• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
6typeattribute system_server coredomain;
7typeattribute system_server mlstrustedsubject;
8typeattribute system_server scheduler_service_server;
9typeattribute system_server sensor_service_server;
10
11# Define a type for tmpfs-backed ashmem regions.
12tmpfs_domain(system_server)
13
14# Create a socket for connections from crash_dump.
15type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
16
17allow system_server zygote_tmpfs:file read;
18allow system_server appdomain_tmpfs:file { getattr map read write };
19
20# For art.
21allow system_server dalvikcache_data_file:dir r_dir_perms;
22allow system_server dalvikcache_data_file:file r_file_perms;
23
24# When running system server under --invoke-with, we'll try to load the boot image under the
25# system server domain, following links to the system partition.
26with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
27
28# /data/resource-cache
29allow system_server resourcecache_data_file:file r_file_perms;
30allow system_server resourcecache_data_file:dir r_dir_perms;
31
32# ptrace to processes in the same domain for debugging crashes.
33allow system_server self:process ptrace;
34
35# Child of the zygote.
36allow system_server zygote:fd use;
37allow system_server zygote:process sigchld;
38
39# May kill zygote on crashes.
40allow system_server zygote:process sigkill;
41allow system_server crash_dump:process sigkill;
42allow system_server webview_zygote:process sigkill;
43allow system_server app_zygote:process sigkill;
44
45# Read /system/bin/app_process.
46allow system_server zygote_exec:file r_file_perms;
47
48# Needed to close the zygote socket, which involves getopt / getattr
49allow system_server zygote:unix_stream_socket { getopt getattr };
50
51# system server gets network and bluetooth permissions.
52net_domain(system_server)
53# in addition to ioctls whitelisted for all domains, also allow system_server
54# to use privileged ioctls commands. Needed to set up VPNs.
55allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
56bluetooth_domain(system_server)
57
58# Allow setup of tcp keepalive offload. This gives system_server the permission to
59# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
60# be granted individually, except for a small set of safe values whitelisted in
61# public/domain.te.
62allow system_server appdomain:tcp_socket ioctl;
63
64# These are the capabilities assigned by the zygote to the
65# system server.
66allow system_server self:global_capability_class_set {
67    ipc_lock
68    kill
69    net_admin
70    net_bind_service
71    net_broadcast
72    net_raw
73    sys_boot
74    sys_nice
75    sys_ptrace
76    sys_time
77    sys_tty_config
78};
79
80# Trigger module auto-load.
81allow system_server kernel:system module_request;
82
83# Allow alarmtimers to be set
84allow system_server self:global_capability2_class_set wake_alarm;
85
86# Create and share netlink_netfilter_sockets for tetheroffload.
87allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
88
89# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
90allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
91
92# Use netlink uevent sockets.
93allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
94
95# Use generic netlink sockets.
96allow system_server self:netlink_socket create_socket_perms_no_ioctl;
97allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
98
99# libvintf reads the kernel config to verify vendor interface compatibility.
100allow system_server config_gz:file { read open };
101
102# Use generic "sockets" where the address family is not known
103# to the kernel. The ioctl permission is specifically omitted here, but may
104# be added to device specific policy along with the ioctl commands to be
105# whitelisted.
106allow system_server self:socket create_socket_perms_no_ioctl;
107
108# Set and get routes directly via netlink.
109allow system_server self:netlink_route_socket nlmsg_write;
110
111# Kill apps.
112allow system_server appdomain:process { getpgid sigkill signal };
113
114# Set scheduling info for apps.
115allow system_server appdomain:process { getsched setsched };
116allow system_server audioserver:process { getsched setsched };
117allow system_server hal_audio:process { getsched setsched };
118allow system_server hal_bluetooth:process { getsched setsched };
119allow system_server hal_codec2_server:process { getsched setsched };
120allow system_server hal_omx_server:process { getsched setsched };
121allow system_server mediaswcodec:process { getsched setsched };
122allow system_server cameraserver:process { getsched setsched };
123allow system_server hal_camera:process { getsched setsched };
124allow system_server mediaserver:process { getsched setsched };
125allow system_server bootanim:process { getsched setsched };
126
127# Set scheduling info for psi monitor thread.
128allow system_server kernel:process { getsched setsched };
129
130# Allow system_server to write to /proc/<pid>/*
131allow system_server domain:file w_file_perms;
132
133# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
134# within system_server to keep track of memory and CPU usage for
135# all processes on the device. In addition, /proc/pid files access is needed
136# for dumping stack traces of native processes.
137r_dir_file(system_server, domain)
138
139# Write /proc/uid_cputime/remove_uid_range.
140allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
141
142# Write /proc/uid_procstat/set.
143allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
144
145# Write to /proc/sysrq-trigger.
