system_server.te revision 206dea92b9ba01b4deb18fba5f7024845f04ccd5
1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5type system_server, domain, mlstrustedsubject;
6
7# Define a type for tmpfs-backed ashmem regions.
8tmpfs_domain(system_server)
9
10eng(`
11  # JIT mappings
  # Granted only on eng builds (wrapped in eng()); on other builds this
  # domain gets no execmem and no execute on ashmem/tmpfs-backed mappings.
12  allow system_server self:process execmem;
13  allow system_server ashmem_device:chr_file execute;
14  allow system_server system_server_tmpfs:file execute;
15')
16
17# For art. dalvikcache_data_file is the only /data type this domain may
# map executable (see the data_file_type neverallow at the end of this file).
18allow system_server dalvikcache_data_file:file execute;
19allow system_server dalvikcache_data_file:dir r_dir_perms;
20
21# /data/resource-cache
22allow system_server resourcecache_data_file:file r_file_perms;
23allow system_server resourcecache_data_file:dir r_dir_perms;
24
25# ptrace to processes in the same domain for debugging crashes.
26allow system_server self:process ptrace;
27
28# Child of the zygote.
29allow system_server zygote:fd use;
30allow system_server zygote:process sigchld;
31allow system_server zygote_tmpfs:file read;
32
33# May kill zygote on crashes.
34allow system_server zygote:process sigkill;
35
36# Read /system/bin/app_process.
37allow system_server zygote_exec:file r_file_perms;
38
39# Needed to close the zygote socket, which involves getopt / getattr
40allow system_server zygote:unix_stream_socket { getopt getattr };
41
42# system server gets network and bluetooth permissions.
43net_domain(system_server)
44bluetooth_domain(system_server)
45
46# These are the capabilities assigned by the zygote to the
47# system server.
48allow system_server self:capability {
49    kill
50    net_admin
51    net_bind_service
52    net_broadcast
53    net_raw
54    sys_boot
55    sys_nice
56    sys_resource
57    sys_time
58    sys_tty_config
59};
60
# Wakelock access via the wakelock_use macro (defined elsewhere).
61wakelock_use(system_server)
62
63# Triggered by /proc/pid accesses, not allowed.
64dontaudit system_server self:capability sys_ptrace;
65
66# Trigger module auto-load.
67allow system_server kernel:system module_request;
68
69# Use netlink uevent sockets.
70allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
71
72# Use generic netlink sockets.
73allow system_server self:netlink_socket create_socket_perms;
74
75# Set and get routes directly via netlink.
76allow system_server self:netlink_route_socket nlmsg_write;
77
78# Kill apps.
79allow system_server appdomain:process { sigkill signal };
80
81# Set scheduling info for apps.
82allow system_server appdomain:process { getsched setsched };
83allow system_server mediaserver:process { getsched setsched };
84
85# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
86# within system_server to keep track of memory and CPU usage for
87# all processes on the device.
88r_dir_file(system_server, domain)
89
90# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
91allow system_server qtaguid_proc:file rw_file_perms;
92allow system_server qtaguid_device:chr_file rw_file_perms;
93
94# Read /proc/uid_cputime/show_uid_stat.
95allow system_server proc_uid_cputime_showstat:file r_file_perms;
96
97# Write /proc/uid_cputime/remove_uid_range.
98allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
99
100# Write to /proc/sysrq-trigger.
# NOTE(review): the rule grants rw_file_perms, which is wider than the
# write access described above.
101allow system_server proc_sysrq:file rw_file_perms;
102
103# Read /sys/kernel/debug/wakeup_sources.
# NOTE(review): the target is the generic debugfs type, so this covers every
# debugfs-labeled file, not only wakeup_sources.
104allow system_server debugfs:file r_file_perms;
105
106# WifiWatchdog uses a packet_socket
107allow system_server self:packet_socket create_socket_perms;
108
109# 3rd party VPN clients require a tun_socket to be created
110allow system_server self:tun_socket create_socket_perms;
111
112# Notify init of death.
