Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9e6b24c6a5dc026924b2ab983d6644063585cd9c / . / private / system_server.te
blob: 58a25e29cfd8a9ad653e056665ccd8cfb03f0bf4 [file] [log] [blame]
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
6typeattribute system_server domain_deprecated;
7typeattribute system_server mlstrustedsubject;
8
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]9# Define a type for tmpfs-backed ashmem regions.
10tmpfs_domain(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]11
Josh Gaocb3eb4e2016-10-19 14:39:30 -0700[diff] [blame]12# Create a socket for connections from crash_dump.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]13type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]14
15allow system_server zygote_tmpfs:file read;
16
17# Create a socket for receiving info from wpa.
18type_transition system_server wifi_data_file:sock_file system_wpa_socket;
19type_transition system_server wpa_socket:sock_file system_wpa_socket;
20
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]21# For art.
22allow system_server dalvikcache_data_file:dir r_dir_perms;
23allow system_server dalvikcache_data_file:file { r_file_perms execute };
24
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]25# /data/resource-cache
26allow system_server resourcecache_data_file:file r_file_perms;
27allow system_server resourcecache_data_file:dir r_dir_perms;
28
29# ptrace to processes in the same domain for debugging crashes.
30allow system_server self:process ptrace;
31
32# Child of the zygote.
33allow system_server zygote:fd use;
34allow system_server zygote:process sigchld;
35
36# May kill zygote on crashes.
37allow system_server zygote:process sigkill;
38allow system_server crash_dump:process sigkill;
39
40# Read /system/bin/app_process.
41allow system_server zygote_exec:file r_file_perms;
42
43# Needed to close the zygote socket, which involves getopt / getattr
44allow system_server zygote:unix_stream_socket { getopt getattr };
45
46# system server gets network and bluetooth permissions.
47net_domain(system_server)
48# in addition to ioctls whitelisted for all domains, also allow system_server
49# to use privileged ioctls commands. Needed to set up VPNs.
50allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
51bluetooth_domain(system_server)
52
53# These are the capabilities assigned by the zygote to the
54# system server.
55allow system_server self:capability {
56 ipc_lock
57 kill
58 net_admin
59 net_bind_service
60 net_broadcast
61 net_raw
62 sys_boot
63 sys_nice
64 sys_resource
65 sys_time
66 sys_tty_config
67};
68
69wakelock_use(system_server)
70
71# Triggered by /proc/pid accesses, not allowed.
72dontaudit system_server self:capability sys_ptrace;
73
74# Trigger module auto-load.
75allow system_server kernel:system module_request;
76
77# Allow alarmtimers to be set
78allow system_server self:capability2 wake_alarm;
79
80# Use netlink uevent sockets.
81allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
82
83# Use generic netlink sockets.
84allow system_server self:netlink_socket create_socket_perms_no_ioctl;
85allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
86
87# Use generic "sockets" where the address family is not known
88# to the kernel. The ioctl permission is specifically omitted here, but may
89# be added to device specific policy along with the ioctl commands to be
90# whitelisted.
91allow system_server self:socket create_socket_perms_no_ioctl;
92
93# Set and get routes directly via netlink.
94allow system_server self:netlink_route_socket nlmsg_write;
95
96# Kill apps.
97allow system_server appdomain:process { sigkill signal };
98
99# Set scheduling info for apps.
100allow system_server appdomain:process { getsched setsched };
101allow system_server audioserver:process { getsched setsched };
102allow system_server hal_audio:process { getsched setsched };
103allow system_server cameraserver:process { getsched setsched };
Eino-Ville Talvala6d9be832017-02-15 13:38:25 -0800[diff] [blame]104allow system_server hal_camera:process { getsched setsched };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]105allow system_server mediaserver:process { getsched setsched };
106allow system_server bootanim:process { getsched setsched };
107
108# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
109# within system_server to keep track of memory and CPU usage for
110# all processes on the device. In addition, /proc/pid files access is needed
111# for dumping stack traces of native processes.
