Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8c2323d3f9d052ddb7c2a3ef87db59d13f5021c0 / . / private / system_server.te
blob: c1b184a317a03b18d8b62d05626db23f807e8b0a [file] [log] [blame]
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]6typeattribute system_server coredomain;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]7typeattribute system_server mlstrustedsubject;
8
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]9# Define a type for tmpfs-backed ashmem regions.
10tmpfs_domain(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]11
Josh Gaocb3eb4e2016-10-19 14:39:30 -0700[diff] [blame]12# Create a socket for connections from crash_dump.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]13type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]14
15allow system_server zygote_tmpfs:file read;
16
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]17# For art.
18allow system_server dalvikcache_data_file:dir r_dir_perms;
Nick Kralevichaa365282017-05-03 14:01:58 -0700[diff] [blame]19allow system_server dalvikcache_data_file:file r_file_perms;
20
Andreas Gampec848d372017-04-03 15:23:16 -0700[diff] [blame]21# When running system server under --invoke-with, we'll try to load the boot image under the
22# system server domain, following links to the system partition.
23with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]24
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]25# /data/resource-cache
26allow system_server resourcecache_data_file:file r_file_perms;
27allow system_server resourcecache_data_file:dir r_dir_perms;
28
29# ptrace to processes in the same domain for debugging crashes.
30allow system_server self:process ptrace;
31
32# Child of the zygote.
33allow system_server zygote:fd use;
34allow system_server zygote:process sigchld;
35
36# May kill zygote on crashes.
37allow system_server zygote:process sigkill;
38allow system_server crash_dump:process sigkill;
39
40# Read /system/bin/app_process.
41allow system_server zygote_exec:file r_file_perms;
42
43# Needed to close the zygote socket, which involves getopt / getattr
44allow system_server zygote:unix_stream_socket { getopt getattr };
45
46# system server gets network and bluetooth permissions.
47net_domain(system_server)
48# in addition to ioctls whitelisted for all domains, also allow system_server
49# to use privileged ioctls commands. Needed to set up VPNs.
50allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
51bluetooth_domain(system_server)
52
53# These are the capabilities assigned by the zygote to the
54# system server.
55allow system_server self:capability {
56 ipc_lock
57 kill
58 net_admin
59 net_bind_service
60 net_broadcast
61 net_raw
62 sys_boot
63 sys_nice
Nick Kralevich44866952017-02-15 15:04:43 -0800[diff] [blame]64 sys_ptrace
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]65 sys_time
66 sys_tty_config
67};
68
69wakelock_use(system_server)
70
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]71# Trigger module auto-load.
72allow system_server kernel:system module_request;
73
74# Allow alarmtimers to be set
75allow system_server self:capability2 wake_alarm;
76
Jeff Vander Stoepe58a8de2017-06-26 22:06:20 -0700[diff] [blame]77# Create and share netlink_netfilter_sockets for tetheroffload.
78allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
79
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]80# Use netlink uevent sockets.
81allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
82
83# Use generic netlink sockets.
84allow system_server self:netlink_socket create_socket_perms_no_ioctl;
85allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
86
Michael Schwartzbc3150a2017-05-18 09:59:05 -0700[diff] [blame]87# libvintf reads the kernel config to verify vendor interface compatibility.
88allow system_server config_gz:file { read open };
89
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]90# Use generic "sockets" where the address family is not known
91# to the kernel. The ioctl permission is specifically omitted here, but may
92# be added to device specific policy along with the ioctl commands to be
93# whitelisted.
94allow system_server self:socket create_socket_perms_no_ioctl;
95
96# Set and get routes directly via netlink.
97allow system_server self:netlink_route_socket nlmsg_write;
98
99# Kill apps.
Tom Cherryc59eb4d2017-06-13 14:49:17 -0700[diff] [blame]100allow system_server appdomain:process { getpgid sigkill signal };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]101
102# Set scheduling info for apps.
103allow system_server appdomain:process { getsched setsched };
104allow system_server audioserver:process { getsched setsched };
105allow system_server hal_audio:process { getsched setsched };
Philip Cuadra6eee6eb2017-03-23 10:03:49 -0700[diff] [blame]106allow system_server hal_bluetooth:process { getsched setsched };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]107allow system_server cameraserver:process { getsched setsched };
Eino-Ville Talvala6d53c9e2017-02-15 13:38:25 -0800[diff] [blame]108allow system_server hal_camera:process { getsched setsched };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]109allow system_server mediaserver:process { getsched setsched };
110allow system_server bootanim:process { getsched setsched };
111
Jeff Vander Stoep5c41d402017-07-28 16:04:21 -0700[diff] [blame]112# Allow system_server to write to /proc/<pid>/timerslack_ns
113allow system_server appdomain:file w_file_perms;
114allow system_server audioserver:file w_file_perms;
Max Bires655599a2017-07-18 10:18:35 -0700[diff] [blame]115allow system_server cameraserver:file w_file_perms;
116
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]117# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
118# within system_server to keep track of memory and CPU usage for
119# all processes on the device. In addition, /proc/pid files access is needed
120# for dumping stack traces of native processes.
