system_server.te revision 206dea92b9ba01b4deb18fba5f7024845f04ccd5
1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5type system_server, domain, mlstrustedsubject; 6 7# Define a type for tmpfs-backed ashmem regions. 8tmpfs_domain(system_server) 9 10eng(` 11 # JIT mappings 12 allow system_server self:process execmem; 13 allow system_server ashmem_device:chr_file execute; 14 allow system_server system_server_tmpfs:file execute; 15') 16 17# For art. 18allow system_server dalvikcache_data_file:file execute; 19allow system_server dalvikcache_data_file:dir r_dir_perms; 20 21# /data/resource-cache 22allow system_server resourcecache_data_file:file r_file_perms; 23allow system_server resourcecache_data_file:dir r_dir_perms; 24 25# ptrace to processes in the same domain for debugging crashes. 26allow system_server self:process ptrace; 27 28# Child of the zygote. 29allow system_server zygote:fd use; 30allow system_server zygote:process sigchld; 31allow system_server zygote_tmpfs:file read; 32 33# May kill zygote on crashes. 34allow system_server zygote:process sigkill; 35 36# Read /system/bin/app_process. 37allow system_server zygote_exec:file r_file_perms; 38 39# Needed to close the zygote socket, which involves getopt / getattr 40allow system_server zygote:unix_stream_socket { getopt getattr }; 41 42# system server gets network and bluetooth permissions. 43net_domain(system_server) 44bluetooth_domain(system_server) 45 46# These are the capabilities assigned by the zygote to the 47# system server. 48allow system_server self:capability { 49 kill 50 net_admin 51 net_bind_service 52 net_broadcast 53 net_raw 54 sys_boot 55 sys_nice 56 sys_resource 57 sys_time 58 sys_tty_config 59}; 60 61wakelock_use(system_server) 62 63# Triggered by /proc/pid accesses, not allowed. 64dontaudit system_server self:capability sys_ptrace; 65 66# Trigger module auto-load. 67allow system_server kernel:system module_request; 68 69# Use netlink uevent sockets. 70allow system_server self:netlink_kobject_uevent_socket create_socket_perms; 71 72# Use generic netlink sockets. 73allow system_server self:netlink_socket create_socket_perms; 74 75# Set and get routes directly via netlink. 76allow system_server self:netlink_route_socket nlmsg_write; 77 78# Kill apps. 79allow system_server appdomain:process { sigkill signal }; 80 81# Set scheduling info for apps. 82allow system_server appdomain:process { getsched setsched }; 83allow system_server mediaserver:process { getsched setsched }; 84 85# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 86# within system_server to keep track of memory and CPU usage for 87# all processes on the device. 88r_dir_file(system_server, domain) 89 90# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. 91allow system_server qtaguid_proc:file rw_file_perms; 92allow system_server qtaguid_device:chr_file rw_file_perms; 93 94# Read /proc/uid_cputime/show_uid_stat. 95allow system_server proc_uid_cputime_showstat:file r_file_perms; 96 97# Write /proc/uid_cputime/remove_uid_range. 98allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 99 100# Write to /proc/sysrq-trigger. 101allow system_server proc_sysrq:file rw_file_perms; 102 103# Read /sys/kernel/debug/wakeup_sources. 104allow system_server debugfs:file r_file_perms; 105 106# WifiWatchdog uses a packet_socket 107allow system_server self:packet_socket create_socket_perms; 108 109# 3rd party VPN clients require a tun_socket to be created 110allow system_server self:tun_socket create_socket_perms; 111 112# Notify init of death. 113allow system_server init:process sigchld; 114 115# Talk to init and various daemons via sockets. 116unix_socket_connect(system_server, installd, installd) 117unix_socket_connect(system_server, lmkd, lmkd) 118unix_socket_connect(system_server, mtpd, mtp) 119unix_socket_connect(system_server, netd, netd) 120unix_socket_connect(system_server, vold, vold) 121unix_socket_connect(system_server, zygote, zygote) 122unix_socket_connect(system_server, gps, gpsd) 123unix_socket_connect(system_server, racoon, racoon) 124unix_socket_send(system_server, wpa, wpa) 125 126# Communicate over a socket created by surfaceflinger. 127allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 128 129# Perform Binder IPC. 130binder_use(system_server) 131binder_call(system_server, binderservicedomain) 132binder_call(system_server, gatekeeperd) 133binder_call(system_server, fingerprintd) 134binder_call(system_server, appdomain) 135binder_call(system_server, dumpstate) 136binder_service(system_server) 137 138# Ask debuggerd to dump backtraces for native stacks of interest. 139allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; 140 141# Read /proc/pid files for dumping stack traces of native processes. 142r_dir_file(system_server, mediaserver) 143r_dir_file(system_server, sdcardd) 144r_dir_file(system_server, surfaceflinger) 145r_dir_file(system_server, inputflinger) 146 147# Use sockets received over binder from various services. 148allow system_server mediaserver:tcp_socket rw_socket_perms; 149allow system_server mediaserver:udp_socket rw_socket_perms; 150 151# Check SELinux permissions. 152selinux_check_access(system_server) 153 154# XXX Label sysfs files with a specific type? 155allow system_server sysfs:file rw_file_perms; 156allow system_server sysfs_nfc_power_writable:file rw_file_perms; 157allow system_server sysfs_devices_system_cpu:file w_file_perms; 158allow system_server sysfs_mac_address:file r_file_perms; 159 160# Access devices. 161allow system_server device:dir r_dir_perms; 162allow system_server mdns_socket:sock_file rw_file_perms; 163allow system_server alarm_device:chr_file rw_file_perms; 164allow system_server gpu_device:chr_file rw_file_perms; 165allow system_server iio_device:chr_file rw_file_perms; 166allow system_server input_device:dir r_dir_perms; 167allow system_server input_device:chr_file rw_file_perms; 168allow system_server radio_device:chr_file r_file_perms; 169allow system_server tty_device:chr_file rw_file_perms; 170allow system_server usbaccessory_device:chr_file rw_file_perms; 171allow system_server video_device:dir r_dir_perms; 172allow system_server video_device:chr_file rw_file_perms; 173allow system_server adbd_socket:sock_file rw_file_perms; 174allow system_server rtc_device:chr_file rw_file_perms; 175allow system_server audio_device:dir r_dir_perms; 176 177# write access needed for MIDI 178allow system_server audio_device:chr_file rw_file_perms; 179 180# tun device used for 3rd party vpn apps 181allow system_server tun_device:chr_file rw_file_perms; 182 183# Manage system data files. 184allow system_server system_data_file:dir create_dir_perms; 185allow system_server system_data_file:notdevfile_class_set create_file_perms; 186allow system_server keychain_data_file:dir create_dir_perms; 187allow system_server keychain_data_file:file create_file_perms; 188 189# Manage /data/app. 190allow system_server apk_data_file:dir create_dir_perms; 191allow system_server apk_data_file:file { create_file_perms link }; 192allow system_server apk_tmp_file:dir create_dir_perms; 193allow system_server apk_tmp_file:file create_file_perms; 194 195# Manage /data/app-private. 196allow system_server apk_private_data_file:dir create_dir_perms; 197allow system_server apk_private_data_file:file create_file_perms; 198allow system_server apk_private_tmp_file:dir create_dir_perms; 199allow system_server apk_private_tmp_file:file create_file_perms; 200 201# Manage files within asec containers. 202allow system_server asec_apk_file:dir create_dir_perms; 203allow system_server asec_apk_file:file create_file_perms; 204allow system_server asec_public_file:file create_file_perms; 205 206# Manage /data/anr. 207allow system_server anr_data_file:dir create_dir_perms; 208allow system_server anr_data_file:file create_file_perms; 209 210# Manage /data/backup. 211allow system_server backup_data_file:dir create_dir_perms; 212allow system_server backup_data_file:file create_file_perms; 213 214# Read from /data/dalvik-cache/profiles 215allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms; 216allow system_server dalvikcache_profiles_data_file:file create_file_perms; 217 218# Write to /data/system/heapdump 219allow system_server heapdump_data_file:dir rw_dir_perms; 220allow system_server heapdump_data_file:file create_file_perms; 221 222# Manage /data/misc/adb. 223allow system_server adb_keys_file:dir create_dir_perms; 224allow system_server adb_keys_file:file create_file_perms; 225 226# Manage /data/misc/sms. 227# TODO: Split into a separate type? 228allow system_server radio_data_file:dir create_dir_perms; 229allow system_server radio_data_file:file create_file_perms; 230 231# Manage /data/misc/systemkeys. 232allow system_server systemkeys_data_file:dir create_dir_perms; 233allow system_server systemkeys_data_file:file create_file_perms; 234 235# Access /data/tombstones. 236allow system_server tombstone_data_file:dir r_dir_perms; 237allow system_server tombstone_data_file:file r_file_perms; 238 239# Manage /data/misc/vpn. 240allow system_server vpn_data_file:dir create_dir_perms; 241allow system_server vpn_data_file:file create_file_perms; 242 243# Manage /data/misc/wifi. 244allow system_server wifi_data_file:dir create_dir_perms; 245allow system_server wifi_data_file:file create_file_perms; 246 247# Manage /data/misc/zoneinfo. 