112r_dir_file(system_server, domain)
113
114# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
115allow system_server qtaguid_proc:file rw_file_perms;
116allow system_server qtaguid_device:chr_file rw_file_perms;
117
118# Read /proc/uid_cputime/show_uid_stat.
119allow system_server proc_uid_cputime_showstat:file r_file_perms;
120
121# Write /proc/uid_cputime/remove_uid_range.
122allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
123
124# Write /proc/uid_procstat/set.
125allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
126
127# Write to /proc/sysrq-trigger.
128allow system_server proc_sysrq:file rw_file_perms;
129
130# Read /proc/stat for CPU usage statistics
131allow system_server proc_stat:file r_file_perms;
132
133# Read /sys/kernel/debug/wakeup_sources.
134allow system_server debugfs:file r_file_perms;
135
136# The DhcpClient and WifiWatchdog use packet_sockets
137allow system_server self:packet_socket create_socket_perms_no_ioctl;
138
139# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
140# as raw sockets, but the kernel doesn't yet distinguish between the two.
141allow system_server node:rawip_socket node_bind;
142
143# 3rd party VPN clients require a tun_socket to be created
144allow system_server self:tun_socket create_socket_perms_no_ioctl;
145
146# Talk to init and various daemons via sockets.
147unix_socket_connect(system_server, lmkd, lmkd)
148unix_socket_connect(system_server, mtpd, mtp)
149unix_socket_connect(system_server, netd, netd)
150unix_socket_connect(system_server, vold, vold)
151unix_socket_connect(system_server, webview_zygote, webview_zygote)
152unix_socket_connect(system_server, zygote, zygote)
153unix_socket_connect(system_server, racoon, racoon)
Roshan Piusa976e642017-02-18 21:32:32 -0800[diff] [blame]154# TODO(b/35707797): Remove this socket access.
155unix_socket_send(system_server, wpa, hal_wifi_supplicant_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]156unix_socket_connect(system_server, uncrypt, uncrypt)
157
158# Communicate over a socket created by surfaceflinger.
159allow system_server surfaceflinger:unix_stream_socket { read write setopt };
160
161# Perform Binder IPC.
162binder_use(system_server)
163binder_call(system_server, appdomain)
164binder_call(system_server, binderservicedomain)
165binder_call(system_server, dumpstate)
166binder_call(system_server, fingerprintd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]167binder_call(system_server, gatekeeperd)
168binder_call(system_server, installd)
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]169binder_call(system_server, incidentd)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]170binder_call(system_server, netd)
171binder_call(system_server, wificond)
172binder_service(system_server)
173
174# Perform HwBinder IPC.
175hwbinder_use(system_server)
Pawin Vongmasa5559d212017-01-24 02:45:16 -0800[diff] [blame]176hwallocator_use(system_server)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]177binder_call(system_server, hal_boot)
178binder_call(system_server, hal_contexthub)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]179hal_client_domain(system_server, hal_contexthub)
Alex Klyubinf98650e2017-02-21 15:35:16 -0800[diff] [blame]180hal_client_domain(system_server, hal_fingerprint)
Yifan Hong3107a6c2017-03-15 13:38:28 -0700[diff] [blame]181binder_call(system_server, hal_gnss)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]182hal_client_domain(system_server, hal_gnss)
Yifan Hong3107a6c2017-03-15 13:38:28 -0700[diff] [blame]183binder_call(system_server, hal_graphics_allocator)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]184binder_call(system_server, hal_ir)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]185hal_client_domain(system_server, hal_ir)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]186binder_call(system_server, hal_light)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]187hal_client_domain(system_server, hal_light)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]188binder_call(system_server, hal_memtrack)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]189hal_client_domain(system_server, hal_memtrack)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]190binder_call(system_server, hal_power)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]191hal_client_domain(system_server, hal_power)
Alex Klyubin41518be2017-03-13 15:13:52 -0700[diff] [blame]192hal_client_domain(system_server, hal_sensors)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]193binder_call(system_server, hal_thermal)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]194hal_client_domain(system_server, hal_thermal)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]195binder_call(system_server, hal_usb)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]196hal_client_domain(system_server, hal_usb)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]197binder_call(system_server, hal_vibrator)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]198hal_client_domain(system_server, hal_vibrator)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]199binder_call(system_server, hal_vr)
Alex Klyubin9e6b24c2017-03-16 18:48:40 -0700[diff] [blame^]200hal_client_domain(system_server, hal_vr)
Alex Klyubin1d2a1472017-02-22 15:12:19 -0800[diff] [blame]201hal_client_domain(system_server, hal_wifi)
Roshan Piusa976e642017-02-18 21:32:32 -0800[diff] [blame]202hal_client_domain(system_server, hal_wifi_supplicant)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]203
204# Talk to tombstoned to get ANR traces.
205unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
206
207# Send signals to trigger ANR traces.
208# This is derived from the list that system server defines as interesting native processes
209# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
210# frameworks/base/services/core/java/com/android/server/Watchdog.java.
211allow system_server {
212 audioserver
213 cameraserver
214 drmserver
215 inputflinger
216 mediacodec
217 mediadrmserver
218 mediaextractor
219 mediaserver
220 mediametrics
221 sdcardd
222 surfaceflinger
223}:process { signal };
224
225# Use sockets received over binder from various services.
226allow system_server audioserver:tcp_socket rw_socket_perms;
227allow system_server audioserver:udp_socket rw_socket_perms;
228allow system_server mediaserver:tcp_socket rw_socket_perms;
229allow system_server mediaserver:udp_socket rw_socket_perms;
230
231# Use sockets received over binder from various services.
232allow system_server mediadrmserver:tcp_socket rw_socket_perms;
233allow system_server mediadrmserver:udp_socket rw_socket_perms;
234
235# Check SELinux permissions.
236selinux_check_access(system_server)
237
238# XXX Label sysfs files with a specific type?
239allow system_server sysfs:file rw_file_perms;
240allow system_server sysfs_nfc_power_writable:file rw_file_perms;
241allow system_server sysfs_devices_system_cpu:file w_file_perms;
242allow system_server sysfs_mac_address:file r_file_perms;
243allow system_server sysfs_thermal:dir search;
244allow system_server sysfs_thermal:file r_file_perms;
245
246# TODO: Remove when HALs are forced into separate processes
247allow system_server sysfs_vibrator:file { write append };
248
249# TODO: added to match above sysfs rule. Remove me?
250allow system_server sysfs_usb:file w_file_perms;
251
252# Access devices.
253allow system_server device:dir r_dir_perms;
254allow system_server mdns_socket:sock_file rw_file_perms;
255allow system_server alarm_device:chr_file rw_file_perms;
256allow system_server gpu_device:chr_file rw_file_perms;
257allow system_server iio_device:chr_file rw_file_perms;
258allow system_server input_device:dir r_dir_perms;
259allow system_server input_device:chr_file rw_file_perms;
260allow system_server radio_device:chr_file r_file_perms;
261allow system_server tty_device:chr_file rw_file_perms;
262allow system_server usbaccessory_device:chr_file rw_file_perms;
263allow system_server video_device:dir r_dir_perms;
264allow system_server video_device:chr_file rw_file_perms;
265allow system_server adbd_socket:sock_file rw_file_perms;
266allow system_server rtc_device:chr_file rw_file_perms;
267allow system_server audio_device:dir r_dir_perms;
268
269# write access needed for MIDI
270allow system_server audio_device:chr_file rw_file_perms;
271
272# tun device used for 3rd party vpn apps
273allow system_server tun_device:chr_file rw_file_perms;
274
275# Manage system data files.
276allow system_server system_data_file:dir create_dir_perms;
277allow system_server system_data_file:notdevfile_class_set create_file_perms;
278allow system_server keychain_data_file:dir create_dir_perms;
279allow system_server keychain_data_file:file create_file_perms;
280allow system_server keychain_data_file:lnk_file create_file_perms;
281
282# Manage /data/app.