121r_dir_file(system_server, domain)
122
123# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
124allow system_server qtaguid_proc:file rw_file_perms;
125allow system_server qtaguid_device:chr_file rw_file_perms;
126
127# Read /proc/uid_cputime/show_uid_stat.
128allow system_server proc_uid_cputime_showstat:file r_file_perms;
129
130# Write /proc/uid_cputime/remove_uid_range.
131allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
132
133# Write /proc/uid_procstat/set.
134allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
135
Andres Oportus4dc88792017-06-07 10:39:11 -0700[diff] [blame]136# Read /proc/uid_time_in_state.
137allow system_server proc_uid_time_in_state:file r_file_perms;
138
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]139# Write to /proc/sysrq-trigger.
140allow system_server proc_sysrq:file rw_file_perms;
141
142# Read /proc/stat for CPU usage statistics
143allow system_server proc_stat:file r_file_perms;
144
145# Read /sys/kernel/debug/wakeup_sources.
146allow system_server debugfs:file r_file_perms;
147
148# The DhcpClient and WifiWatchdog use packet_sockets
149allow system_server self:packet_socket create_socket_perms_no_ioctl;
150
151# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
152# as raw sockets, but the kernel doesn't yet distinguish between the two.
153allow system_server node:rawip_socket node_bind;
154
155# 3rd party VPN clients require a tun_socket to be created
156allow system_server self:tun_socket create_socket_perms_no_ioctl;
157
158# Talk to init and various daemons via sockets.
159unix_socket_connect(system_server, lmkd, lmkd)
160unix_socket_connect(system_server, mtpd, mtp)
161unix_socket_connect(system_server, netd, netd)
162unix_socket_connect(system_server, vold, vold)
163unix_socket_connect(system_server, webview_zygote, webview_zygote)
164unix_socket_connect(system_server, zygote, zygote)
165unix_socket_connect(system_server, racoon, racoon)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]166unix_socket_connect(system_server, uncrypt, uncrypt)
167
168# Communicate over a socket created by surfaceflinger.
169allow system_server surfaceflinger:unix_stream_socket { read write setopt };
170
171# Perform Binder IPC.
172binder_use(system_server)
173binder_call(system_server, appdomain)
174binder_call(system_server, binderservicedomain)
175binder_call(system_server, dumpstate)
176binder_call(system_server, fingerprintd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]177binder_call(system_server, gatekeeperd)
178binder_call(system_server, installd)
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]179binder_call(system_server, incidentd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]180binder_call(system_server, netd)
Jeff Sharkey0fa3fb02017-09-06 11:17:32 -0600[diff] [blame]181binder_call(system_server, vold)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]182binder_call(system_server, wificond)
183binder_service(system_server)
184
Alex Klyubin632bc492017-04-13 19:05:27 -0700[diff] [blame]185# Use HALs
Alex Klyubin7cda44f2017-03-21 14:28:53 -0700[diff] [blame]186hal_client_domain(system_server, hal_allocator)
Tomasz Wasilczyk567b9472017-08-07 17:06:06 -0700[diff] [blame]187hal_client_domain(system_server, hal_broadcastradio)
Jeff Vander Stoep23e0a7f2017-06-23 08:40:16 -0700[diff] [blame]188hal_client_domain(system_server, hal_configstore)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]189hal_client_domain(system_server, hal_contexthub)
Alex Klyubinf98650e2017-02-21 15:35:16 -0800[diff] [blame]190hal_client_domain(system_server, hal_fingerprint)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]191hal_client_domain(system_server, hal_gnss)
Alex Klyubin5007c102017-04-17 12:53:40 -0700[diff] [blame]192hal_client_domain(system_server, hal_graphics_allocator)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]193hal_client_domain(system_server, hal_ir)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]194hal_client_domain(system_server, hal_light)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]195hal_client_domain(system_server, hal_memtrack)
Michael Butlere9d07b92017-06-29 18:33:03 -0700[diff] [blame]196hal_client_domain(system_server, hal_neuralnetworks)
Andrew Scull46ac9262017-03-27 15:40:21 +0100[diff] [blame]197hal_client_domain(system_server, hal_oemlock)