113allow system_server init:process sigchld;
114
115# Talk to init and various daemons via sockets.
116unix_socket_connect(system_server, installd, installd)
117unix_socket_connect(system_server, lmkd, lmkd)
118unix_socket_connect(system_server, mtpd, mtp)
119unix_socket_connect(system_server, netd, netd)
120unix_socket_connect(system_server, vold, vold)
121unix_socket_connect(system_server, zygote, zygote)
122unix_socket_connect(system_server, gps, gpsd)
123unix_socket_connect(system_server, racoon, racoon)
124unix_socket_send(system_server, wpa, wpa)
125
126# Communicate over a socket created by surfaceflinger.
127allow system_server surfaceflinger:unix_stream_socket { read write setopt };
128
129# Perform Binder IPC.
130binder_use(system_server)
131binder_call(system_server, binderservicedomain)
132binder_call(system_server, gatekeeperd)
133binder_call(system_server, fingerprintd)
134binder_call(system_server, appdomain)
135binder_call(system_server, dumpstate)
136binder_service(system_server)
137
138# Ask debuggerd to dump backtraces for native stacks of interest.
139allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
140
141# Read /proc/pid files for dumping stack traces of native processes.
142r_dir_file(system_server, mediaserver)
143r_dir_file(system_server, sdcardd)
144r_dir_file(system_server, surfaceflinger)
145r_dir_file(system_server, inputflinger)
146
147# Use sockets received over binder from various services.
148allow system_server mediaserver:tcp_socket rw_socket_perms;
149allow system_server mediaserver:udp_socket rw_socket_perms;
150
151# Check SELinux permissions.
152selinux_check_access(system_server)
153
154# XXX Label sysfs files with a specific type?
# NOTE(review): the generic sysfs rule on the next line grants read/write on
# every file still carrying the sysfs label. The sysfs_* rules that follow
# only narrow access once the corresponding nodes are labeled with those
# specific types; until then the generic rule subsumes them. The
# sysfs_mac_address rule here is repeated further down in this file.
155allow system_server sysfs:file rw_file_perms;
156allow system_server sysfs_nfc_power_writable:file rw_file_perms;
157allow system_server sysfs_devices_system_cpu:file w_file_perms;
158allow system_server sysfs_mac_address:file r_file_perms;
159
160# Access devices.
161allow system_server device:dir r_dir_perms;
162allow system_server mdns_socket:sock_file rw_file_perms;
163allow system_server alarm_device:chr_file rw_file_perms;
164allow system_server gpu_device:chr_file rw_file_perms;
165allow system_server iio_device:chr_file rw_file_perms;
166allow system_server input_device:dir r_dir_perms;
167allow system_server input_device:chr_file rw_file_perms;
168allow system_server radio_device:chr_file r_file_perms;
169allow system_server tty_device:chr_file rw_file_perms;
170allow system_server usbaccessory_device:chr_file rw_file_perms;
171allow system_server video_device:dir r_dir_perms;
172allow system_server video_device:chr_file rw_file_perms;
173allow system_server adbd_socket:sock_file rw_file_perms;
174allow system_server rtc_device:chr_file rw_file_perms;
175allow system_server audio_device:dir r_dir_perms;
176
177# write access needed for MIDI
178allow system_server audio_device:chr_file rw_file_perms;
179
180# tun device used for 3rd party vpn apps
181allow system_server tun_device:chr_file rw_file_perms;
182
183# Manage system data files.
184allow system_server system_data_file:dir create_dir_perms;
185allow system_server system_data_file:notdevfile_class_set create_file_perms;
186allow system_server keychain_data_file:dir create_dir_perms;
187allow system_server keychain_data_file:file create_file_perms;
188
189# Manage /data/app.
