#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# Review notes (comments only): several rules below are wider than the
# comment that introduces them, or gate operations that affect the whole
# device (module loading, policy updates, reboot, keystore reset, raw block
# device access). Those rules are marked so that future additions are held
# to the same scrutiny; no rule has been changed.
#
# mlstrustedsubject: exempt from MLS constraints, i.e. may access objects
# at any MLS level.
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# execmem permits executable anonymous / writable private mappings (the JIT
# code cache), so W^X does not hold for this domain; the ashmem and tmpfs
# execute rules cover the JIT's file-backed code mappings.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Limited to self; ptrace of other domains is not granted (see the
# sys_ptrace dontaudit below).
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
# sys_module (together with the module_request rule below), sys_boot and
# sys_time are device-wide capabilities; any addition to this set should be
# justified against the specific service that needs it.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow system_server kernel:process setsched;

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
r_dir_file(system_server, domain)

# Write to /proc/pid/oom_adj_score for apps.
# NOTE(review): broader than the comment. /proc/pid entries carry the
# process's domain label, so this grants write on every writable
# appdomain-labeled /proc/pid file, not only oom_adj_score.
allow system_server appdomain:file write;

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
# sysrq actions include rebooting and crashing the kernel, so this is
# effectively a reboot capability for the domain.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
# NOTE(review): broader than the comment; debugfs is the generic label, so
# this is read access to any debugfs file.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
# (raw link-layer sockets; pairs with the net_raw capability above).
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# NOTE(review): the first rule is read/write on every sysfs attribute that
# still carries the generic sysfs label; the two specific types below show
# the intended direction (label what system_server writes, then drop the
# generic rule).
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
# notdevfile_class_set covers every non-device file class (regular file,
# symlink, socket, fifo), so symlinks under system_data_file are included.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read from /data/dalvik-cache/profiles
# (the rules grant read/write on the directory and create on files, not
# just read as the comment says).
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# Read-only: no write or relabel on unlabeled objects is granted here.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# No open permission here: the descriptor must arrive from the app.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
# powerctl_prop presumably drives init's power actions (reboot/shutdown);
# treat additions to this list as privilege grants, not configuration.
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
allow system_server fingerprint_prop:property_service set;

# ctl interface
# ctl.* properties ask init to start/stop the named services.
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Specify any arguments to zygote.
# These permissions let system_server choose the uid/gid, rlimits and
# seinfo (hence the SELinux domain) of the app processes zygote forks;
# they are what make system_server the trust root for app sandboxing.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
# Any system_file-labeled binary, not only dexopt.
allow system_server system_file:file x_file_perms;

# LocationManager (e.g., GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
# No create/bind/connect: only sockets and pipes handed over by the app.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:fifo_file { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
# Read-only by design; the domain must not be able to write to the RNG.
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
# Policy-update path: whatever that receiver accepts as input presumably
# becomes loaded policy, so its input validation is the trust boundary for
# every rule in this file.
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

allow system_server system_server_service:service_manager add;

# Full keystore command set, including the destructive ones (reset, delete,
# clear_uid) and the per-uid grant/duplicate operations.
allow system_server keystore:keystore_key {
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
    reset_uid
    sync_uid
    password_uid
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# Raw read/write on a block device; confined to the frp type, the generic
# block_device type only gets dir search.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access
r_dir_file(system_server, oemfs)

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
neverallow system_server sdcard_type:file rw_file_perms;