Alex Klyubin632bc492017-04-13 19:05:27 -0700[diff] [blame]198allow system_server hal_omx_hwservice:hwservice_manager find;
199allow system_server hidl_token_hwservice:hwservice_manager find;
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]200hal_client_domain(system_server, hal_power)
Alex Klyubin41518be2017-03-13 15:13:52 -0700[diff] [blame]201hal_client_domain(system_server, hal_sensors)
pkanwar722249b2017-05-21 16:49:37 -0700[diff] [blame]202hal_client_domain(system_server, hal_tetheroffload)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]203hal_client_domain(system_server, hal_thermal)
Donghyun Chof81dd0c2017-04-05 11:20:48 +0900[diff] [blame]204hal_client_domain(system_server, hal_tv_cec)
Shubangc76e1582017-03-29 15:03:59 -0700[diff] [blame]205hal_client_domain(system_server, hal_tv_input)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]206hal_client_domain(system_server, hal_usb)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]207hal_client_domain(system_server, hal_vibrator)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame]208hal_client_domain(system_server, hal_vr)
Andrew Scull9c58c142017-03-27 14:27:20 +0100[diff] [blame]209hal_client_domain(system_server, hal_weaver)
Alex Klyubin1d2a1472017-02-22 15:12:19 -0800[diff] [blame]210hal_client_domain(system_server, hal_wifi)
Sohani Rao3dd460b2017-03-01 10:25:44 -0800[diff] [blame]211hal_client_domain(system_server, hal_wifi_offload)
Roshan Pius2a9595e2017-02-18 21:32:32 -0800[diff] [blame]212hal_client_domain(system_server, hal_wifi_supplicant)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]213
Martijn Coenenfc80f482017-04-15 08:09:08 -0700[diff] [blame]214binder_call(system_server, mediacodec)
215
Martijn Coenende2e79c2017-04-14 15:55:20 -0700[diff] [blame]216# Talk with graphics composer fences
217allow system_server hal_graphics_composer:fd use;
218
Alex Klyubin632bc492017-04-13 19:05:27 -0700[diff] [blame]219# Use RenderScript always-passthrough HAL
220allow system_server hal_renderscript_hwservice:hwservice_manager find;
221
222# Offer HwBinder services
223add_hwservice(system_server, fwk_scheduler_hwservice)
224add_hwservice(system_server, fwk_sensor_hwservice)
225
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]226# Talk to tombstoned to get ANR traces.
227unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
228
Chia-I Wue4d21462017-04-20 14:34:00 -0700[diff] [blame]229# List HAL interfaces to get ANR traces.
230allow system_server hwservicemanager:hwservice_manager list;
231
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]232# Send signals to trigger ANR traces.
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]233allow system_server {
Steven Morelandfac31442017-03-24 09:37:17 -0700[diff] [blame]234 # This is derived from the list that system server defines as interesting native processes
235 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
236 # frameworks/base/services/core/java/com/android/server/Watchdog.java.
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]237 audioserver
238 cameraserver
239 drmserver
240 inputflinger
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]241 mediadrmserver
242 mediaextractor
243 mediaserver
244 mediametrics
245 sdcardd
246 surfaceflinger
Steven Morelandfac31442017-03-24 09:37:17 -0700[diff] [blame]247
248 # This list comes from HAL_INTERFACES_OF_INTEREST in
249 # frameworks/base/services/core/java/com/android/server/Watchdog.java.
250 hal_audio_server
251 hal_bluetooth_server
252 hal_camera_server
Chia-I Wue4d21462017-04-20 14:34:00 -0700[diff] [blame]253 hal_graphics_composer_server
Peng Xue4968f92017-07-11 21:18:53 -0700[diff] [blame]254 hal_sensors_server
Steven Morelandfac31442017-03-24 09:37:17 -0700[diff] [blame]255 hal_vr_server
256 mediacodec # TODO(b/36375899): hal_omx_server
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]257}:process { signal };
258
259# Use sockets received over binder from various services.
260allow system_server audioserver:tcp_socket rw_socket_perms;
261allow system_server audioserver:udp_socket rw_socket_perms;
262allow system_server mediaserver:tcp_socket rw_socket_perms;
263allow system_server mediaserver:udp_socket rw_socket_perms;
264
265# Use sockets received over binder from various services.