190allow system_server apk_data_file:dir create_dir_perms;
191allow system_server apk_data_file:file { create_file_perms link };
192allow system_server apk_tmp_file:dir create_dir_perms;
193allow system_server apk_tmp_file:file create_file_perms;
194
195# Manage /data/app-private.
196allow system_server apk_private_data_file:dir create_dir_perms;
197allow system_server apk_private_data_file:file create_file_perms;
198allow system_server apk_private_tmp_file:dir create_dir_perms;
199allow system_server apk_private_tmp_file:file create_file_perms;
200
201# Manage files within asec containers.
202allow system_server asec_apk_file:dir create_dir_perms;
203allow system_server asec_apk_file:file create_file_perms;
204allow system_server asec_public_file:file create_file_perms;
205
206# Manage /data/anr.
207allow system_server anr_data_file:dir create_dir_perms;
208allow system_server anr_data_file:file create_file_perms;
209
210# Manage /data/backup.
211allow system_server backup_data_file:dir create_dir_perms;
212allow system_server backup_data_file:file create_file_perms;
213
214# Read from /data/dalvik-cache/profiles
# NOTE(review): the rules below grant rw_dir_perms and create_file_perms,
# i.e. write/create access rather than the read-only access described above.
215allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
216allow system_server dalvikcache_profiles_data_file:file create_file_perms;
217
218# Write to /data/system/heapdump
219allow system_server heapdump_data_file:dir rw_dir_perms;
220allow system_server heapdump_data_file:file create_file_perms;
221
222# Manage /data/misc/adb.
223allow system_server adb_keys_file:dir create_dir_perms;
224allow system_server adb_keys_file:file create_file_perms;
225
226# Manage /data/misc/sms.
227# TODO:  Split into a separate type?
228allow system_server radio_data_file:dir create_dir_perms;
229allow system_server radio_data_file:file create_file_perms;
230
231# Manage /data/misc/systemkeys.
232allow system_server systemkeys_data_file:dir create_dir_perms;
233allow system_server systemkeys_data_file:file create_file_perms;
234
235# Access /data/tombstones.
236allow system_server tombstone_data_file:dir r_dir_perms;
237allow system_server tombstone_data_file:file r_file_perms;
238
239# Manage /data/misc/vpn.
240allow system_server vpn_data_file:dir create_dir_perms;
241allow system_server vpn_data_file:file create_file_perms;
242
243# Manage /data/misc/wifi.
244allow system_server wifi_data_file:dir create_dir_perms;
245allow system_server wifi_data_file:file create_file_perms;
246
247# Manage /data/misc/zoneinfo.
248allow system_server zoneinfo_data_file:dir create_dir_perms;
249allow system_server zoneinfo_data_file:file create_file_perms;
250
251# Walk /data/data subdirectories.
252# Types extracted from seapp_contexts type= fields.
253allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
254# Also permit for unlabeled /data/data subdirectories and
255# for unlabeled asec containers on upgrades from 4.2.
256allow system_server unlabeled:dir r_dir_perms;
257# Read pkg.apk file before it has been relabeled by vold.
258allow system_server unlabeled:file r_file_perms;
259
260# Populate com.android.providers.settings/databases/settings.db.
261allow system_server system_app_data_file:dir create_dir_perms;
262allow system_server system_app_data_file:file create_file_perms;
263
264# Receive and use open app data files passed over binder IPC.
265# Types extracted from seapp_contexts type= fields.
# Deliberately no "open" here: the neverallow at the end of this file
# forbids this domain from opening app data files itself.
266allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
267
268# Receive and use open /data/media files passed over binder IPC.
269allow system_server media_rw_data_file:file { getattr read write };
270
271# Read /file_contexts and /data/security/file_contexts
272security_access_policy(system_server)
273
274# Relabel apk files.
275allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
276allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
277
278# Relabel wallpaper.
