1#
# Policy for the system server (system_server), which is forked from the zygote
# rather than exec'd. Most of the Android framework services run in this process,
# so it is one of the most privileged domains on the device.
4#
# The system_server process type. "domain" marks it as a process type;
# "mlstrustedsubject" exempts it from MLS range constraints, so the
# permissions granted below apply regardless of the target's MLS level.
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions (system_server_tmpfs,
# referenced by the JIT rules below).
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# Together these three rules allow system_server to execute memory it can
# also write (anonymous/private mappings, ashmem, and its own tmpfs
# regions). The JIT needs this, but it also means a memory-corruption bug
# in this process can be turned into code execution; do not widen them.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art: execute compiled code from the dalvik cache.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache (read-only)
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to "self": this does not permit tracing any other domain.
allow system_server self:process ptrace;

# Child of the zygote: inherit its descriptors, deliver SIGCHLD to it
# and read its tmpfs regions.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server. The most consequential are sys_module (load kernel
# modules), sys_boot (reboot), net_admin/net_raw (configure interfaces,
# send raw packets) and sys_time (set the clock). Every addition to this
# list widens the kernel attack surface reachable from system_server and
# should name the code path that needs it.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
# dontaudit only silences the denial in the audit log; the access is
# still refused.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps (any process in the appdomain attribute).
allow system_server appdomain:process { sigkill signal };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
# TODO(review): confirm from audit logs whether anything still exercises
# this rule and remove it if not.
allow system_server kernel:process setsched;

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
# The target is the "domain" attribute, i.e. every process type on the
# device, so this is read access to every process's /proc/<pid> entries.
r_dir_file(system_server, domain)

# Write to /proc/pid/oom_score_adj for apps.
# The rule is keyed on the app's process label, so it permits writing any
# /proc/<pid> file of an app process that is writable, not only
# oom_score_adj.
allow system_server appdomain:file write;

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
# This is a device-wide control (sync, reboot, crash, kill-all, ...).
# rw_file_perms is broader than the write the comment describes; reading
# the trigger yields nothing, so w_file_perms presumably suffices —
# TODO(review) confirm and tighten.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
# Note this is read access to any debugfs file, not just wakeup_sources.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket (raw link-layer frames; relies on the
# net_raw capability granted above).
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC: act as a client of the binder services and of
# apps/dumpstate, and register services itself.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions (ask the kernel for access decisions).
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# The first rule grants read/write on every sysfs node that has not been
# given a more specific label. Until those nodes are labeled this is,
# in effect, write access to most of /sys.
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files (all non-device file classes under
# system_data_file, plus the keychain).
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read and write /data/dalvik-cache/profiles (the rules grant create
# as well as read, despite the historical "read" wording).
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb (the adb authorized-keys store; writers here can
# authorize new adb hosts).
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO:  Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones (read-only).
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories (list and traverse only; no write).
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# Compatibility carve-out: anything on the device that never received a
# label, or lost it, is readable by system_server. Worth removing once
# upgrades from pre-labeling releases no longer need to be supported.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# Deliberately no "open": system_server can only use descriptors an app
# hands it, not open app-private files by path on its own.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC
# (again descriptor-only, no "open").
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write.
# powerctl_prop is the property init acts on for reboot/shutdown, so it
# is a high-impact setter alongside the ctl.* properties below.
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;

# ctl interface: init's ctl.* properties, used to start and stop
# services. Setting them amounts to controlling the named daemons.
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
# The type_transitions give the socket its own type (system_wpa_socket)
# instead of inheriting the directory's label.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
# Name-based transition: only a sock_file literally named "ndebugsocket"
# gets the system_ndebug_socket type.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Specify any arguments to zygote.
# These let system_server tell the zygote which uid/gid, rlimits and
# seinfo to launch a child with, i.e. system_server decides the identity
# and SELinux label of every app it asks the zygote to spawn.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;

# LocationManager (e.g. GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
# Descriptor-only: no create/bind/connect, so these must already have
# been passed over by the app.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:fifo_file { getattr read write };

# Allow abstract socket connection to rild.
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver.
# Presumably this is what lets a policy update be installed at runtime;
# whatever reaches that code path can change the rules in this file.
selinux_manage_policy(system_server)

# logd access: system_server inherits the logd write socket from the
# zygote and this rule lets it keep writing on it.
# (Slated for deprecation; prefer the logd interfaces directly.)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# Register system_server's own services with servicemanager.
allow system_server system_server_service:service_manager add;

# Full control of keystore: beyond sign/verify this includes reset,
# password, grant and the per-uid clear/reset/sync operations. A
# compromise of system_server is therefore a compromise of the keys
# keystore holds on behalf of other uids.
allow system_server keystore:keystore_key {
	test
	get
	insert
	delete
	exist
	saw
	reset
	password
	lock
	unlock
	zero
	sign
	verify
	grant
	duplicate
	clear_uid
	reset_uid
	sync_uid
	password_uid
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# Because its contents survive a reset, whatever is written here is
# trusted across device lifetimes; keep the set of writers minimal.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access (read-only)
r_dir_file(system_server, oemfs)

###
### Neverallow rules
###
### system_server should NEVER do any of this.
### These are enforced at policy compile time: any allow rule that
### intersects one of them fails the build.

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
neverallow system_server sdcard_type:file rw_file_perms;
410