system_server.te revision 596bcc768758f38534a537a3fb54875225417f2c
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# NOTE(review): this domain carries a very wide set of allow rules (all of
# /data, most device nodes, generic sysfs, policy management, keystore
# control). Every broad grant below is called out inline so that future
# tightening can target them; none of the rules themselves are changed here.
# mlstrustedsubject exempts the domain from MLS constraints.
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# execmem plus execute on ashmem/tmpfs files relaxes W^X for this process;
# required by the JIT, but it means writable-then-executable memory is
# reachable from this domain.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to self only; other domains are not ptrace targets here.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
# NOTE(review): sys_module (with module_request below), sys_boot and
# sys_time are kernel-level capabilities; the set is listed explicitly so
# additions are visible in review rather than hidden in a macro.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
# dontaudit suppresses the denial log only; sys_ptrace stays denied, so a
# genuine need for it would surface as a silent failure rather than an AVC.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
# NOTE(review): `domain` is the attribute of every process type, so this is
# read access to /proc/<pid> for every process on the device.
r_dir_file(system_server, domain)

# Write to /proc/pid/oom_adj_score for apps.
# NOTE(review): the rule is `appdomain:file write` with no path restriction,
# so it covers any file carrying an app process label, not only
# oom_adj_score.
allow system_server appdomain:file write;

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
# Writing sysrq-trigger can reboot or crash the kernel; this is a
# deliberate, high-impact grant.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
# NOTE(review): granted on the generic debugfs type, so it permits reading
# any debugfs file, not just wakeup_sources.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# NOTE(review): rw on the generic sysfs type is the broadest write grant in
# this file; the two specific sysfs_* types below show the intended pattern.
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
# notdevfile_class_set covers every non-device file class (regular files,
# dirs, symlinks, sockets, fifos) under system_data_file.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Manage /data/dalvik-cache.
# Combined with the execute grant near the top of the file, this domain can
# both write and execute dalvik-cache contents.
allow system_server dalvikcache_data_file:dir create_dir_perms;
allow system_server dalvikcache_data_file:file create_file_perms;

# Read from /data/dalvik-cache/profiles
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb.
# adb_keys_file holds the authorized adb public keys; write access here
# controls which hosts adbd will trust.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# NOTE(review): `unlabeled` is not path-scoped; these two rules allow
# reading any unlabeled dir/file on the system, kept for the upgrade case.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# Only getattr/read/write on already-open descriptors; no open/create, so
# system_server cannot itself open app files by path with this rule.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;

# ctl interface
# ctl.* properties drive init service start/stop; each one is listed
# individually rather than via a wildcard type.
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Specify any arguments to zygote.
# These zygote permissions let system_server choose uids, rlimits and
# seinfo for spawned apps, i.e. the inputs to app sandboxing.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:fifo_file { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
# NOTE(review): presumably this macro grants the ability to install updated
# policy, which makes it the highest-trust grant in the file; confirm against
# the macro definition before extending it.
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# Register system_server's own services with servicemanager.
allow system_server system_server_service:service_manager add;

# Keystore control. This is an extensive set, including reset, password,
# clear_uid and grant; it is listed explicitly so any addition is reviewed.
allow system_server keystore:keystore_key {
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
};

###
### Neverallow rules
###
### system_server should NEVER do any of this
###
### NOTE(review): the only rule in this section is commented out, so it
### currently asserts nothing at policy-build time. Any invariant that
### should be enforced needs to be an active `neverallow` statement.

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
# neverallow system_server sdcard_type:file rw_file_perms;