1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5 6typeattribute system_server coredomain; 7typeattribute system_server domain_deprecated; 8typeattribute system_server mlstrustedsubject; 9 10# Define a type for tmpfs-backed ashmem regions. 11tmpfs_domain(system_server) 12 13# Create a socket for connections from crash_dump. 14type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 15 16allow system_server zygote_tmpfs:file read; 17 18# For art. 19allow system_server dalvikcache_data_file:dir r_dir_perms; 20allow system_server dalvikcache_data_file:file { r_file_perms execute }; 21userdebug_or_eng(` 22 # Report dalvikcache_data_file:file execute violations. 23 auditallow system_server dalvikcache_data_file:file execute; 24') 25 26# /data/resource-cache 27allow system_server resourcecache_data_file:file r_file_perms; 28allow system_server resourcecache_data_file:dir r_dir_perms; 29 30# ptrace to processes in the same domain for debugging crashes. 31allow system_server self:process ptrace; 32 33# Read and delete last_reboot_reason file 34allow system_server reboot_data_file:file { rename r_file_perms unlink }; 35allow system_server reboot_data_file:dir { write search open remove_name }; 36 37# Child of the zygote. 38allow system_server zygote:fd use; 39allow system_server zygote:process sigchld; 40 41# May kill zygote on crashes. 42allow system_server zygote:process sigkill; 43allow system_server crash_dump:process sigkill; 44 45# Read /system/bin/app_process. 46allow system_server zygote_exec:file r_file_perms; 47 48# Needed to close the zygote socket, which involves getopt / getattr 49allow system_server zygote:unix_stream_socket { getopt getattr }; 50 51# system server gets network and bluetooth permissions. 52net_domain(system_server) 53# in addition to ioctls allowlisted for all domains, also allow system_server 54# to use privileged ioctls commands. Needed to set up VPNs. 55allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 56bluetooth_domain(system_server) 57 58# These are the capabilities assigned by the zygote to the 59# system server. 60allow system_server self:capability { 61 ipc_lock 62 kill 63 net_admin 64 net_bind_service 65 net_broadcast 66 net_raw 67 sys_boot 68 sys_nice 69 sys_ptrace 70 sys_time 71 sys_tty_config 72}; 73 74wakelock_use(system_server) 75 76# Trigger module auto-load. 77allow system_server kernel:system module_request; 78 79# Allow alarmtimers to be set 80allow system_server self:capability2 wake_alarm; 81 82# Use netlink uevent sockets. 83allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 84 85# Use generic netlink sockets. 86allow system_server self:netlink_socket create_socket_perms_no_ioctl; 87allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 88 89# libvintf reads the kernel config to verify vendor interface compatibility. 90allow system_server config_gz:file { read open }; 91 92# Use generic "sockets" where the address family is not known 93# to the kernel. The ioctl permission is specifically omitted here, but may 94# be added to device specific policy along with the ioctl commands to be 95# allowlisted. 96allow system_server self:socket create_socket_perms_no_ioctl; 97 98# Set and get routes directly via netlink. 99allow system_server self:netlink_route_socket nlmsg_write; 100 101# Kill apps. 102allow system_server appdomain:process { sigkill signal }; 103 104# Set scheduling info for apps. 105allow system_server appdomain:process { getsched setsched }; 106allow system_server audioserver:process { getsched setsched }; 107allow system_server hal_audio:process { getsched setsched }; 108allow system_server hal_bluetooth:process { getsched setsched }; 109allow system_server cameraserver:process { getsched setsched }; 110allow system_server hal_camera:process { getsched setsched }; 111allow system_server mediaserver:process { getsched setsched }; 112allow system_server bootanim:process { getsched setsched }; 113 114# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 115# within system_server to keep track of memory and CPU usage for 116# all processes on the device. In addition, /proc/pid files access is needed 117# for dumping stack traces of native processes. 118r_dir_file(system_server, domain) 119 120# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. 