146allow system_server proc_sysrq:file rw_file_perms;
147
148# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
149allow system_server stats_data_file:dir { open read remove_name search write };
150allow system_server stats_data_file:file unlink;
151
152# Read /sys/kernel/debug/wakeup_sources.
153allow system_server debugfs_wakeup_sources:file r_file_perms;
154
155# The DhcpClient and WifiWatchdog use packet_sockets
156allow system_server self:packet_socket create_socket_perms_no_ioctl;
157
158# 3rd party VPN clients require a tun_socket to be created
159allow system_server self:tun_socket create_socket_perms_no_ioctl;
160
161# Talk to init and various daemons via sockets.
162unix_socket_connect(system_server, lmkd, lmkd)
163unix_socket_connect(system_server, mtpd, mtp)
164unix_socket_connect(system_server, zygote, zygote)
165unix_socket_connect(system_server, racoon, racoon)
166unix_socket_connect(system_server, uncrypt, uncrypt)
167
168# Allow system_server to write to statsd.
169unix_socket_send(system_server, statsdw, statsd)
170
171# Communicate over a socket created by surfaceflinger.
172allow system_server surfaceflinger:unix_stream_socket { read write setopt };
173
174allow system_server gpuservice:unix_stream_socket { read write setopt };
175
176# Communicate over a socket created by webview_zygote.
177allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
178
179# Communicate over a socket created by app_zygote.
180allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
181
182# Perform Binder IPC.
183binder_use(system_server)
184binder_call(system_server, appdomain)
185binder_call(system_server, binderservicedomain)
186binder_call(system_server, dumpstate)
187binder_call(system_server, fingerprintd)
188binder_call(system_server, gatekeeperd)
189binder_call(system_server, idmap)
190binder_call(system_server, installd)
191binder_call(system_server, incidentd)
192binder_call(system_server, iorapd)
193binder_call(system_server, netd)
194binder_call(system_server, notify_traceur)
195binder_call(system_server, statsd)
196binder_call(system_server, storaged)
197binder_call(system_server, update_engine)
198binder_call(system_server, vold)
199binder_call(system_server, wificond)
200binder_call(system_server, wpantund)
201userdebug_or_eng(`
202  binder_call(system_server, perfprofd)
203')
204binder_service(system_server)
205
206# Use HALs
207hal_client_domain(system_server, hal_allocator)
208hal_client_domain(system_server, hal_authsecret)
209hal_client_domain(system_server, hal_broadcastradio)
210hal_client_domain(system_server, hal_codec2)
211hal_client_domain(system_server, hal_configstore)
212hal_client_domain(system_server, hal_contexthub)
213hal_client_domain(system_server, hal_face)
214hal_client_domain(system_server, hal_fingerprint)
215hal_client_domain(system_server, hal_gnss)
216hal_client_domain(system_server, hal_graphics_allocator)
217hal_client_domain(system_server, hal_health)
218hal_client_domain(system_server, hal_input_classifier)
219hal_client_domain(system_server, hal_ir)
220hal_client_domain(system_server, hal_light)
221hal_client_domain(system_server, hal_memtrack)
222hal_client_domain(system_server, hal_neuralnetworks)
223hal_client_domain(system_server, hal_oemlock)
224hal_client_domain(system_server, hal_omx)
225hal_client_domain(system_server, hal_power)
226hal_client_domain(system_server, hal_power_stats)
227hal_client_domain(system_server, hal_sensors)
228hal_client_domain(system_server, hal_tetheroffload)
229hal_client_domain(system_server, hal_thermal)
230hal_client_domain(system_server, hal_tv_cec)
231hal_client_domain(system_server, hal_tv_input)
232hal_client_domain(system_server, hal_usb)
233hal_client_domain(system_server, hal_usb_gadget)
234hal_client_domain(system_server, hal_vibrator)
235hal_client_domain(system_server, hal_vr)
236hal_client_domain(system_server, hal_weaver)
237hal_client_domain(system_server, hal_wifi)
238hal_client_domain(system_server, hal_wifi_hostapd)
239hal_client_domain(system_server, hal_wifi_offload)
240hal_client_domain(system_server, hal_wifi_supplicant)
241
242# Talk with graphics composer fences
243allow system_server hal_graphics_composer:fd use;
244
245# Use RenderScript always-passthrough HAL
246allow system_server hal_renderscript_hwservice:hwservice_manager find;
247allow system_server same_process_hal_file:file { execute read open getattr map };
248
249# Talk to tombstoned to get ANR traces.
250unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
251
252# List HAL interfaces to get ANR traces.
253allow system_server hwservicemanager:hwservice_manager list;
254
255# Send signals to trigger ANR traces.