266allow system_server mediadrmserver:tcp_socket rw_socket_perms;
267allow system_server mediadrmserver:udp_socket rw_socket_perms;
268
Sandeep Patilc9cf7362017-03-24 15:02:13 -0700[diff] [blame]269# Get file context
270allow system_server file_contexts_file:file r_file_perms;
Sandeep Patilbb24f3a2017-03-27 12:06:04 -0700[diff] [blame]271# access for mac_permissions
272allow system_server mac_perms_file: file r_file_perms;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]273# Check SELinux permissions.
274selinux_check_access(system_server)
275
276# XXX Label sysfs files with a specific type?
277allow system_server sysfs:file rw_file_perms;
278allow system_server sysfs_nfc_power_writable:file rw_file_perms;
279allow system_server sysfs_devices_system_cpu:file w_file_perms;
280allow system_server sysfs_mac_address:file r_file_perms;
281allow system_server sysfs_thermal:dir search;
282allow system_server sysfs_thermal:file r_file_perms;
283
284# TODO: Remove when HALs are forced into separate processes
285allow system_server sysfs_vibrator:file { write append };
286
287# TODO: added to match above sysfs rule. Remove me?
288allow system_server sysfs_usb:file w_file_perms;
289
290# Access devices.
291allow system_server device:dir r_dir_perms;
292allow system_server mdns_socket:sock_file rw_file_perms;
293allow system_server alarm_device:chr_file rw_file_perms;
294allow system_server gpu_device:chr_file rw_file_perms;
295allow system_server iio_device:chr_file rw_file_perms;
296allow system_server input_device:dir r_dir_perms;
297allow system_server input_device:chr_file rw_file_perms;
298allow system_server radio_device:chr_file r_file_perms;
299allow system_server tty_device:chr_file rw_file_perms;
300allow system_server usbaccessory_device:chr_file rw_file_perms;
301allow system_server video_device:dir r_dir_perms;
302allow system_server video_device:chr_file rw_file_perms;
303allow system_server adbd_socket:sock_file rw_file_perms;
304allow system_server rtc_device:chr_file rw_file_perms;
305allow system_server audio_device:dir r_dir_perms;
306
307# write access needed for MIDI
308allow system_server audio_device:chr_file rw_file_perms;
309
310# tun device used for 3rd party vpn apps
311allow system_server tun_device:chr_file rw_file_perms;
312
313# Manage system data files.
314allow system_server system_data_file:dir create_dir_perms;
315allow system_server system_data_file:notdevfile_class_set create_file_perms;
316allow system_server keychain_data_file:dir create_dir_perms;
317allow system_server keychain_data_file:file create_file_perms;
318allow system_server keychain_data_file:lnk_file create_file_perms;
319
320# Manage /data/app.
321allow system_server apk_data_file:dir create_dir_perms;
322allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
323allow system_server apk_tmp_file:dir create_dir_perms;
324allow system_server apk_tmp_file:file create_file_perms;
325
Sandeep Patil277a20e2017-04-01 17:17:12 -0700[diff] [blame]326# Access /vendor/app
327r_dir_file(system_server, vendor_app_file)
328
Sandeep Patil90756992017-04-05 16:16:13 -0700[diff] [blame]329# Access /vendor/app
330r_dir_file(system_server, vendor_overlay_file)
331
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]332# Manage /data/app-private.
333allow system_server apk_private_data_file:dir create_dir_perms;
334allow system_server apk_private_data_file:file create_file_perms;
335allow system_server apk_private_tmp_file:dir create_dir_perms;
336allow system_server apk_private_tmp_file:file create_file_perms;
337
338# Manage files within asec containers.
339allow system_server asec_apk_file:dir create_dir_perms;
340allow system_server asec_apk_file:file create_file_perms;
341allow system_server asec_public_file:file create_file_perms;
342
343# Manage /data/anr.
Narayan Kamath11bfcc12017-05-15 18:39:16 +0100[diff] [blame]344#
345# TODO: Some of these permissions can be withdrawn once we've switched to the
346# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
347# the system_server should never need to create a new anr_data_file:file or write
348# to one, but it will still need to read and append to existing files.
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]349allow system_server anr_data_file:dir create_dir_perms;
350allow system_server anr_data_file:file create_file_perms;
351
Narayan Kamath11bfcc12017-05-15 18:39:16 +0100[diff] [blame]352# New stack dumping scheme : request an output FD from tombstoned via a unix
353# domain socket.