121allow system_server qtaguid_proc:file rw_file_perms; 122allow system_server qtaguid_device:chr_file rw_file_perms; 123 124# Read /proc/uid_cputime/show_uid_stat. 125allow system_server proc_uid_cputime_showstat:file r_file_perms; 126 127# Write /proc/uid_cputime/remove_uid_range. 128allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 129 130# Write /proc/uid_procstat/set. 131allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 132 133# Write to /proc/sysrq-trigger. 134allow system_server proc_sysrq:file rw_file_perms; 135 136# Read /proc/stat for CPU usage statistics 137allow system_server proc_stat:file r_file_perms; 138 139# Read /sys/kernel/debug/wakeup_sources. 140allow system_server debugfs:file r_file_perms; 141 142# The DhcpClient and WifiWatchdog use packet_sockets 143allow system_server self:packet_socket create_socket_perms_no_ioctl; 144 145# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same 146# as raw sockets, but the kernel doesn't yet distinguish between the two. 147allow system_server node:rawip_socket node_bind; 148 149# 3rd party VPN clients require a tun_socket to be created 150allow system_server self:tun_socket create_socket_perms_no_ioctl; 151 152# Talk to init and various daemons via sockets. 153unix_socket_connect(system_server, lmkd, lmkd) 154unix_socket_connect(system_server, mtpd, mtp) 155unix_socket_connect(system_server, netd, netd) 156unix_socket_connect(system_server, vold, vold) 157unix_socket_connect(system_server, webview_zygote, webview_zygote) 158unix_socket_connect(system_server, zygote, zygote) 159unix_socket_connect(system_server, racoon, racoon) 160unix_socket_connect(system_server, uncrypt, uncrypt) 161 162# Communicate over a socket created by surfaceflinger. 163allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 164 165# Perform Binder IPC. 166binder_use(system_server) 167binder_call(system_server, appdomain) 168binder_call(system_server, binderservicedomain) 169binder_call(system_server, dumpstate) 170binder_call(system_server, fingerprintd) 171binder_call(system_server, gatekeeperd) 172binder_call(system_server, installd) 173binder_call(system_server, incidentd) 174binder_call(system_server, netd) 175binder_call(system_server, wificond) 176binder_service(system_server) 177 178# Use HALs 179hal_client_domain(system_server, hal_allocator) 180hal_client_domain(system_server, hal_contexthub) 181hal_client_domain(system_server, hal_fingerprint) 182hal_client_domain(system_server, hal_gnss) 183hal_client_domain(system_server, hal_graphics_allocator) 184hal_client_domain(system_server, hal_ir) 185hal_client_domain(system_server, hal_light) 186hal_client_domain(system_server, hal_memtrack) 187hal_client_domain(system_server, hal_oemlock) 188allow system_server hal_omx_hwservice:hwservice_manager find; 189allow system_server hidl_token_hwservice:hwservice_manager find; 190hal_client_domain(system_server, hal_power) 191hal_client_domain(system_server, hal_sensors) 192hal_client_domain(system_server, hal_tetheroffload) 193hal_client_domain(system_server, hal_thermal) 194hal_client_domain(system_server, hal_tv_cec) 195hal_client_domain(system_server, hal_tv_input) 196hal_client_domain(system_server, hal_usb) 197hal_client_domain(system_server, hal_vibrator) 198hal_client_domain(system_server, hal_vr) 199hal_client_domain(system_server, hal_weaver) 200hal_client_domain(system_server, hal_wifi) 201hal_client_domain(system_server, hal_wifi_offload) 202hal_client_domain(system_server, hal_wifi_supplicant) 203 204binder_call(system_server, mediacodec) 205 206# Talk with graphics composer fences 207allow system_server hal_graphics_composer:fd use; 208 209# Use RenderScript always-passthrough HAL 210allow system_server hal_renderscript_hwservice:hwservice_manager find; 211 212# Offer HwBinder services 213add_hwservice(system_server, fwk_scheduler_hwservice) 214add_hwservice(system_server, fwk_sensor_hwservice) 215 216# Talk to tombstoned to get ANR traces. 217unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 218 219# List HAL interfaces to get ANR traces. 220allow system_server hwservicemanager:hwservice_manager list; 221 222# Send signals to trigger ANR traces. 