279allow system_server system_data_file:file relabelfrom;
280allow system_server wallpaper_file:file relabelto;
281allow system_server wallpaper_file:file { rw_file_perms unlink };
282
283# This was originally required for relabeling /data/anr,
284# but should not be used anymore. TODO: remove it.
# The auditallow logs any remaining use so the rule can be removed safely.
285allow system_server system_data_file:dir relabelfrom;
286auditallow system_server system_data_file:dir relabelfrom;
287
288# Property Service write
289set_prop(system_server, system_prop)
290set_prop(system_server, dhcp_prop)
291set_prop(system_server, net_radio_prop)
292set_prop(system_server, system_radio_prop)
293set_prop(system_server, debug_prop)
294set_prop(system_server, powerctl_prop)
295set_prop(system_server, fingerprint_prop)
296
297# ctl interface
298set_prop(system_server, ctl_default_prop)
299set_prop(system_server, ctl_dhcp_pan_prop)
300set_prop(system_server, ctl_bugreport_prop)
301
302# Create a socket for receiving info from wpa.
303type_transition system_server wifi_data_file:sock_file system_wpa_socket;
304type_transition system_server wpa_socket:sock_file system_wpa_socket;
305allow system_server wpa_socket:dir rw_dir_perms;
306allow system_server system_wpa_socket:sock_file create_file_perms;
307
308# Remove sockets created by wpa_supplicant
309allow system_server wpa_socket:sock_file unlink;
310
311# Create a socket for connections from debuggerd.
# Name-based transition: only a sock_file named "ndebugsocket" gets the
# system_ndebug_socket label.
312type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
313allow system_server system_ndebug_socket:sock_file create_file_perms;
314
315# Manage cache files.
316allow system_server cache_file:dir { relabelfrom create_dir_perms };
317allow system_server cache_file:file { relabelfrom create_file_perms };
318allow system_server cache_file:fifo_file create_file_perms;
319
320# Run system programs, e.g. dexopt.
# Executing dex2oat_exec is separately neverallowed at the end of this file.
321allow system_server system_file:file x_file_perms;
322
323# XXX Run toolbox.  Might not be needed.
# The auditallow records actual use so the allow can be dropped if unused.
324allow system_server toolbox_exec:file rx_file_perms;
325auditallow system_server toolbox_exec:file rx_file_perms;
326
327# LocationManager (e.g., GPS) needs to read and write
328# to uart driver and ctrl proc entry
329allow system_server gps_device:chr_file rw_file_perms;
330allow system_server gps_control:file rw_file_perms;
331
332# Allow system_server to use app-created sockets and pipes.
333allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
334allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
335
336# Allow abstract socket connection
337allow system_server rild:unix_stream_socket connectto;
338
339# BackupManagerService lets PMS create a data backup file
340allow system_server cache_backup_file:file create_file_perms;
341# Relabel /data/backup
342allow system_server backup_data_file:dir { relabelto relabelfrom };
343# Relabel /cache/.*\.{data|restore}
344allow system_server cache_backup_file:file { relabelto relabelfrom };
345# LocalTransport creates and relabels /cache/backup
346allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
347
348# Allow system to talk to usb device
349allow system_server usb_device:chr_file rw_file_perms;
350allow system_server usb_device:dir r_dir_perms;
351
352# Allow system to talk to sensors
353allow system_server sensors_device:chr_file rw_file_perms;
354
355# Read from HW RNG (needed by EntropyMixer).
356allow system_server hw_random_device:chr_file r_file_perms;
357
358# Read and delete files under /dev/fscklogs.
359r_dir_file(system_server, fscklogs)
360allow system_server fscklogs:dir { write remove_name };
361allow system_server fscklogs:file unlink;
362
363# For SELinuxPolicyInstallReceiver
364selinux_manage_policy(system_server)
365
366# logd access, system_server inherit logd write socket
367# (urge is to deprecate this long term)
368allow system_server zygote:unix_dgram_socket write;
369
370# Read from log daemon.