354#
355# Allow system_server to connect and write to the tombstoned java trace socket in
Narayan Kamatha34781a2017-05-30 17:52:46 +0100[diff] [blame]356# order to dump its traces. Also allow the system server to write its traces to
357# dumpstate during bugreport capture.
Narayan Kamath11bfcc12017-05-15 18:39:16 +0100[diff] [blame]358unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
359allow system_server tombstoned:fd use;
Narayan Kamatha34781a2017-05-30 17:52:46 +0100[diff] [blame]360allow system_server dumpstate:fifo_file append;
Narayan Kamath11bfcc12017-05-15 18:39:16 +0100[diff] [blame]361
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]362# Read /data/misc/incidents - only read. The fd will be sent over binder,
363# with no DAC access to it, for dropbox to read.
364allow system_server incident_data_file:file read;
365
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]366# Manage /data/backup.
367allow system_server backup_data_file:dir create_dir_perms;
368allow system_server backup_data_file:file create_file_perms;
369
370# Write to /data/system/heapdump
371allow system_server heapdump_data_file:dir rw_dir_perms;
372allow system_server heapdump_data_file:file create_file_perms;
373
374# Manage /data/misc/adb.
375allow system_server adb_keys_file:dir create_dir_perms;
376allow system_server adb_keys_file:file create_file_perms;
377
378# Manage /data/misc/sms.
379# TODO: Split into a separate type?
380allow system_server radio_data_file:dir create_dir_perms;
381allow system_server radio_data_file:file create_file_perms;
382
383# Manage /data/misc/systemkeys.
384allow system_server systemkeys_data_file:dir create_dir_perms;
385allow system_server systemkeys_data_file:file create_file_perms;
386
Abodunrinwa Tokiadfc5db2017-04-26 21:20:20 +0100[diff] [blame]387# Manage /data/misc/textclassifier.
388allow system_server textclassifier_data_file:dir create_dir_perms;
389allow system_server textclassifier_data_file:file create_file_perms;
390
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]391# Access /data/tombstones.
392allow system_server tombstone_data_file:dir r_dir_perms;
393allow system_server tombstone_data_file:file r_file_perms;
394
395# Manage /data/misc/vpn.
396allow system_server vpn_data_file:dir create_dir_perms;
397allow system_server vpn_data_file:file create_file_perms;
398
399# Manage /data/misc/wifi.
400allow system_server wifi_data_file:dir create_dir_perms;
401allow system_server wifi_data_file:file create_file_perms;
402
403# Manage /data/misc/zoneinfo.
404allow system_server zoneinfo_data_file:dir create_dir_perms;
405allow system_server zoneinfo_data_file:file create_file_perms;
406
407# Walk /data/data subdirectories.
408# Types extracted from seapp_contexts type= fields.
409allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
410# Also permit for unlabeled /data/data subdirectories and
411# for unlabeled asec containers on upgrades from 4.2.
412allow system_server unlabeled:dir r_dir_perms;
413# Read pkg.apk file before it has been relabeled by vold.
414allow system_server unlabeled:file r_file_perms;
415
416# Populate com.android.providers.settings/databases/settings.db.
417allow system_server system_app_data_file:dir create_dir_perms;
418allow system_server system_app_data_file:file create_file_perms;
419
420# Receive and use open app data files passed over binder IPC.
421# Types extracted from seapp_contexts type= fields.
422allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
423
424# Access to /data/media for measuring disk usage.
425allow system_server media_rw_data_file:dir { search getattr open read };
426
427# Receive and use open /data/media files passed over binder IPC.
428# Also used for measuring disk usage.
429allow system_server media_rw_data_file:file { getattr read write append };
430
431# Relabel apk files.
432allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
433allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
434
435# Relabel wallpaper.
436allow system_server system_data_file:file relabelfrom;
437allow system_server wallpaper_file:file relabelto;
438allow system_server wallpaper_file:file { rw_file_perms rename unlink };
439
440# Backup of wallpaper imagery uses temporary hard links to avoid data churn
441allow system_server { system_data_file wallpaper_file }:file link;
442
443# ShortcutManager icons
444allow system_server system_data_file:dir relabelfrom;
445allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
446allow system_server shortcut_manager_icons:file create_file_perms;
447
448# Manage ringtones.
449allow system_server ringtone_file:dir { create_dir_perms relabelto };
450allow system_server ringtone_file:file create_file_perms;
451
452# Relabel icon file.