223allow system_server { 224 # This is derived from the list that system server defines as interesting native processes 225 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 226 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 227 audioserver 228 cameraserver 229 drmserver 230 inputflinger 231 mediadrmserver 232 mediaextractor 233 mediaserver 234 mediametrics 235 sdcardd 236 surfaceflinger 237 238 # This list comes from HAL_INTERFACES_OF_INTEREST in 239 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 240 hal_audio_server 241 hal_bluetooth_server 242 hal_camera_server 243 hal_graphics_composer_server 244 hal_vr_server 245 mediacodec # TODO(b/36375899): hal_omx_server 246}:process { signal }; 247 248# Use sockets received over binder from various services. 249allow system_server audioserver:tcp_socket rw_socket_perms; 250allow system_server audioserver:udp_socket rw_socket_perms; 251allow system_server mediaserver:tcp_socket rw_socket_perms; 252allow system_server mediaserver:udp_socket rw_socket_perms; 253 254# Use sockets received over binder from various services. 255allow system_server mediadrmserver:tcp_socket rw_socket_perms; 256allow system_server mediadrmserver:udp_socket rw_socket_perms; 257 258# Get file context 259allow system_server file_contexts_file:file r_file_perms; 260# access for mac_permissions 261allow system_server mac_perms_file: file r_file_perms; 262# Check SELinux permissions. 263selinux_check_access(system_server) 264 265# XXX Label sysfs files with a specific type? 266allow system_server sysfs:file rw_file_perms; 267allow system_server sysfs_nfc_power_writable:file rw_file_perms; 268allow system_server sysfs_devices_system_cpu:file w_file_perms; 269allow system_server sysfs_mac_address:file r_file_perms; 270allow system_server sysfs_thermal:dir search; 271allow system_server sysfs_thermal:file r_file_perms; 272 273# TODO: Remove when HALs are forced into separate processes 274allow system_server sysfs_vibrator:file { write append }; 275 276# TODO: added to match above sysfs rule. Remove me? 277allow system_server sysfs_usb:file w_file_perms; 278 279# Access devices. 280allow system_server device:dir r_dir_perms; 281allow system_server mdns_socket:sock_file rw_file_perms; 282allow system_server alarm_device:chr_file rw_file_perms; 283allow system_server gpu_device:chr_file rw_file_perms; 284allow system_server iio_device:chr_file rw_file_perms; 285allow system_server input_device:dir r_dir_perms; 286allow system_server input_device:chr_file rw_file_perms; 287allow system_server radio_device:chr_file r_file_perms; 288allow system_server tty_device:chr_file rw_file_perms; 289allow system_server usbaccessory_device:chr_file rw_file_perms; 290allow system_server video_device:dir r_dir_perms; 291allow system_server video_device:chr_file rw_file_perms; 292allow system_server adbd_socket:sock_file rw_file_perms; 293allow system_server rtc_device:chr_file rw_file_perms; 294allow system_server audio_device:dir r_dir_perms; 295 296# write access needed for MIDI 297allow system_server audio_device:chr_file rw_file_perms; 298 299# tun device used for 3rd party vpn apps 300allow system_server tun_device:chr_file rw_file_perms; 301 302# Manage system data files. 303allow system_server system_data_file:dir create_dir_perms; 304allow system_server system_data_file:notdevfile_class_set create_file_perms; 305allow system_server keychain_data_file:dir create_dir_perms; 306allow system_server keychain_data_file:file create_file_perms; 307allow system_server keychain_data_file:lnk_file create_file_perms; 308 309# Manage /data/app. 310allow system_server apk_data_file:dir create_dir_perms; 311allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; 312allow system_server apk_tmp_file:dir create_dir_perms; 313allow system_server apk_tmp_file:file create_file_perms; 314 315# Access /vendor/app 316r_dir_file(system_server, vendor_app_file) 317 318# Access /vendor/app 319r_dir_file(system_server, vendor_overlay_file) 320 321# Manage /data/app-private. 322allow system_server apk_private_data_file:dir create_dir_perms; 323allow system_server apk_private_data_file:file create_file_perms; 324allow system_server apk_private_tmp_file:dir create_dir_perms; 325allow system_server apk_private_tmp_file:file create_file_perms; 326 327# Manage files within asec containers. 