248allow system_server zoneinfo_data_file:dir create_dir_perms; 249allow system_server zoneinfo_data_file:file create_file_perms; 250 251# Walk /data/data subdirectories. 252# Types extracted from seapp_contexts type= fields. 253allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; 254# Also permit for unlabeled /data/data subdirectories and 255# for unlabeled asec containers on upgrades from 4.2. 256allow system_server unlabeled:dir r_dir_perms; 257# Read pkg.apk file before it has been relabeled by vold. 258allow system_server unlabeled:file r_file_perms; 259 260# Populate com.android.providers.settings/databases/settings.db. 261allow system_server system_app_data_file:dir create_dir_perms; 262allow system_server system_app_data_file:file create_file_perms; 263 264# Receive and use open app data files passed over binder IPC. 265# Types extracted from seapp_contexts type= fields. 266allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write }; 267 268# Receive and use open /data/media files passed over binder IPC. 269allow system_server media_rw_data_file:file { getattr read write }; 270 271# Read /file_contexts and /data/security/file_contexts 272security_access_policy(system_server) 273 274# Relabel apk files. 275allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 276allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 277 278# Relabel wallpaper. 279allow system_server system_data_file:file relabelfrom; 280allow system_server wallpaper_file:file relabelto; 281allow system_server wallpaper_file:file { rw_file_perms unlink }; 282 283# This was originally required for relabeling /data/anr, 284# but should not be used anymore. TODO: remove it. 285allow system_server system_data_file:dir relabelfrom; 286auditallow system_server system_data_file:dir relabelfrom; 287 288# Property Service write 289set_prop(system_server, system_prop) 290set_prop(system_server, dhcp_prop) 291set_prop(system_server, net_radio_prop) 292set_prop(system_server, system_radio_prop) 293set_prop(system_server, debug_prop) 294set_prop(system_server, powerctl_prop) 295set_prop(system_server, fingerprint_prop) 296 297# ctl interface 298set_prop(system_server, ctl_default_prop) 299set_prop(system_server, ctl_dhcp_pan_prop) 300set_prop(system_server, ctl_bugreport_prop) 301 302# Create a socket for receiving info from wpa. 303type_transition system_server wifi_data_file:sock_file system_wpa_socket; 304type_transition system_server wpa_socket:sock_file system_wpa_socket; 305allow system_server wpa_socket:dir rw_dir_perms; 306allow system_server system_wpa_socket:sock_file create_file_perms; 307 308# Remove sockets created by wpa_supplicant 309allow system_server wpa_socket:sock_file unlink; 310 311# Create a socket for connections from debuggerd. 312type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 313allow system_server system_ndebug_socket:sock_file create_file_perms; 314 315# Manage cache files. 316allow system_server cache_file:dir { relabelfrom create_dir_perms }; 317allow system_server cache_file:file { relabelfrom create_file_perms }; 318allow system_server cache_file:fifo_file create_file_perms; 319 320# Run system programs, e.g. dexopt. 321allow system_server system_file:file x_file_perms; 322 323# XXX Run toolbox. Might not be needed. 324allow system_server toolbox_exec:file rx_file_perms; 325auditallow system_server toolbox_exec:file rx_file_perms; 326 327# LocationManager(e.g, GPS) needs to read and write 328# to uart driver and ctrl proc entry 329allow system_server gps_device:chr_file rw_file_perms; 330allow system_server gps_control:file rw_file_perms; 331 332# Allow system_server to use app-created sockets and pipes. 333allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 334allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 335 336# Allow abstract socket connection 337allow system_server rild:unix_stream_socket connectto; 338 339# BackupManagerService lets PMS create a data backup file 340allow system_server cache_backup_file:file create_file_perms; 341# Relabel /data/backup 342allow system_server backup_data_file:dir { relabelto relabelfrom }; 343# Relabel /cache/.*\.{data|restore} 344allow system_server cache_backup_file:file { relabelto relabelfrom }; 345# LocalTransport creates and relabels /cache/backup 346allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms }; 347 348# Allow system to talk to usb device 349allow system_server usb_device:chr_file rw_file_perms; 350allow system_server usb_device:dir r_dir_perms; 351 352# Allow system to talk to sensors 353allow system_server sensors_device:chr_file rw_file_perms; 354 355# Read from HW RNG (needed by EntropyMixer). 