256allow system_server {
257  # This is derived from the list that system server defines as interesting native processes
258  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
259  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
260  audioserver
261  cameraserver
262  drmserver
263  gpuservice
264  inputflinger
265  mediadrmserver
266  mediaextractor
267  mediametrics
268  mediaserver
269  mediaswcodec
270  sdcardd
271  statsd
272  surfaceflinger
273  vold
274
275  # This list comes from HAL_INTERFACES_OF_INTEREST in
276  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
277  hal_audio_server
278  hal_bluetooth_server
279  hal_camera_server
280  hal_codec2_server
281  hal_face_server
282  hal_graphics_allocator_server
283  hal_graphics_composer_server
284  hal_health_server
285  hal_omx_server
286  hal_sensors_server
287  hal_vr_server
288}:process { signal };
289
290# Use sockets received over binder from various services.
291allow system_server audioserver:tcp_socket rw_socket_perms;
292allow system_server audioserver:udp_socket rw_socket_perms;
293allow system_server mediaserver:tcp_socket rw_socket_perms;
294allow system_server mediaserver:udp_socket rw_socket_perms;
295
296# Use sockets received over binder from various services.
297allow system_server mediadrmserver:tcp_socket rw_socket_perms;
298allow system_server mediadrmserver:udp_socket rw_socket_perms;
299
300# Get file context
301allow system_server file_contexts_file:file r_file_perms;
302# access for mac_permissions
303allow system_server mac_perms_file: file r_file_perms;
304# Check SELinux permissions.
305selinux_check_access(system_server)
306
307allow system_server sysfs_type:dir search;
308
309r_dir_file(system_server, sysfs_android_usb)
310allow system_server sysfs_android_usb:file w_file_perms;
311
312allow system_server sysfs_extcon:dir r_dir_perms;
313
314r_dir_file(system_server, sysfs_ipv4)
315allow system_server sysfs_ipv4:file w_file_perms;
316
317r_dir_file(system_server, sysfs_rtc)
318r_dir_file(system_server, sysfs_switch)
319r_dir_file(system_server, sysfs_wakeup_reasons)
320
321allow system_server sysfs_nfc_power_writable:file rw_file_perms;
322allow system_server sysfs_mac_address:file r_file_perms;
323allow system_server sysfs_power:dir search;
324allow system_server sysfs_power:file rw_file_perms;
325allow system_server sysfs_thermal:dir search;
326allow system_server sysfs_thermal:file r_file_perms;
327
328# TODO: Remove when HALs are forced into separate processes
329allow system_server sysfs_vibrator:file { write append };
330
331# TODO: added to match above sysfs rule. Remove me?
332allow system_server sysfs_usb:file w_file_perms;
333
334# Access devices.
335allow system_server device:dir r_dir_perms;
336allow system_server mdns_socket:sock_file rw_file_perms;
337allow system_server gpu_device:chr_file rw_file_perms;
338allow system_server input_device:dir r_dir_perms;
339allow system_server input_device:chr_file rw_file_perms;
340allow system_server tty_device:chr_file rw_file_perms;
341allow system_server usbaccessory_device:chr_file rw_file_perms;
342allow system_server video_device:dir r_dir_perms;
343allow system_server video_device:chr_file rw_file_perms;
344allow system_server adbd_socket:sock_file rw_file_perms;
345allow system_server rtc_device:chr_file rw_file_perms;
346allow system_server audio_device:dir r_dir_perms;
347
348# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
349allow system_server audio_device:chr_file rw_file_perms;
350
351# tun device used for 3rd party vpn apps
352allow system_server tun_device:chr_file rw_file_perms;
353allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
354
355# Manage data/ota_package
356allow system_server ota_package_file:dir rw_dir_perms;
357allow system_server ota_package_file:file create_file_perms;
358
359# Manage system data files.
360allow system_server system_data_file:dir create_dir_perms;
361allow system_server system_data_file:notdevfile_class_set create_file_perms;
362allow system_server packages_list_file:file create_file_perms;
363allow system_server keychain_data_file:dir create_dir_perms;
364allow system_server keychain_data_file:file create_file_perms;
365allow system_server keychain_data_file:lnk_file create_file_perms;
366
367# Manage /data/app.
368allow system_server apk_data_file:dir create_dir_perms;
369allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
370allow system_server apk_tmp_file:dir create_dir_perms;
371allow system_server apk_tmp_file:file create_file_perms;
372
373# Access input configuration files in the /vendor directory
374r_dir_file(system_server, vendor_keylayout_file)
375r_dir_file(system_server, vendor_keychars_file)
376r_dir_file(system_server, vendor_idc_file)
377
378# Access /vendor/{app,framework,overlay}
379r_dir_file(system_server, vendor_app_file)
380r_dir_file(system_server, vendor_framework_file)
381r_dir_file(system_server, vendor_overlay_file)
382
383# Manage /data/app-private.
384allow system_server apk_private_data_file:dir create_dir_perms;
385allow system_server apk_private_data_file:file create_file_perms;
386allow system_server apk_private_tmp_file:dir create_dir_perms;
387allow system_server apk_private_tmp_file:file create_file_perms;
388
389# Manage files within asec containers.