328allow system_server asec_apk_file:dir create_dir_perms; 329allow system_server asec_apk_file:file create_file_perms; 330allow system_server asec_public_file:file create_file_perms; 331 332# Manage /data/anr. 333allow system_server anr_data_file:dir create_dir_perms; 334allow system_server anr_data_file:file create_file_perms; 335 336# Read /data/misc/incidents - only read. The fd will be sent over binder, 337# with no DAC access to it, for dropbox to read. 338allow system_server incident_data_file:file read; 339 340# Manage /data/backup. 341allow system_server backup_data_file:dir create_dir_perms; 342allow system_server backup_data_file:file create_file_perms; 343 344# Write to /data/system/heapdump 345allow system_server heapdump_data_file:dir rw_dir_perms; 346allow system_server heapdump_data_file:file create_file_perms; 347 348# Manage /data/misc/adb. 349allow system_server adb_keys_file:dir create_dir_perms; 350allow system_server adb_keys_file:file create_file_perms; 351 352# Manage /data/misc/sms. 353# TODO: Split into a separate type? 354allow system_server radio_data_file:dir create_dir_perms; 355allow system_server radio_data_file:file create_file_perms; 356 357# Manage /data/misc/systemkeys. 358allow system_server systemkeys_data_file:dir create_dir_perms; 359allow system_server systemkeys_data_file:file create_file_perms; 360 361# Manage /data/misc/textclassifier. 362allow system_server textclassifier_data_file:dir create_dir_perms; 363allow system_server textclassifier_data_file:file create_file_perms; 364 365# Access /data/tombstones. 366allow system_server tombstone_data_file:dir r_dir_perms; 367allow system_server tombstone_data_file:file r_file_perms; 368 369# Manage /data/misc/vpn. 370allow system_server vpn_data_file:dir create_dir_perms; 371allow system_server vpn_data_file:file create_file_perms; 372 373# Manage /data/misc/wifi. 374allow system_server wifi_data_file:dir create_dir_perms; 375allow system_server wifi_data_file:file create_file_perms; 376 377# Manage /data/misc/zoneinfo. 378allow system_server zoneinfo_data_file:dir create_dir_perms; 379allow system_server zoneinfo_data_file:file create_file_perms; 380 381# Walk /data/data subdirectories. 382# Types extracted from seapp_contexts type= fields. 383allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; 384# Also permit for unlabeled /data/data subdirectories and 385# for unlabeled asec containers on upgrades from 4.2. 386allow system_server unlabeled:dir r_dir_perms; 387# Read pkg.apk file before it has been relabeled by vold. 388allow system_server unlabeled:file r_file_perms; 389 390# Populate com.android.providers.settings/databases/settings.db. 391allow system_server system_app_data_file:dir create_dir_perms; 392allow system_server system_app_data_file:file create_file_perms; 393 394# Receive and use open app data files passed over binder IPC. 395# Types extracted from seapp_contexts type= fields. 396allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append }; 397 398# Access to /data/media for measuring disk usage. 399allow system_server media_rw_data_file:dir { search getattr open read }; 400 401# Receive and use open /data/media files passed over binder IPC. 402# Also used for measuring disk usage. 403allow system_server media_rw_data_file:file { getattr read write append }; 404 405# Relabel apk files. 406allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 407allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 408 409# Relabel wallpaper. 410allow system_server system_data_file:file relabelfrom; 411allow system_server wallpaper_file:file relabelto; 412allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 413 414# Backup of wallpaper imagery uses temporary hard links to avoid data churn 415allow system_server { system_data_file wallpaper_file }:file link; 416 417# ShortcutManager icons 418allow system_server system_data_file:dir relabelfrom; 419allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 420allow system_server shortcut_manager_icons:file create_file_perms; 421 422# Manage ringtones. 