371read_logd(system_server)
372
373# Be consistent with DAC permissions. Allow system_server to write to
374# /sys/module/lowmemorykiller/parameters/adj
375# /sys/module/lowmemorykiller/parameters/minfree
376allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
377
378# Read /sys/fs/pstore/console-ramoops
379# Don't worry about overly broad permissions for now, as there's
380# only one file in /sys/fs/pstore
381allow system_server pstorefs:dir r_dir_perms;
382allow system_server pstorefs:file r_file_perms;
383
# Service manager lookups. system_server_service is the only service this
# domain may register (add); every other service listed is find-only.
384allow system_server drmserver_service:service_manager find;
385allow system_server healthd_service:service_manager find;
386allow system_server keystore_service:service_manager find;
387allow system_server gatekeeper_service:service_manager find;
388allow system_server fingerprintd_service:service_manager find;
389allow system_server mediaserver_service:service_manager find;
390allow system_server nfc_service:service_manager find;
391allow system_server radio_service:service_manager find;
392allow system_server system_server_service:service_manager { add find };
393allow system_server surfaceflinger_service:service_manager find;
394
# Keystore operations this domain may invoke (keystore_key class).
395allow system_server keystore:keystore_key {
396	get_state
397	get
398	insert
399	delete
400	exist
401	list
402	reset
403	password
404	lock
405	unlock
406	is_empty
407	sign
408	verify
409	grant
410	duplicate
411	clear_uid
412	add_auth
413	user_changed
414};
415
416# Allow system server to search and write to the persistent factory reset
417# protection partition. This block device does not get wiped in a factory reset.
# frp_block_device is the sole blk_file exception carved out of the dev_type
# neverallow at the end of this file.
418allow system_server block_device:dir search;
419allow system_server frp_block_device:blk_file rw_file_perms;
420
421# Clean up old cgroups
422allow system_server cgroup:dir { remove_name rmdir };
423
424# /oem access
425r_dir_file(system_server, oemfs)
426
427# Allow resolving per-user storage symlinks
428allow system_server { mnt_user_file storage_file }:dir { getattr search };
429allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
430
431# Allow statfs() on storage devices, which happens fast enough that
432# we shouldn't be killed during unsafe removal
433allow system_server sdcard_type:dir { getattr search };
434
435# Traverse into expanded storage
436allow system_server mnt_expand_file:dir r_dir_perms;
437
438# Allow system process to relabel the fingerprint directory after mkdir
439allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
440
441# Allow system process to read network MAC address
# NOTE(review): duplicates the sysfs_mac_address rule in the sysfs block above.
442allow system_server sysfs_mac_address:file r_file_perms;
443
444###
445### Neverallow rules
446###
447### system_server should NEVER do any of this
448
449# Do not allow opening files from external storage as unsafe ejection
450# could cause the kernel to kill the system_server.
451neverallow system_server sdcard_type:dir { open read write };
452neverallow system_server sdcard_type:file rw_file_perms;
453
454# system server should never be opening zygote spawned app data
455# files directly. Rather, they should always be passed via a
456# file descriptor.
457# Types extracted from seapp_contexts type= fields, excluding
458# those types that system_server needs to open directly.
459neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
460
461# system_server should never be executing dex2oat. This is either
462# a bug (for example, bug 16317188), or represents an attempt by
463# system server to dynamically load a dex file, something we do not
464# want to allow.
465neverallow system_server dex2oat_exec:file no_x_file_perms;
466
467# system_server should never execute anything from /data except for /data/dalvik-cache files.
468neverallow system_server {
469  data_file_type
470  -dalvikcache_data_file #mapping with PROT_EXEC
471}:file no_x_file_perms;
472
473# The only block device system_server should be accessing is
474# the frp_block_device. This helps avoid a system_server to root
475# escalation by writing to raw block devices.
476neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
477
477