390allow system_server asec_apk_file:dir create_dir_perms;
391allow system_server asec_apk_file:file create_file_perms;
392allow system_server asec_public_file:file create_file_perms;
393
394# Manage /data/anr.
395#
396# TODO: Some of these permissions can be withdrawn once we've switched to the
397# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
398# the system_server should never need to create a new anr_data_file:file or write
399# to one, but it will still need to read and append to existing files.
400allow system_server anr_data_file:dir create_dir_perms;
401allow system_server anr_data_file:file create_file_perms;
402
403# New stack dumping scheme : request an output FD from tombstoned via a unix
404# domain socket.
405#
406# Allow system_server to connect and write to the tombstoned java trace socket in
407# order to dump its traces. Also allow the system server to write its traces to
408# dumpstate during bugreport capture and incidentd during incident collection.
409unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
410allow system_server tombstoned:fd use;
411allow system_server dumpstate:fifo_file append;
412allow system_server incidentd:fifo_file append;
413# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
414userdebug_or_eng(`
415  allow system_server su:fifo_file append;
416')
417
418# Allow system_server to read pipes from incidentd (used to deliver incident reports
419# to dropbox)
420allow system_server incidentd:fifo_file read;
421
422# Read /data/misc/incidents - only read. The fd will be sent over binder,
423# with no DAC access to it, for dropbox to read.
424allow system_server incident_data_file:file read;
425
426# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
427# binder.
428allow system_server perfetto_traces_data_file:file read;
429allow system_server perfetto:fd use;
430
431# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
432userdebug_or_eng(`
433  allow system_server perfprofd_data_file:file { getattr read };
434  allow system_server perfprofd:fd use;
435')
436
437# Manage /data/backup.
438allow system_server backup_data_file:dir create_dir_perms;
439allow system_server backup_data_file:file create_file_perms;
440
441# Write to /data/system/dropbox
442allow system_server dropbox_data_file:dir create_dir_perms;
443allow system_server dropbox_data_file:file create_file_perms;
444
445# Write to /data/system/heapdump
446allow system_server heapdump_data_file:dir rw_dir_perms;
447allow system_server heapdump_data_file:file create_file_perms;
448
449# Manage /data/misc/adb.
450allow system_server adb_keys_file:dir create_dir_perms;
451allow system_server adb_keys_file:file create_file_perms;
452
453# Manage /data/misc/network_watchlist
454allow system_server network_watchlist_data_file:dir create_dir_perms;
455allow system_server network_watchlist_data_file:file create_file_perms;
456
457# Manage /data/misc/sms.
458# TODO:  Split into a separate type?
459allow system_server radio_data_file:dir create_dir_perms;
460allow system_server radio_data_file:file create_file_perms;
461
462# Manage /data/misc/systemkeys.
463allow system_server systemkeys_data_file:dir create_dir_perms;
464allow system_server systemkeys_data_file:file create_file_perms;
465
466# Manage /data/misc/textclassifier.
467allow system_server textclassifier_data_file:dir create_dir_perms;
468allow system_server textclassifier_data_file:file create_file_perms;
469
470# Access /data/tombstones.
471allow system_server tombstone_data_file:dir r_dir_perms;
472allow system_server tombstone_data_file:file r_file_perms;
473
474# Manage /data/misc/vpn.
475allow system_server vpn_data_file:dir create_dir_perms;
476allow system_server vpn_data_file:file create_file_perms;
477
478# Manage /data/misc/wifi.
479allow system_server wifi_data_file:dir create_dir_perms;
480allow system_server wifi_data_file:file create_file_perms;
481
482# Manage /data/misc/zoneinfo.
483allow system_server zoneinfo_data_file:dir create_dir_perms;
484allow system_server zoneinfo_data_file:file create_file_perms;
485
486# Manage /data/app-staging.
487allow system_server staging_data_file:dir create_dir_perms;
488allow system_server staging_data_file:file create_file_perms;
489
490# Walk /data/data subdirectories.
491# Types extracted from seapp_contexts type= fields.
492allow system_server {
493  system_app_data_file
494  bluetooth_data_file
495  nfc_data_file
496  radio_data_file
497  shell_data_file
498  app_data_file
499  privapp_data_file
500}:dir { getattr read search };
501
502# Also permit for unlabeled /data/data subdirectories and
503# for unlabeled asec containers on upgrades from 4.2.
504allow system_server unlabeled:dir r_dir_perms;
505# Read pkg.apk file before it has been relabeled by vold.
506allow system_server unlabeled:file r_file_perms;
507
508# Populate com.android.providers.settings/databases/settings.db.