423allow system_server ringtone_file:dir { create_dir_perms relabelto }; 424allow system_server ringtone_file:file create_file_perms; 425 426# Relabel icon file. 427allow system_server icon_file:file relabelto; 428allow system_server icon_file:file { rw_file_perms unlink }; 429 430# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 431allow system_server system_data_file:dir relabelfrom; 432 433# Property Service write 434set_prop(system_server, system_prop) 435set_prop(system_server, safemode_prop) 436set_prop(system_server, dhcp_prop) 437set_prop(system_server, net_radio_prop) 438set_prop(system_server, net_dns_prop) 439set_prop(system_server, system_radio_prop) 440set_prop(system_server, debug_prop) 441set_prop(system_server, powerctl_prop) 442set_prop(system_server, fingerprint_prop) 443set_prop(system_server, device_logging_prop) 444set_prop(system_server, dumpstate_options_prop) 445set_prop(system_server, overlay_prop) 446userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 447 448# ctl interface 449set_prop(system_server, ctl_default_prop) 450set_prop(system_server, ctl_bugreport_prop) 451 452# cppreopt property 453set_prop(system_server, cppreopt_prop) 454 455# Collect metrics on boot time created by init 456get_prop(system_server, boottime_prop) 457 458# Read device's serial number from system properties 459get_prop(system_server, serialno_prop) 460 461# Read/write the property which keeps track of whether this is the first start of system_server 462set_prop(system_server, firstboot_prop) 463 464# Create a socket for connections from debuggerd. 465allow system_server system_ndebug_socket:sock_file create_file_perms; 466 467# Manage cache files. 468allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; 469allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; 470allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; 471 472allow system_server system_file:dir r_dir_perms; 473allow system_server system_file:lnk_file r_file_perms; 474 475# LocationManager(e.g, GPS) needs to read and write 476# to uart driver and ctrl proc entry 477allow system_server gps_control:file rw_file_perms; 478 479# Allow system_server to use app-created sockets and pipes. 480allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 481allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 482 483# BackupManagerService needs to manipulate backup data files 484allow system_server cache_backup_file:dir rw_dir_perms; 485allow system_server cache_backup_file:file create_file_perms; 486# LocalTransport works inside /cache/backup 487allow system_server cache_private_backup_file:dir create_dir_perms; 488allow system_server cache_private_backup_file:file create_file_perms; 489 490# Allow system to talk to usb device 491allow system_server usb_device:chr_file rw_file_perms; 492allow system_server usb_device:dir r_dir_perms; 493 494# Read from HW RNG (needed by EntropyMixer). 495allow system_server hw_random_device:chr_file r_file_perms; 496 497# Read and delete files under /dev/fscklogs. 498r_dir_file(system_server, fscklogs) 499allow system_server fscklogs:dir { write remove_name }; 500allow system_server fscklogs:file unlink; 501 502# logd access, system_server inherit logd write socket 503# (urge is to deprecate this long term) 504allow system_server zygote:unix_dgram_socket write; 505 506# Read from log daemon. 507read_logd(system_server) 508read_runtime_log_tags(system_server) 509 510# Be consistent with DAC permissions. Allow system_server to write to 511# /sys/module/lowmemorykiller/parameters/adj 512# /sys/module/lowmemorykiller/parameters/minfree 513allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 514 515# Read /sys/fs/pstore/console-ramoops 516# Don't worry about overly broad permissions for now, as there's 517# only one file in /sys/fs/pstore 518allow system_server pstorefs:dir r_dir_perms; 519allow system_server pstorefs:file r_file_perms; 520 521# /sys access 522allow system_server sysfs_zram:dir search; 523allow system_server sysfs_zram:file r_file_perms; 524 525add_service(system_server, system_server_service); 526allow system_server audioserver_service:service_manager find; 527allow system_server batteryproperties_service:service_manager find; 528allow system_server cameraserver_service:service_manager find; 529allow system_server drmserver_service:service_manager