283allow system_server apk_data_file:dir create_dir_perms;
284allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
285allow system_server apk_tmp_file:dir create_dir_perms;
286allow system_server apk_tmp_file:file create_file_perms;
287
288# Manage /data/app-private.
289allow system_server apk_private_data_file:dir create_dir_perms;
290allow system_server apk_private_data_file:file create_file_perms;
291allow system_server apk_private_tmp_file:dir create_dir_perms;
292allow system_server apk_private_tmp_file:file create_file_perms;
293
294# Manage files within asec containers.
295allow system_server asec_apk_file:dir create_dir_perms;
296allow system_server asec_apk_file:file create_file_perms;
297allow system_server asec_public_file:file create_file_perms;
298
299# Manage /data/anr.
300allow system_server anr_data_file:dir create_dir_perms;
301allow system_server anr_data_file:file create_file_perms;
302
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]303# Read /data/misc/incidents - only read. The fd will be sent over binder,
304# with no DAC access to it, for dropbox to read.
305allow system_server incident_data_file:file read;
306
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]307# Manage /data/backup.
308allow system_server backup_data_file:dir create_dir_perms;
309allow system_server backup_data_file:file create_file_perms;
310
311# Write to /data/system/heapdump
312allow system_server heapdump_data_file:dir rw_dir_perms;
313allow system_server heapdump_data_file:file create_file_perms;
314
315# Manage /data/misc/adb.
316allow system_server adb_keys_file:dir create_dir_perms;
317allow system_server adb_keys_file:file create_file_perms;
318
319# Manage /data/misc/sms.
320# TODO: Split into a separate type?
321allow system_server radio_data_file:dir create_dir_perms;
322allow system_server radio_data_file:file create_file_perms;
323
324# Manage /data/misc/systemkeys.
325allow system_server systemkeys_data_file:dir create_dir_perms;
326allow system_server systemkeys_data_file:file create_file_perms;
327
328# Access /data/tombstones.
329allow system_server tombstone_data_file:dir r_dir_perms;
330allow system_server tombstone_data_file:file r_file_perms;
331
332# Manage /data/misc/vpn.
333allow system_server vpn_data_file:dir create_dir_perms;
334allow system_server vpn_data_file:file create_file_perms;
335
336# Manage /data/misc/wifi.
337allow system_server wifi_data_file:dir create_dir_perms;
338allow system_server wifi_data_file:file create_file_perms;
339
340# Manage /data/misc/zoneinfo.
341allow system_server zoneinfo_data_file:dir create_dir_perms;
342allow system_server zoneinfo_data_file:file create_file_perms;
343
344# Walk /data/data subdirectories.
345# Types extracted from seapp_contexts type= fields.
346allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
347# Also permit for unlabeled /data/data subdirectories and
348# for unlabeled asec containers on upgrades from 4.2.
349allow system_server unlabeled:dir r_dir_perms;
350# Read pkg.apk file before it has been relabeled by vold.
351allow system_server unlabeled:file r_file_perms;
352
353# Populate com.android.providers.settings/databases/settings.db.
354allow system_server system_app_data_file:dir create_dir_perms;
355allow system_server system_app_data_file:file create_file_perms;
356
357# Receive and use open app data files passed over binder IPC.
358# Types extracted from seapp_contexts type= fields.
359allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
360
361# Access to /data/media for measuring disk usage.
362allow system_server media_rw_data_file:dir { search getattr open read };
363
364# Receive and use open /data/media files passed over binder IPC.
365# Also used for measuring disk usage.
366allow system_server media_rw_data_file:file { getattr read write append };
367
368# Relabel apk files.
369allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
370allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
371
372# Relabel wallpaper.
373allow system_server system_data_file:file relabelfrom;
374allow system_server wallpaper_file:file relabelto;
375allow system_server wallpaper_file:file { rw_file_perms rename unlink };
376
377# Backup of wallpaper imagery uses temporary hard links to avoid data churn
378allow system_server { system_data_file wallpaper_file }:file link;
379
380# ShortcutManager icons
381allow system_server system_data_file:dir relabelfrom;
382allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
383allow system_server shortcut_manager_icons:file create_file_perms;
384
385# Manage ringtones.