509allow system_server system_app_data_file:dir create_dir_perms;
510allow system_server system_app_data_file:file create_file_perms;
511
512# Receive and use open app data files passed over binder IPC.
513# Types extracted from seapp_contexts type= fields.
514allow system_server {
515  system_app_data_file
516  bluetooth_data_file
517  nfc_data_file
518  radio_data_file
519  shell_data_file
520  app_data_file
521  privapp_data_file
522}:file { getattr read write append map };
523
524# Access to /data/media for measuring disk usage.
525allow system_server media_rw_data_file:dir { search getattr open read };
526
527# Receive and use open /data/media files passed over binder IPC.
528# Also used for measuring disk usage.
529allow system_server media_rw_data_file:file { getattr read write append };
530
531# System server needs to setfscreate to packages_list_file when writing
532# /data/system/packages.list
533allow system_server system_server:process setfscreate;
534
535# Relabel apk files.
536allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
537allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
538
539# Relabel wallpaper.
540allow system_server system_data_file:file relabelfrom;
541allow system_server wallpaper_file:file relabelto;
542allow system_server wallpaper_file:file { rw_file_perms rename unlink };
543
544# Backup of wallpaper imagery uses temporary hard links to avoid data churn
545allow system_server { system_data_file wallpaper_file }:file link;
546
547# ShortcutManager icons
548allow system_server system_data_file:dir relabelfrom;
549allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
550allow system_server shortcut_manager_icons:file create_file_perms;
551
552# Manage ringtones.
553allow system_server ringtone_file:dir { create_dir_perms relabelto };
554allow system_server ringtone_file:file create_file_perms;
555
556# Relabel icon file.
557allow system_server icon_file:file relabelto;
558allow system_server icon_file:file { rw_file_perms unlink };
559
560# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
561allow system_server system_data_file:dir relabelfrom;
562
563# server_configurable_flags_data_file is used for storing server configurable flags which
564# have been reset during current booting. system_server needs to read the data to perform related
565# disaster recovery actions.
566allow system_server server_configurable_flags_data_file:dir r_dir_perms;
567allow system_server server_configurable_flags_data_file:file r_file_perms;
568
569# Property Service write
570set_prop(system_server, system_prop)
571set_prop(system_server, exported_system_prop)
572set_prop(system_server, exported2_system_prop)
573set_prop(system_server, exported3_system_prop)
574set_prop(system_server, safemode_prop)
575set_prop(system_server, theme_prop)
576set_prop(system_server, dhcp_prop)
577set_prop(system_server, net_radio_prop)
578set_prop(system_server, net_dns_prop)
579set_prop(system_server, system_radio_prop)
580set_prop(system_server, exported_system_radio_prop)
581set_prop(system_server, debug_prop)
582set_prop(system_server, powerctl_prop)
583set_prop(system_server, fingerprint_prop)
584set_prop(system_server, exported_fingerprint_prop)
585set_prop(system_server, device_logging_prop)
586set_prop(system_server, dumpstate_options_prop)
587set_prop(system_server, overlay_prop)
588set_prop(system_server, exported_overlay_prop)
589set_prop(system_server, pm_prop)
590set_prop(system_server, exported_pm_prop)
591userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
592
593# ctl interface
594set_prop(system_server, ctl_default_prop)
595set_prop(system_server, ctl_bugreport_prop)
596set_prop(system_server, ctl_gsid_prop)
597
598# cppreopt property
599set_prop(system_server, cppreopt_prop)
600
601# server configurable flags properties
602set_prop(system_server, device_config_input_native_boot_prop)
603set_prop(system_server, device_config_netd_native_prop)
604set_prop(system_server, device_config_activity_manager_native_boot_prop)
605set_prop(system_server, device_config_runtime_native_boot_prop)
606set_prop(system_server, device_config_runtime_native_prop)
607set_prop(system_server, device_config_media_native_prop)
608
609# BootReceiver to read ro.boot.bootreason
610get_prop(system_server, bootloader_boot_reason_prop)
611# PowerManager to read sys.boot.reason
612get_prop(system_server, system_boot_reason_prop)
613
614# Collect metrics on boot time created by init
615get_prop(system_server, boottime_prop)
616
617# Read device's serial number from system properties
618get_prop(system_server, serialno_prop)
619
620# Read/write the property which keeps track of whether this is the first start of system_server
621set_prop(system_server, firstboot_prop)
622
623# Audio service in system server can read exported audio properties,
624# such as camera shutter enforcement
625get_prop(system_server, exported_audio_prop)
626
627# system server reads this property to keep track of whether server configurable flags have been
628# reset during current boot.
629get_prop(system_server, device_config_reset_performed_prop)
630
631# Read/write the property that enables Test Harness Mode
632set_prop(system_server, test_harness_prop)
633
634# Read gsid.image_running.
635get_prop(system_server, gsid_prop)
636
637# Create a socket for connections from debuggerd.