453allow system_server icon_file:file relabelto;
454allow system_server icon_file:file { rw_file_perms unlink };
455
456# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
457allow system_server system_data_file:dir relabelfrom;
458
459# Property Service write
460set_prop(system_server, system_prop)
461set_prop(system_server, safemode_prop)
462set_prop(system_server, dhcp_prop)
463set_prop(system_server, net_radio_prop)
Nick Kralevich4e404292017-02-09 16:08:11 -0800[diff] [blame]464set_prop(system_server, net_dns_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]465set_prop(system_server, system_radio_prop)
466set_prop(system_server, debug_prop)
467set_prop(system_server, powerctl_prop)
468set_prop(system_server, fingerprint_prop)
469set_prop(system_server, device_logging_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]470set_prop(system_server, dumpstate_options_prop)
471set_prop(system_server, overlay_prop)
472userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
473
474# ctl interface
475set_prop(system_server, ctl_default_prop)
476set_prop(system_server, ctl_bugreport_prop)
477
478# cppreopt property
479set_prop(system_server, cppreopt_prop)
480
Mark Salyzyn006c2e92017-08-14 14:25:10 -0700[diff] [blame]481# BootReceiver to read ro.boot.bootreason
482get_prop(system_server, bootloader_boot_reason_prop)
483# PowerManager to read persist.sys.boot.reason
484get_prop(system_server, last_boot_reason_prop)
485
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]486# Collect metrics on boot time created by init
487get_prop(system_server, boottime_prop)
488
489# Read device's serial number from system properties
490get_prop(system_server, serialno_prop)
491
492# Read/write the property which keeps track of whether this is the first start of system_server
493set_prop(system_server, firstboot_prop)
494
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]495# Create a socket for connections from debuggerd.
496allow system_server system_ndebug_socket:sock_file create_file_perms;
497
498# Manage cache files.
Jeff Vander Stoepa4cada72017-07-26 09:54:36 -0700[diff] [blame]499allow system_server cache_file:lnk_file r_file_perms;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]500allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
501allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
502allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
503
504allow system_server system_file:dir r_dir_perms;
505allow system_server system_file:lnk_file r_file_perms;
506
507# LocationManager(e.g, GPS) needs to read and write
508# to uart driver and ctrl proc entry
509allow system_server gps_control:file rw_file_perms;
510
511# Allow system_server to use app-created sockets and pipes.
512allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
513allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
514
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]515# BackupManagerService needs to manipulate backup data files
516allow system_server cache_backup_file:dir rw_dir_perms;
517allow system_server cache_backup_file:file create_file_perms;
518# LocalTransport works inside /cache/backup
519allow system_server cache_private_backup_file:dir create_dir_perms;
520allow system_server cache_private_backup_file:file create_file_perms;
521
522# Allow system to talk to usb device
523allow system_server usb_device:chr_file rw_file_perms;
524allow system_server usb_device:dir r_dir_perms;
525
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]526# Read from HW RNG (needed by EntropyMixer).
527allow system_server hw_random_device:chr_file r_file_perms;
528
529# Read and delete files under /dev/fscklogs.
530r_dir_file(system_server, fscklogs)
531allow system_server fscklogs:dir { write remove_name };
532allow system_server fscklogs:file unlink;
533
534# logd access, system_server inherit logd write socket
535# (urge is to deprecate this long term)
536allow system_server zygote:unix_dgram_socket write;
537
538# Read from log daemon.
539read_logd(system_server)
540read_runtime_log_tags(system_server)
541
542# Be consistent with DAC permissions. Allow system_server to write to
543# /sys/module/lowmemorykiller/parameters/adj
544# /sys/module/lowmemorykiller/parameters/minfree
545allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
546
547# Read /sys/fs/pstore/console-ramoops
548# Don't worry about overly broad permissions for now, as there's
549# only one file in /sys/fs/pstore
550allow system_server pstorefs:dir r_dir_perms;
551allow system_server pstorefs:file r_file_perms;
552
553# /sys access
554allow system_server sysfs_zram:dir search;
555allow system_server sysfs_zram:file r_file_perms;
556
557add_service(system_server, system_server_service);
558allow system_server audioserver_service:service_manager find;
559allow system_server batteryproperties_service:service_manager find;
560allow system_server cameraserver_service:service_manager find;
561allow system_server drmserver_service:service_manager find;
562allow system_server dumpstate_service:service_manager find;
563allow system_server fingerprintd_service:service_manager find;
564allow system_server hal_fingerprint_service:service_manager find;
565allow system_server gatekeeper_service:service_manager find;
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]566allow system_server incident_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]567allow system_server installd_service:service_manager find;
568allow system_server keystore_service:service_manager find;
569allow system_server mediaserver_service:service_manager find;
570allow system_server mediametrics_service:service_manager find;
571allow system_server mediaextractor_service:service_manager find;
572allow system_server mediacodec_service:service_manager find;
573allow system_server mediadrmserver_service:service_manager find;
574allow system_server netd_service:service_manager find;
575allow system_server nfc_service:service_manager find;
576allow system_server radio_service:service_manager find;
577allow system_server surfaceflinger_service:service_manager find;
Jeff Sharkey0fa3fb02017-09-06 11:17:32 -0600[diff] [blame]578allow system_server vold_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]579allow system_server wificond_service:service_manager find;
580
581allow system_server keystore:keystore_key {
582 get_state
583 get
584 insert
585 delete
586 exist
587 list
588 reset
589 password
590 lock
591 unlock
592 is_empty
593 sign
594 verify
595 grant
596 duplicate
597 clear_uid
598 add_auth
599 user_changed
600};
601
602# Allow system server to search and write to the persistent factory reset
603# protection partition. This block device does not get wiped in a factory reset.