356allow system_server hw_random_device:chr_file r_file_perms; 357 358# Read and delete files under /dev/fscklogs. 359r_dir_file(system_server, fscklogs) 360allow system_server fscklogs:dir { write remove_name }; 361allow system_server fscklogs:file unlink; 362 363# For SELinuxPolicyInstallReceiver 364selinux_manage_policy(system_server) 365 366# logd access, system_server inherit logd write socket 367# (urge is to deprecate this long term) 368allow system_server zygote:unix_dgram_socket write; 369 370# Read from log daemon. 371read_logd(system_server) 372 373# Be consistent with DAC permissions. Allow system_server to write to 374# /sys/module/lowmemorykiller/parameters/adj 375# /sys/module/lowmemorykiller/parameters/minfree 376allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 377 378# Read /sys/fs/pstore/console-ramoops 379# Don't worry about overly broad permissions for now, as there's 380# only one file in /sys/fs/pstore 381allow system_server pstorefs:dir r_dir_perms; 382allow system_server pstorefs:file r_file_perms; 383 384allow system_server drmserver_service:service_manager find; 385allow system_server healthd_service:service_manager find; 386allow system_server keystore_service:service_manager find; 387allow system_server gatekeeper_service:service_manager find; 388allow system_server fingerprintd_service:service_manager find; 389allow system_server mediaserver_service:service_manager find; 390allow system_server nfc_service:service_manager find; 391allow system_server radio_service:service_manager find; 392allow system_server system_server_service:service_manager { add find }; 393allow system_server surfaceflinger_service:service_manager find; 394 395allow system_server keystore:keystore_key { 396 get_state 397 get 398 insert 399 delete 400 exist 401 list 402 reset 403 password 404 lock 405 unlock 406 is_empty 407 sign 408 verify 409 grant 410 duplicate 411 clear_uid 412 add_auth 413 user_changed 414}; 415 416# Allow system server to search and write to the persistent factory reset 417# protection partition. This block device does not get wiped in a factory reset. 418allow system_server block_device:dir search; 419allow system_server frp_block_device:blk_file rw_file_perms; 420 421# Clean up old cgroups 422allow system_server cgroup:dir { remove_name rmdir }; 423 424# /oem access 425r_dir_file(system_server, oemfs) 426 427# Allow resolving per-user storage symlinks 428allow system_server { mnt_user_file storage_file }:dir { getattr search }; 429allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 430 431# Allow statfs() on storage devices, which happens fast enough that 432# we shouldn't be killed during unsafe removal 433allow system_server sdcard_type:dir { getattr search }; 434 435# Traverse into expanded storage 436allow system_server mnt_expand_file:dir r_dir_perms; 437 438# Allow system process to relabel the fingerprint directory after mkdir 439allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto}; 440 441# Allow system process to read network MAC address 442allow system_server sysfs_mac_address:file r_file_perms; 443 444### 445### Neverallow rules 446### 447### system_server should NEVER do any of this 448 449# Do not allow opening files from external storage as unsafe ejection 450# could cause the kernel to kill the system_server. 451neverallow system_server sdcard_type:dir { open read write }; 452neverallow system_server sdcard_type:file rw_file_perms; 453 454# system server should never be opening zygote spawned app data 455# files directly. Rather, they should always be passed via a 456# file descriptor. 457# Types extracted from seapp_contexts type= fields, excluding 458# those types that system_server needs to open directly. 459neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open; 460 461# system_server should never be executing dex2oat. This is either 462# a bug (for example, bug 16317188), or represents an attempt by 463# system server to dynamically load a dex file, something we do not 464# want to allow. 465neverallow system_server dex2oat_exec:file no_x_file_perms; 466 467# system_server should never execute anything from /data except for /data/dalvik-cache files. 468neverallow system_server { 469 data_file_type 470 -dalvikcache_data_file #mapping with PROT_EXEC 471}:file no_x_file_perms; 472 473# The only block device system_server should be accessing is 474# the frp_block_device. This helps avoid a system_server to root 475# escalation by writing to raw block devices. 476neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; 477