386allow system_server ringtone_file:dir { create_dir_perms relabelto };
387allow system_server ringtone_file:file create_file_perms;
388
389# Relabel icon file.
390allow system_server icon_file:file relabelto;
391allow system_server icon_file:file { rw_file_perms unlink };
392
393# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
394allow system_server system_data_file:dir relabelfrom;
395
396# Property Service write
397set_prop(system_server, system_prop)
398set_prop(system_server, safemode_prop)
399set_prop(system_server, dhcp_prop)
400set_prop(system_server, net_radio_prop)
Nick Kralevich4e404292017-02-09 16:08:11 -0800[diff] [blame]401set_prop(system_server, net_dns_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]402set_prop(system_server, system_radio_prop)
403set_prop(system_server, debug_prop)
404set_prop(system_server, powerctl_prop)
405set_prop(system_server, fingerprint_prop)
406set_prop(system_server, device_logging_prop)
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]407set_prop(system_server, dumpstate_options_prop)
408set_prop(system_server, overlay_prop)
409userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
410
411# ctl interface
412set_prop(system_server, ctl_default_prop)
413set_prop(system_server, ctl_bugreport_prop)
414
415# cppreopt property
416set_prop(system_server, cppreopt_prop)
417
418# Collect metrics on boot time created by init
419get_prop(system_server, boottime_prop)
420
421# Read device's serial number from system properties
422get_prop(system_server, serialno_prop)
423
424# Read/write the property which keeps track of whether this is the first start of system_server
425set_prop(system_server, firstboot_prop)
426
427# Create a socket for receiving info from wpa.
428allow system_server wpa_socket:dir rw_dir_perms;
429allow system_server system_wpa_socket:sock_file create_file_perms;
430
431# Remove sockets created by wpa_supplicant
432allow system_server wpa_socket:sock_file unlink;
433
434# Create a socket for connections from debuggerd.
435allow system_server system_ndebug_socket:sock_file create_file_perms;
436
437# Manage cache files.
438allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
439allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
440allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
441
442allow system_server system_file:dir r_dir_perms;
443allow system_server system_file:lnk_file r_file_perms;
444
445# LocationManager(e.g, GPS) needs to read and write
446# to uart driver and ctrl proc entry
447allow system_server gps_control:file rw_file_perms;
448
449# Allow system_server to use app-created sockets and pipes.
450allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
451allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
452
453# Allow abstract socket connection
454allow system_server rild:unix_stream_socket connectto;
455
456# BackupManagerService needs to manipulate backup data files
457allow system_server cache_backup_file:dir rw_dir_perms;
458allow system_server cache_backup_file:file create_file_perms;
459# LocalTransport works inside /cache/backup
460allow system_server cache_private_backup_file:dir create_dir_perms;
461allow system_server cache_private_backup_file:file create_file_perms;
462
463# Allow system to talk to usb device
464allow system_server usb_device:chr_file rw_file_perms;
465allow system_server usb_device:dir r_dir_perms;
466
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]467# Read from HW RNG (needed by EntropyMixer).
468allow system_server hw_random_device:chr_file r_file_perms;
469
470# Read and delete files under /dev/fscklogs.
471r_dir_file(system_server, fscklogs)
472allow system_server fscklogs:dir { write remove_name };
473allow system_server fscklogs:file unlink;
474
475# logd access, system_server inherit logd write socket
476# (urge is to deprecate this long term)
477allow system_server zygote:unix_dgram_socket write;
478
479# Read from log daemon.