604allow system_server block_device:dir search;
605allow system_server frp_block_device:blk_file rw_file_perms;
606
607# Clean up old cgroups
608allow system_server cgroup:dir { remove_name rmdir };
609
610# /oem access
611r_dir_file(system_server, oemfs)
612
613# Allow resolving per-user storage symlinks
614allow system_server { mnt_user_file storage_file }:dir { getattr search };
615allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
616
617# Allow statfs() on storage devices, which happens fast enough that
618# we shouldn't be killed during unsafe removal
619allow system_server sdcard_type:dir { getattr search };
620
621# Traverse into expanded storage
622allow system_server mnt_expand_file:dir r_dir_perms;
623
624# Allow system process to relabel the fingerprint directory after mkdir
625# and delete the directory and files when no longer needed
626allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
627allow system_server fingerprintd_data_file:file { getattr unlink };
628
629# Allow system process to read network MAC address
630allow system_server sysfs_mac_address:file r_file_perms;
631
632userdebug_or_eng(`
633 # Allow system server to create and write method traces in /data/misc/trace.
634 allow system_server method_trace_data_file:dir w_dir_perms;
635 allow system_server method_trace_data_file:file { create w_file_perms };
636
637 # Allow system server to read dmesg
638 allow system_server kernel:system syslog_read;
639')
640
641# For AppFuse.
642allow system_server vold:fd use;
643allow system_server fuse_device:chr_file { read write ioctl getattr };
644allow system_server app_fuse_file:dir rw_dir_perms;
645allow system_server app_fuse_file:file { read write open getattr append };
646
647# For configuring sdcardfs
648allow system_server configfs:dir { create_dir_perms };
649allow system_server configfs:file { getattr open unlink write };
650
651# Connect to adbd and use a socket transferred from it.
652# Used for e.g. jdwp.
653allow system_server adbd:unix_stream_socket connectto;
654allow system_server adbd:fd use;
655allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
656
657# Allow invoking tools like "timeout"
658allow system_server toolbox_exec:file rx_file_perms;
659
660# Postinstall
661#
662# For OTA dexopt, allow calls coming from postinstall.
663binder_call(system_server, postinstall)
664
665allow system_server postinstall:fifo_file write;
666allow system_server update_engine:fd use;
667allow system_server update_engine:fifo_file write;
668
669# Access to /data/preloads
670allow system_server preloads_data_file:file { r_file_perms unlink };
671allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
Fyodor Kupolovb238fe62017-03-14 11:42:03 -0700[diff] [blame]672allow system_server preloads_media_file:file { r_file_perms unlink };
673allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]674
675r_dir_file(system_server, cgroup)
676allow system_server ion_device:chr_file r_file_perms;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]677
Tri Vo8c2323d2017-09-14 13:59:09 -0700[diff] [blame^]678r_dir_file(system_server, proc_asound_cards)
679r_dir_file(system_server, proc_loadavg)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]680r_dir_file(system_server, proc_meminfo)
681r_dir_file(system_server, proc_net)
Tri Vo8c2323d2017-09-14 13:59:09 -0700[diff] [blame^]682r_dir_file(system_server, proc_pagetypeinfo)
683r_dir_file(system_server, proc_version)
684r_dir_file(system_server, proc_vmallocinfo)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]685r_dir_file(system_server, rootfs)
686r_dir_file(system_server, sysfs_type)
687
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]688### Rules needed when Light HAL runs inside system_server process.