638allow system_server system_ndebug_socket:sock_file create_file_perms;
639
640# Manage cache files.
641allow system_server cache_file:lnk_file r_file_perms;
642allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
643allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
644allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
645
646allow system_server system_file:dir r_dir_perms;
647allow system_server system_file:lnk_file r_file_perms;
648
649# ART locks profile files.
650allow system_server system_file:file lock;
651
652# LocationManager(e.g, GPS) needs to read and write
653# to uart driver and ctrl proc entry
654allow system_server gps_control:file rw_file_perms;
655
656# Allow system_server to use app-created sockets and pipes.
657allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
658allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
659
660# BackupManagerService needs to manipulate backup data files
661allow system_server cache_backup_file:dir rw_dir_perms;
662allow system_server cache_backup_file:file create_file_perms;
663# LocalTransport works inside /cache/backup
664allow system_server cache_private_backup_file:dir create_dir_perms;
665allow system_server cache_private_backup_file:file create_file_perms;
666
667# Allow system to talk to usb device
668allow system_server usb_device:chr_file rw_file_perms;
669allow system_server usb_device:dir r_dir_perms;
670
671# Read from HW RNG (needed by EntropyMixer).
672allow system_server hw_random_device:chr_file r_file_perms;
673
674# Read and delete files under /dev/fscklogs.
675r_dir_file(system_server, fscklogs)
676allow system_server fscklogs:dir { write remove_name };
677allow system_server fscklogs:file unlink;
678
679# logd access, system_server inherit logd write socket
680# (urge is to deprecate this long term)
681allow system_server zygote:unix_dgram_socket write;
682
683# Read from log daemon.
684read_logd(system_server)
685read_runtime_log_tags(system_server)
686
687# Be consistent with DAC permissions. Allow system_server to write to
688# /sys/module/lowmemorykiller/parameters/adj
689# /sys/module/lowmemorykiller/parameters/minfree
690allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
691
692# Read /sys/fs/pstore/console-ramoops
693# Don't worry about overly broad permissions for now, as there's
694# only one file in /sys/fs/pstore
695allow system_server pstorefs:dir r_dir_perms;
696allow system_server pstorefs:file r_file_perms;
697
698# /sys access
699allow system_server sysfs_zram:dir search;
700allow system_server sysfs_zram:file rw_file_perms;
701
702add_service(system_server, system_server_service);
703allow system_server audioserver_service:service_manager find;
704allow system_server batteryproperties_service:service_manager find;
705allow system_server cameraserver_service:service_manager find;
706allow system_server dnsresolver_service:service_manager find;
707allow system_server drmserver_service:service_manager find;
708allow system_server dumpstate_service:service_manager find;
709allow system_server fingerprintd_service:service_manager find;
710allow system_server gatekeeper_service:service_manager find;
711allow system_server gpu_service:service_manager find;
712allow system_server gsi_service:service_manager find;
713allow system_server hal_fingerprint_service:service_manager find;
714allow system_server idmap_service:service_manager find;
715allow system_server incident_service:service_manager find;
716allow system_server installd_service:service_manager find;
717allow system_server iorapd_service:service_manager find;
718allow system_server keystore_service:service_manager find;
719allow system_server mediaserver_service:service_manager find;
720allow system_server mediametrics_service:service_manager find;
721allow system_server mediaextractor_service:service_manager find;
722allow system_server mediacodec_service:service_manager find;
723allow system_server mediadrmserver_service:service_manager find;
724allow system_server netd_service:service_manager find;
725allow system_server nfc_service:service_manager find;
726allow system_server radio_service:service_manager find;
727allow system_server stats_service:service_manager find;
728allow system_server storaged_service:service_manager find;
729allow system_server surfaceflinger_service:service_manager find;
730allow system_server update_engine_service:service_manager find;
731allow system_server vold_service:service_manager find;
732allow system_server wificond_service:service_manager find;
733userdebug_or_eng(`
734  allow system_server perfprofd_service:service_manager find;
735')
736
737add_service(system_server, batteryproperties_service)
738
739allow system_server keystore:keystore_key {
740	get_state
741	get
742	insert
743	delete
744	exist
745	list
746	reset
747	password
748	lock
749	unlock
750	is_empty
751	sign
752	verify
753	grant
754	duplicate
755	clear_uid
756	add_auth
757	user_changed
758};
759
760# Allow system server to search and write to the persistent factory reset
761# protection partition. This block device does not get wiped in a factory reset.
