_graphics_allocator:fd use;
				618
				619	r_dir_file(system_server, proc)
				620	r_dir_file(system_server, proc_meminfo)
				621	r_dir_file(system_server, proc_net)
				622	r_dir_file(system_server, rootfs)
				623	r_dir_file(system_server, sysfs_type)
				624
				625	# Allow system_server to make binder calls to hwservicemanager
				626	binder_call(system_server, hwservicemanager)
				627
				628	### Rules needed when Light HAL runs inside system_server process.
				629	### These rules should eventually be granted only when needed.
				630	allow system_server sysfs_leds:lnk_file read;
				631	allow system_server sysfs_leds:file rw_file_perms;
				632	allow system_server sysfs_leds:dir r_dir_perms;
				633	###
				634
				635	userdebug_or_eng(`
				636	# Allow WifiService to start, stop, and read wifi-specific trace events.
				637	allow system_server debugfs_tracing_instances:dir search;
				638	allow system_server debugfs_wifi_tracing:file rw_file_perms;
				639	')
				640
				641	###
				642	### Neverallow rules
				643	###
				644	### system_server should NEVER do any of this
				645
				646	# Do not allow opening files from external storage as unsafe ejection
				647	# could cause the kernel to kill the system_server.
				648	neverallow system_server sdcard_type:dir { open read write };
				649	neverallow system_server sdcard_type:file rw_file_perms;
				650
				651	# system server should never be operating on zygote spawned app data
				652	# files directly. Rather, they should always be passed via a
				653	# file descriptor.
				654	# Types extracted from seapp_contexts type= fields, excluding
				655	# those types that system_server needs to open directly.
				656	neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
				657
				658	# Forking and execing is inherently dangerous and racy. See, for
				659	# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
				660	# Prevent the addition of new file execs to stop the problem from
				661	# getting worse. b/28035297
				662	neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
				663
				664	# Ensure that system_server doesn't perform any domain transitions other than
				665	# transitioning to the crash_dump domain when a crash occurs.
				666	neverallow system_server { domain -crash_dump }:process transition;
				667	neverallow system_server *:process dyntransition;
				668
				669	# Only allow crash_dump to connect to system_ndebug_socket.
				670	neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
				671
				672	# system_server should never be executing dex2oat. This is either
				673	# a bug (for example, bug 16317188), or represents an attempt by
				674	# system server to dynamically load a dex file, something we do not
				675	# want to allow.
				676	neverallow system_server dex2oat_exec:file no_x_file_perms;
				677
				678	# system_server should never execute or load executable shared libraries
				679	# in /data except for /data/dalvik-cache files.
				680	neverallow system_server {
				681	data_file_type
				682	-dalvikcache_data_file #mapping with PROT_EXEC
				683	}:file no_x_file_perms;
				684
				685	# The only block device system_server should be accessing is
				686	# the frp_block_device. This helps avoid a system_server to root
				687	# escalation by writing to raw block devices.
				688	neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
				689
				690	# system_server should never use JIT functionality
				691	neverallow system_server self:process execmem;
				692	neverallow system_server ashmem_device:chr_file execute;
				693
dcashman	2e00e63	2016-10-12 14:58:09 -0700	[diff] [blame]	694	# TODO: deal with tmpfs_domain pub/priv split properly
Nick Kralevich	b56e6ef	2016-12-09 20:14:31 -0800	[diff] [blame]	695	neverallow system_server system_server_tmpfs:file execute;
Calin Juravle	e5a1f64	2017-01-17 20:31:31 -0800	[diff] [blame]	696
				697	# dexoptanalyzer is currently used only for secondary dex files which
				698	# system_server should never access.
				699	neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;