689### These rules should eventually be granted only when needed.
690allow system_server sysfs_leds:lnk_file read;
691allow system_server sysfs_leds:file rw_file_perms;
692allow system_server sysfs_leds:dir r_dir_perms;
693###
694
mukesh agrawal723364f2017-02-22 18:01:00 -0800[diff] [blame]695# Allow WifiService to start, stop, and read wifi-specific trace events.
696allow system_server debugfs_tracing_instances:dir search;
Joel Galenson58d69292017-07-06 10:59:11 -0700[diff] [blame]697allow system_server debugfs_wifi_tracing:dir search;
mukesh agrawal723364f2017-02-22 18:01:00 -0800[diff] [blame]698allow system_server debugfs_wifi_tracing:file rw_file_perms;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]699
Andreas Gampe7db95722017-05-04 08:35:03 -0700[diff] [blame]700# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
Jeff Vander Stoep74434842017-03-13 12:22:15 -0700[diff] [blame]701# asanwrapper.
702with_asan(`
703 allow system_server shell_exec:file rx_file_perms;
Andreas Gampec848d372017-04-03 15:23:16 -0700[diff] [blame]704 allow system_server asanwrapper_exec:file rx_file_perms;
Andreas Gampe7db95722017-05-04 08:35:03 -0700[diff] [blame]705 allow system_server zygote_exec:file rx_file_perms;
Jeff Vander Stoep74434842017-03-13 12:22:15 -0700[diff] [blame]706')
707
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]708###
709### Neverallow rules
710###
711### system_server should NEVER do any of this
712
713# Do not allow opening files from external storage as unsafe ejection
714# could cause the kernel to kill the system_server.
715neverallow system_server sdcard_type:dir { open read write };
716neverallow system_server sdcard_type:file rw_file_perms;
717
718# system server should never be operating on zygote spawned app data
719# files directly. Rather, they should always be passed via a
720# file descriptor.
721# Types extracted from seapp_contexts type= fields, excluding
722# those types that system_server needs to open directly.
723neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
724
725# Forking and execing is inherently dangerous and racy. See, for
726# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
727# Prevent the addition of new file execs to stop the problem from
728# getting worse. b/28035297
Jeff Vander Stoep74434842017-03-13 12:22:15 -0700[diff] [blame]729neverallow system_server {
730 file_type
731 -toolbox_exec
732 -logcat_exec
Andreas Gampec848d372017-04-03 15:23:16 -0700[diff] [blame]733 with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
Jeff Vander Stoep74434842017-03-13 12:22:15 -0700[diff] [blame]734}:file execute_no_trans;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]735
736# Ensure that system_server doesn't perform any domain transitions other than
737# transitioning to the crash_dump domain when a crash occurs.
738neverallow system_server { domain -crash_dump }:process transition;
739neverallow system_server *:process dyntransition;
740
741# Only allow crash_dump to connect to system_ndebug_socket.
742neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
743
744# system_server should never be executing dex2oat. This is either
745# a bug (for example, bug 16317188), or represents an attempt by
746# system server to dynamically load a dex file, something we do not
747# want to allow.
748neverallow system_server dex2oat_exec:file no_x_file_perms;
749
750# system_server should never execute or load executable shared libraries
751# in /data except for /data/dalvik-cache files.
752neverallow system_server {
753 data_file_type
754 -dalvikcache_data_file #mapping with PROT_EXEC
755}:file no_x_file_perms;
756
757# The only block device system_server should be accessing is
758# the frp_block_device. This helps avoid a system_server to root
759# escalation by writing to raw block devices.
760neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
761
762# system_server should never use JIT functionality
763neverallow system_server self:process execmem;
764neverallow system_server ashmem_device:chr_file execute;
765
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]766# TODO: deal with tmpfs_domain pub/priv split properly
Nick Kralevichb56e6ef2016-12-09 20:14:31 -0800[diff] [blame]767neverallow system_server system_server_tmpfs:file execute;
Calin Juravlee5a1f642017-01-17 20:31:31 -0800[diff] [blame]768
769# dexoptanalyzer is currently used only for secondary dex files which
770# system_server should never access.
771neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
Nick Kralevich44866952017-02-15 15:04:43 -0800[diff] [blame]772
773# No ptracing others
774neverallow system_server { domain -system_server }:process ptrace;
775
776# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
777# file read access. However, that is now unnecessary (b/34951864)
778# This neverallow can be removed after b/34951864 is fixed.
779neverallow system_server system_server:capability sys_resource;