find; 530allow system_server dumpstate_service:service_manager find; 531allow system_server fingerprintd_service:service_manager find; 532allow system_server hal_fingerprint_service:service_manager find; 533allow system_server gatekeeper_service:service_manager find; 534allow system_server incident_service:service_manager find; 535allow system_server installd_service:service_manager find; 536allow system_server keystore_service:service_manager find; 537allow system_server mediaserver_service:service_manager find; 538allow system_server mediametrics_service:service_manager find; 539allow system_server mediaextractor_service:service_manager find; 540allow system_server mediacodec_service:service_manager find; 541allow system_server mediadrmserver_service:service_manager find; 542allow system_server mediacasserver_service:service_manager find; 543allow system_server netd_service:service_manager find; 544allow system_server nfc_service:service_manager find; 545allow system_server radio_service:service_manager find; 546allow system_server surfaceflinger_service:service_manager find; 547allow system_server wificond_service:service_manager find; 548 549allow system_server keystore:keystore_key { 550 get_state 551 get 552 insert 553 delete 554 exist 555 list 556 reset 557 password 558 lock 559 unlock 560 is_empty 561 sign 562 verify 563 grant 564 duplicate 565 clear_uid 566 add_auth 567 user_changed 568}; 569 570# Allow system server to search and write to the persistent factory reset 571# protection partition. This block device does not get wiped in a factory reset. 572allow system_server block_device:dir search; 573allow system_server frp_block_device:blk_file rw_file_perms; 574 575# Clean up old cgroups 576allow system_server cgroup:dir { remove_name rmdir }; 577 578# /oem access 579r_dir_file(system_server, oemfs) 580 581# Allow resolving per-user storage symlinks 582allow system_server { mnt_user_file storage_file }:dir { getattr search }; 583allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 584 585# Allow statfs() on storage devices, which happens fast enough that 586# we shouldn't be killed during unsafe removal 587allow system_server sdcard_type:dir { getattr search }; 588 589# Traverse into expanded storage 590allow system_server mnt_expand_file:dir r_dir_perms; 591 592# Allow system process to relabel the fingerprint directory after mkdir 593# and delete the directory and files when no longer needed 594allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; 595allow system_server fingerprintd_data_file:file { getattr unlink }; 596 597# Allow system process to read network MAC address 598allow system_server sysfs_mac_address:file r_file_perms; 599 600userdebug_or_eng(` 601 # Allow system server to create and write method traces in /data/misc/trace. 602 allow system_server method_trace_data_file:dir w_dir_perms; 603 allow system_server method_trace_data_file:file { create w_file_perms }; 604 605 # Allow system server to read dmesg 606 allow system_server kernel:system syslog_read; 607') 608 609# For AppFuse. 610allow system_server vold:fd use; 611allow system_server fuse_device:chr_file { read write ioctl getattr }; 612allow system_server app_fuse_file:dir rw_dir_perms; 613allow system_server app_fuse_file:file { read write open getattr append }; 614 615# For configuring sdcardfs 616allow system_server configfs:dir { create_dir_perms }; 617allow system_server configfs:file { getattr open unlink write }; 618 619# Connect to adbd and use a socket transferred from it. 620# Used for e.g. jdwp. 621allow system_server adbd:unix_stream_socket connectto; 622allow system_server adbd:fd use; 623allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; 624 625# Allow invoking tools like "timeout" 626allow system_server toolbox_exec:file rx_file_perms; 627 628# Postinstall 629# 630# For OTA dexopt, allow calls coming from postinstall. 