762allow system_server block_device:dir search;
763allow system_server frp_block_device:blk_file rw_file_perms;
764allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
765
766# Clean up old cgroups
767allow system_server cgroup:dir { remove_name rmdir };
768
769# /oem access
770r_dir_file(system_server, oemfs)
771
772# Allow resolving per-user storage symlinks
773allow system_server { mnt_user_file storage_file }:dir { getattr search };
774allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
775
776# Allow statfs() on storage devices, which happens fast enough that
777# we shouldn't be killed during unsafe removal
778allow system_server sdcard_type:dir { getattr search };
779
780# Traverse into expanded storage
781allow system_server mnt_expand_file:dir r_dir_perms;
782
783# Allow system process to relabel the fingerprint directory after mkdir
784# and delete the directory and files when no longer needed
785allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
786allow system_server fingerprintd_data_file:file { getattr unlink };
787
788# Allow system process to read network MAC address
789allow system_server sysfs_mac_address:file r_file_perms;
790
791userdebug_or_eng(`
792  # Allow system server to create and write method traces in /data/misc/trace.
793  allow system_server method_trace_data_file:dir w_dir_perms;
794  allow system_server method_trace_data_file:file { create w_file_perms };
795
796  # Allow system server to read dmesg
797  allow system_server kernel:system syslog_read;
798
799  # Allow writing and removing window traces in /data/misc/wmtrace.
800  allow system_server wm_trace_data_file:dir rw_dir_perms;
801  allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
802')
803
804# For AppFuse.
805allow system_server vold:fd use;
806allow system_server fuse_device:chr_file { read write ioctl getattr };
807allow system_server app_fuse_file:file { read write getattr };
808
809# For configuring sdcardfs
810allow system_server configfs:dir { create_dir_perms };
811allow system_server configfs:file { getattr open create unlink write };
812
813# Connect to adbd and use a socket transferred from it.
814# Used for e.g. jdwp.
815allow system_server adbd:unix_stream_socket connectto;
816allow system_server adbd:fd use;
817allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
818
819# Allow invoking tools like "timeout"
820allow system_server toolbox_exec:file rx_file_perms;
821
822# Allow system process to setup and measure fs-verity
823allowxperm system_server apk_data_file:file ioctl {
824  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
825};
826
827# Postinstall
828#
829# For OTA dexopt, allow calls coming from postinstall.
830binder_call(system_server, postinstall)
831
832allow system_server postinstall:fifo_file write;
833allow system_server update_engine:fd use;
834allow system_server update_engine:fifo_file write;
835
836# Access to /data/preloads
837allow system_server preloads_data_file:file { r_file_perms unlink };
838allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
839allow system_server preloads_media_file:file { r_file_perms unlink };
840allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
841
842r_dir_file(system_server, cgroup)
843allow system_server ion_device:chr_file r_file_perms;
844
845r_dir_file(system_server, proc_asound)
846r_dir_file(system_server, proc_net_type)
847r_dir_file(system_server, proc_qtaguid_stat)
848allow system_server {
849  proc_loadavg
850  proc_meminfo
851  proc_pagetypeinfo
852  proc_pipe_conf
853  proc_stat
854  proc_uid_cputime_showstat
855  proc_uid_io_stats
856  proc_uid_time_in_state
857  proc_uid_concurrent_active_time
858  proc_uid_concurrent_policy_time
859  proc_version
860  proc_vmallocinfo
861}:file r_file_perms;
862
863allow system_server proc_uid_time_in_state:dir r_dir_perms;
864allow system_server proc_uid_cpupower:file r_file_perms;
865
866r_dir_file(system_server, rootfs)
867
868# Allow WifiService to start, stop, and read wifi-specific trace events.
869allow system_server debugfs_tracing_instances:dir search;
870allow system_server debugfs_wifi_tracing:dir search;
871allow system_server debugfs_wifi_tracing:file rw_file_perms;
872
873# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
874# asanwrapper.
875with_asan(`
876  allow system_server shell_exec:file rx_file_perms;
877  allow system_server asanwrapper_exec:file rx_file_perms;
878  allow system_server zygote_exec:file rx_file_perms;
879')
880
881# allow system_server to read the eBPF maps that stores the traffic stats information and update
882# the map after snapshot is recorded
883allow system_server fs_bpf:dir search;
884allow system_server fs_bpf:file { read write };
885allow system_server bpfloader:bpf { map_read map_write };
886
887# ART Profiles.
888# Allow system_server to open profile snapshots for read.
889# System server never reads the actual content. It passes the descriptor to
890# to privileged apps which acquire the permissions to inspect the profiles.
891allow system_server user_profile_data_file:dir { getattr search };
892allow system_server user_profile_data_file:file { getattr open read };
893
894# System server may dump profile data for debuggable apps in the /data/misc/profman.
895# As such it needs to be able create files but it should never read from them.
896allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
897allow system_server profman_dump_data_file:dir w_dir_perms;
898
899# On userdebug build we may profile system server. Allow it to write and create its own profile.
900userdebug_or_eng(`
901  allow system_server user_profile_data_file:file create_file_perms;
902')
903
904# UsbDeviceManager uses /dev/usb-ffs
905allow system_server functionfs:dir search;
906allow system_server functionfs:file rw_file_perms;
907
908# system_server contains time / time zone detection logic so reads the associated properties.