480read_logd(system_server)
481read_runtime_log_tags(system_server)
482
483# Be consistent with DAC permissions. Allow system_server to write to
484# /sys/module/lowmemorykiller/parameters/adj
485# /sys/module/lowmemorykiller/parameters/minfree
486allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
487
488# Read /sys/fs/pstore/console-ramoops
489# Don't worry about overly broad permissions for now, as there's
490# only one file in /sys/fs/pstore
491allow system_server pstorefs:dir r_dir_perms;
492allow system_server pstorefs:file r_file_perms;
493
494# /sys access
495allow system_server sysfs_zram:dir search;
496allow system_server sysfs_zram:file r_file_perms;
497
498add_service(system_server, system_server_service);
499allow system_server audioserver_service:service_manager find;
500allow system_server batteryproperties_service:service_manager find;
501allow system_server cameraserver_service:service_manager find;
502allow system_server drmserver_service:service_manager find;
503allow system_server dumpstate_service:service_manager find;
504allow system_server fingerprintd_service:service_manager find;
505allow system_server hal_fingerprint_service:service_manager find;
506allow system_server gatekeeper_service:service_manager find;
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]507allow system_server incident_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]508allow system_server installd_service:service_manager find;
509allow system_server keystore_service:service_manager find;
510allow system_server mediaserver_service:service_manager find;
511allow system_server mediametrics_service:service_manager find;
512allow system_server mediaextractor_service:service_manager find;
513allow system_server mediacodec_service:service_manager find;
514allow system_server mediadrmserver_service:service_manager find;
Chong Zhang72916412016-10-31 17:02:32 -0700[diff] [blame]515allow system_server mediacasserver_service:service_manager find;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]516allow system_server netd_service:service_manager find;
517allow system_server nfc_service:service_manager find;
518allow system_server radio_service:service_manager find;
519allow system_server surfaceflinger_service:service_manager find;
520allow system_server wificond_service:service_manager find;
521
522allow system_server keystore:keystore_key {
523 get_state
524 get
525 insert
526 delete
527 exist
528 list
529 reset
530 password
531 lock
532 unlock
533 is_empty
534 sign
535 verify
536 grant
537 duplicate
538 clear_uid
539 add_auth
540 user_changed
541};
542
543# Allow system server to search and write to the persistent factory reset
544# protection partition. This block device does not get wiped in a factory reset.
545allow system_server block_device:dir search;
546allow system_server frp_block_device:blk_file rw_file_perms;
547
548# Clean up old cgroups
549allow system_server cgroup:dir { remove_name rmdir };
550
551# /oem access
552r_dir_file(system_server, oemfs)
553
554# Allow resolving per-user storage symlinks
555allow system_server { mnt_user_file storage_file }:dir { getattr search };
556allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
557
558# Allow statfs() on storage devices, which happens fast enough that
559# we shouldn't be killed during unsafe removal
560allow system_server sdcard_type:dir { getattr search };
561
562# Traverse into expanded storage
563allow system_server mnt_expand_file:dir r_dir_perms;
564
565# Allow system process to relabel the fingerprint directory after mkdir
566# and delete the directory and files when no longer needed
567allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
568allow system_server fingerprintd_data_file:file { getattr unlink };
569
570# Allow system process to read network MAC address
571allow system_server sysfs_mac_address:file r_file_perms;
572
573userdebug_or_eng(`
574 # Allow system server to create and write method traces in /data/misc/trace.
575 allow system_server method_trace_data_file:dir w_dir_perms;
576 allow system_server method_trace_data_file:file { create w_file_perms };
577
578 # Allow system server to read dmesg
579 allow system_server kernel:system syslog_read;
580')
581
582# For AppFuse.
583allow system_server vold:fd use;
584allow system_server fuse_device:chr_file { read write ioctl getattr };
585allow system_server app_fuse_file:dir rw_dir_perms;
586allow system_server app_fuse_file:file { read write open getattr append };
587
588# For configuring sdcardfs
589allow system_server configfs:dir { create_dir_perms };
590allow system_server configfs:file { getattr open unlink write };
591
592# Connect to adbd and use a socket transferred from it.
593# Used for e.g. jdwp.
594allow system_server adbd:unix_stream_socket connectto;
595allow system_server adbd:fd use;
596allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
597
598# Allow invoking tools like "timeout"
599allow system_server toolbox_exec:file rx_file_perms;
600
601# Postinstall
602#
603# For OTA dexopt, allow calls coming from postinstall.