631binder_call(system_server, postinstall) 632 633allow system_server postinstall:fifo_file write; 634allow system_server update_engine:fd use; 635allow system_server update_engine:fifo_file write; 636 637# Access to /data/preloads 638allow system_server preloads_data_file:file { r_file_perms unlink }; 639allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir }; 640allow system_server preloads_media_file:file { r_file_perms unlink }; 641allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir }; 642 643r_dir_file(system_server, cgroup) 644allow system_server ion_device:chr_file r_file_perms; 645 646r_dir_file(system_server, proc) 647r_dir_file(system_server, proc_meminfo) 648r_dir_file(system_server, proc_net) 649r_dir_file(system_server, rootfs) 650r_dir_file(system_server, sysfs_type) 651 652### Rules needed when Light HAL runs inside system_server process. 653### These rules should eventually be granted only when needed. 654allow system_server sysfs_leds:lnk_file read; 655allow system_server sysfs_leds:file rw_file_perms; 656allow system_server sysfs_leds:dir r_dir_perms; 657### 658 659# Allow WifiService to start, stop, and read wifi-specific trace events. 660allow system_server debugfs_tracing_instances:dir search; 661allow system_server debugfs_wifi_tracing:file rw_file_perms; 662 663# allow system_server to exec shell on ASAN builds. Needed to run 664# asanwrapper. 665with_asan(` 666 allow system_server shell_exec:file rx_file_perms; 667') 668 669### 670### Neverallow rules 671### 672### system_server should NEVER do any of this 673 674# Do not allow opening files from external storage as unsafe ejection 675# could cause the kernel to kill the system_server. 676neverallow system_server sdcard_type:dir { open read write }; 677neverallow system_server sdcard_type:file rw_file_perms; 678 679# system server should never be operating on zygote spawned app data 680# files directly. Rather, they should always be passed via a 681# file descriptor. 682# Types extracted from seapp_contexts type= fields, excluding 683# those types that system_server needs to open directly. 684neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link }; 685 686# Forking and execing is inherently dangerous and racy. See, for 687# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them 688# Prevent the addition of new file execs to stop the problem from 689# getting worse. b/28035297 690neverallow system_server { 691 file_type 692 -toolbox_exec 693 -logcat_exec 694 with_asan(`-shell_exec') 695}:file execute_no_trans; 696 697# Ensure that system_server doesn't perform any domain transitions other than 698# transitioning to the crash_dump domain when a crash occurs. 699neverallow system_server { domain -crash_dump }:process transition; 700neverallow system_server *:process dyntransition; 701 702# Only allow crash_dump to connect to system_ndebug_socket. 703neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; 704 705# system_server should never be executing dex2oat. This is either 706# a bug (for example, bug 16317188), or represents an attempt by 707# system server to dynamically load a dex file, something we do not 708# want to allow. 709neverallow system_server dex2oat_exec:file no_x_file_perms; 710 711# system_server should never execute or load executable shared libraries 712# in /data except for /data/dalvik-cache files. 713neverallow system_server { 714 data_file_type 715 -dalvikcache_data_file #mapping with PROT_EXEC 716}:file no_x_file_perms; 717 718# The only block device system_server should be accessing is 719# the frp_block_device. This helps avoid a system_server to root 720# escalation by writing to raw block devices. 721neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; 722 723# system_server should never use JIT functionality 724neverallow system_server self:process execmem; 725neverallow system_server ashmem_device:chr_file execute; 726 727# TODO: deal with tmpfs_domain pub/priv split properly 728neverallow system_server system_server_tmpfs:file execute; 729 730# dexoptanalyzer is currently used only for secondary dex files which 731# system_server should never access. 732neverallow system_server dexoptanalyzer_exec:file no_x_file_perms; 733 734# No ptracing others 735neverallow system_server { domain -system_server }:process ptrace; 736 737# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID 738# file read access. However, that is now unnecessary (b/34951864) 739# This neverallow can be removed after b/34951864 is fixed. 740neverallow system_server system_server:capability sys_resource; 741