909get_prop(system_server, time_prop)
910
911###
912### Neverallow rules
913###
914### system_server should NEVER do any of this
915
916# Do not allow opening files from external storage as unsafe ejection
917# could cause the kernel to kill the system_server.
918neverallow system_server sdcard_type:dir { open read write };
919neverallow system_server sdcard_type:file rw_file_perms;
920
921# system server should never be operating on zygote spawned app data
922# files directly. Rather, they should always be passed via a
923# file descriptor.
924# Types extracted from seapp_contexts type= fields, excluding
925# those types that system_server needs to open directly.
926neverallow system_server {
927  bluetooth_data_file
928  nfc_data_file
929  shell_data_file
930  app_data_file
931  privapp_data_file
932}:file { open create unlink link };
933
934# Forking and execing is inherently dangerous and racy. See, for
935# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
936# Prevent the addition of new file execs to stop the problem from
937# getting worse. b/28035297
938neverallow system_server {
939  file_type
940  -toolbox_exec
941  -logcat_exec
942  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
943}:file execute_no_trans;
944
945# Ensure that system_server doesn't perform any domain transitions other than
946# transitioning to the crash_dump domain when a crash occurs.
947neverallow system_server { domain -crash_dump }:process transition;
948neverallow system_server *:process dyntransition;
949
950# Only allow crash_dump to connect to system_ndebug_socket.
951neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
952
953# Only allow init, system_server, flags_health_check to set properties for server configurable flags
954neverallow {
955  domain
956  -init
957  -system_server
958  -flags_health_check
959} {
960  device_config_activity_manager_native_boot_prop
961  device_config_input_native_boot_prop
962  device_config_netd_native_prop
963  device_config_runtime_native_boot_prop
964  device_config_runtime_native_prop
965  device_config_media_native_prop
966}:property_service set;
967
968# system_server should never be executing dex2oat. This is either
969# a bug (for example, bug 16317188), or represents an attempt by
970# system server to dynamically load a dex file, something we do not
971# want to allow.
972neverallow system_server dex2oat_exec:file no_x_file_perms;
973
974# system_server should never execute or load executable shared libraries
975# in /data. Executable files in /data are a persistence vector.
976# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
977neverallow system_server data_file_type:file no_x_file_perms;
978
979# The only block device system_server should be accessing is
980# the frp_block_device. This helps avoid a system_server to root
981# escalation by writing to raw block devices.
982neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
983
984# system_server should never use JIT functionality
985# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
986# in the section titled "A Short ROP Chain" for why.
987neverallow system_server self:process execmem;
988neverallow system_server ashmem_device:chr_file execute;
989
990# TODO: deal with tmpfs_domain pub/priv split properly
991neverallow system_server system_server_tmpfs:file execute;
992
993# Resources handed off by system_server_startup
994allow system_server system_server_startup:fd use;
995allow system_server system_server_startup_tmpfs:file { read write map };
996allow system_server system_server_startup:unix_dgram_socket write;
997
998# Allow system server to communicate to apexd
999allow system_server apex_service:service_manager find;
1000allow system_server apexd:binder call;
1001
1002# Allow system server to communicate to system-suspend's control interface
1003allow system_server system_suspend_control_service:service_manager find;
1004binder_call(system_server, system_suspend)
1005binder_call(system_suspend, system_server)
1006
1007# Allow system server to communicate to system-suspend's wakelock interface
1008wakelock_use(system_server)
1009
1010# Allow the system server to read files under /data/apex. The system_server
1011# needs these privileges to compare file signatures while processing installs.
1012#
1013# Only apexd is allowed to create new entries or write to any file under /data/apex.
1014allow system_server apex_data_file:dir { getattr search };
1015allow system_server apex_data_file:file r_file_perms;
1016
1017# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
1018# communicate which slots are available for use.
1019allow system_server metadata_file:dir search;
1020allow system_server password_slot_metadata_file:dir rw_dir_perms;
1021allow system_server password_slot_metadata_file:file create_file_perms;
1022
1023# Read/Write /proc/pressure/memory
1024allow system_server proc_pressure_mem:file rw_file_perms;
1025
1026# dexoptanalyzer is currently used only for secondary dex files which
1027# system_server should never access.
1028neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
1029
1030# No ptracing others
1031neverallow system_server { domain -system_server }:process ptrace;
1032
1033# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
1034# file read access. However, that is now unnecessary (b/34951864)
1035neverallow system_server system_server:global_capability_class_set sys_resource;
1036
1037# Only system_server/init should access /metadata/password_slots.
1038neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
1039neverallow {
1040  domain
1041  -init
1042  -system_server
1043} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
1044neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
1045