604binder_call(system_server, postinstall)
605
606allow system_server postinstall:fifo_file write;
607allow system_server update_engine:fd use;
608allow system_server update_engine:fifo_file write;
609
610# Access to /data/preloads
611allow system_server preloads_data_file:file { r_file_perms unlink };
612allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
Fyodor Kupolovb238fe62017-03-14 11:42:03 -0700[diff] [blame]613allow system_server preloads_media_file:file { r_file_perms unlink };
614allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]615
616r_dir_file(system_server, cgroup)
617allow system_server ion_device:chr_file r_file_perms;
618allow system_server hal_graphics_allocator:fd use;
619
620r_dir_file(system_server, proc)
621r_dir_file(system_server, proc_meminfo)
622r_dir_file(system_server, proc_net)
623r_dir_file(system_server, rootfs)
624r_dir_file(system_server, sysfs_type)
625
626# Allow system_server to make binder calls to hwservicemanager
627binder_call(system_server, hwservicemanager)
628
629### Rules needed when Light HAL runs inside system_server process.
630### These rules should eventually be granted only when needed.
631allow system_server sysfs_leds:lnk_file read;
632allow system_server sysfs_leds:file rw_file_perms;
633allow system_server sysfs_leds:dir r_dir_perms;
634###
635
mukesh agrawal723364f2017-02-22 18:01:00 -0800[diff] [blame]636# Allow WifiService to start, stop, and read wifi-specific trace events.
637allow system_server debugfs_tracing_instances:dir search;
638allow system_server debugfs_wifi_tracing:file rw_file_perms;
Alex Klyubin59322f12017-02-06 15:39:36 -0800[diff] [blame]639
640###
641### Neverallow rules
642###
643### system_server should NEVER do any of this
644
645# Do not allow opening files from external storage as unsafe ejection
646# could cause the kernel to kill the system_server.
647neverallow system_server sdcard_type:dir { open read write };
648neverallow system_server sdcard_type:file rw_file_perms;
649
650# system server should never be operating on zygote spawned app data
651# files directly. Rather, they should always be passed via a
652# file descriptor.
653# Types extracted from seapp_contexts type= fields, excluding
654# those types that system_server needs to open directly.
655neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
656
657# Forking and execing is inherently dangerous and racy. See, for
658# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
659# Prevent the addition of new file execs to stop the problem from
660# getting worse. b/28035297
661neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
662
663# Ensure that system_server doesn't perform any domain transitions other than
664# transitioning to the crash_dump domain when a crash occurs.
665neverallow system_server { domain -crash_dump }:process transition;
666neverallow system_server *:process dyntransition;
667
668# Only allow crash_dump to connect to system_ndebug_socket.
669neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
670
671# system_server should never be executing dex2oat. This is either
672# a bug (for example, bug 16317188), or represents an attempt by
673# system server to dynamically load a dex file, something we do not
674# want to allow.
675neverallow system_server dex2oat_exec:file no_x_file_perms;
676
677# system_server should never execute or load executable shared libraries
678# in /data except for /data/dalvik-cache files.
679neverallow system_server {
680 data_file_type
681 -dalvikcache_data_file #mapping with PROT_EXEC
682}:file no_x_file_perms;
683
684# The only block device system_server should be accessing is
685# the frp_block_device. This helps avoid a system_server to root
686# escalation by writing to raw block devices.
687neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
688
689# system_server should never use JIT functionality
690neverallow system_server self:process execmem;
691neverallow system_server ashmem_device:chr_file execute;
692
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]693# TODO: deal with tmpfs_domain pub/priv split properly
Nick Kralevichb56e6ef2016-12-09 20:14:31 -0800[diff] [blame]694neverallow system_server system_server_tmpfs:file execute;
Calin Juravlee5a1f642017-01-17 20:31:31 -0800[diff] [blame]695
696# dexoptanalyzer is currently used only for secondary dex files which
697# system_server should never access.
698neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;