1 /* 2 * Copyright (C) 2007 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /* 18 * This file is consumed by build/tools/fs_config and is used 19 * for generating various files. Anything #define AID_<name> 20 * becomes the mapping for getpwnam/getpwuid, etc. The <name> 21 * field is lowercased. 22 * For example: 23 * #define AID_FOO_BAR 6666 becomes a friendly name of "foo_bar" 24 * 25 * The above holds true with the exception of: 26 * mediacodec 27 * mediaex 28 * mediadrm 29 * Whose friendly names do not match the #define statements. 30 * 31 * This file must only be used for platform (Google managed, and submitted through AOSP), AIDs. 3rd 32 * party AIDs must be added via config.fs, which will place them in the corresponding partition's 33 * passwd and group files. There are ranges in this file reserved for AIDs for each 3rd party 34 * partition, from which the system reads passwd and group files. 35 */ 36 37 #ifndef _ANDROID_FILESYSTEM_CONFIG_H_ 38 #define _ANDROID_FILESYSTEM_CONFIG_H_ 39 40 #include <sys/types.h> 41 42 #if !defined(__ANDROID_VNDK__) && !defined(EXCLUDE_FS_CONFIG_STRUCTURES) 43 #include <private/fs_config.h> 44 #endif 45 46 /* This is the master Users and Groups config for the platform. 47 * DO NOT EVER RENUMBER 48 */ 49 50 #define AID_ROOT 0 /* traditional unix root user */ 51 /* The following are for LTP and should only be used for testing */ 52 #define AID_DAEMON 1 /* traditional unix daemon owner */ 53 #define AID_BIN 2 /* traditional unix binaries owner */ 54 55 #define AID_SYSTEM 1000 /* system server */ 56 57 #define AID_RADIO 1001 /* telephony subsystem, RIL */ 58 #define AID_BLUETOOTH 1002 /* bluetooth subsystem */ 59 #define AID_GRAPHICS 1003 /* graphics devices */ 60 #define AID_INPUT 1004 /* input devices */ 61 #define AID_AUDIO 1005 /* audio devices */ 62 #define AID_CAMERA 1006 /* camera devices */ 63 #define AID_LOG 1007 /* log devices */ 64 #define AID_COMPASS 1008 /* compass device */ 65 #define AID_MOUNT 1009 /* mountd socket */ 66 #define AID_WIFI 1010 /* wifi subsystem */ 67 #define AID_ADB 1011 /* android debug bridge (adbd) */ 68 #define AID_INSTALL 1012 /* group for installing packages */ 69 #define AID_MEDIA 1013 /* mediaserver process */ 70 #define AID_DHCP 1014 /* dhcp client */ 71 #define AID_SDCARD_RW 1015 /* external storage write access */ 72 #define AID_VPN 1016 /* vpn system */ 73 #define AID_KEYSTORE 1017 /* keystore subsystem */ 74 #define AID_USB 1018 /* USB devices */ 75 #define AID_DRM 1019 /* DRM server */ 76 #define AID_MDNSR 1020 /* MulticastDNSResponder (service discovery) */ 77 #define AID_GPS 1021 /* GPS daemon */ 78 #define AID_UNUSED1 1022 /* deprecated, DO NOT USE */ 79 #define AID_MEDIA_RW 1023 /* internal media storage write access */ 80 #define AID_MTP 1024 /* MTP USB driver access */ 81 #define AID_UNUSED2 1025 /* deprecated, DO NOT USE */ 82 #define AID_DRMRPC 1026 /* group for drm rpc */ 83 #define AID_NFC 1027 /* nfc subsystem */ 84 #define AID_SDCARD_R 1028 /* external storage read access */ 85 #define AID_CLAT 1029 /* clat part of nat464 */ 86 #define AID_LOOP_RADIO 1030 /* loop radio devices */ 87 #define AID_MEDIA_DRM 1031 /* MediaDrm plugins */ 88 #define AID_PACKAGE_INFO 1032 /* access to installed package details */ 89 #define AID_SDCARD_PICS 1033 /* external storage photos access */ 90 #define AID_SDCARD_AV 1034 /* external storage audio/video access */ 91 #define AID_SDCARD_ALL 1035 /* access all users external storage */ 92 #define AID_LOGD 1036 /* log daemon */ 93 #define AID_SHARED_RELRO 1037 /* creator of shared GNU RELRO files */ 94 #define AID_DBUS 1038 /* dbus-daemon IPC broker process */ 95 #define AID_TLSDATE 1039 /* tlsdate unprivileged user */ 96 #define AID_MEDIA_EX 1040 /* mediaextractor process */ 97 #define AID_AUDIOSERVER 1041 /* audioserver process */ 98 #define AID_METRICS_COLL 1042 /* metrics_collector process */ 99 #define AID_METRICSD 1043 /* metricsd process */ 100 #define AID_WEBSERV 1044 /* webservd process */ 101 #define AID_DEBUGGERD 1045 /* debuggerd unprivileged user */ 102 #define AID_MEDIA_CODEC 1046 /* mediacodec process */ 103 #define AID_CAMERASERVER 1047 /* cameraserver process */ 104 #define AID_FIREWALL 1048 /* firewalld process */ 105 #define AID_TRUNKS 1049 /* trunksd process (TPM daemon) */ 106 #define AID_NVRAM 1050 /* Access-controlled NVRAM */ 107 #define AID_DNS 1051 /* DNS resolution daemon (system: netd) */ 108 #define AID_DNS_TETHER 1052 /* DNS resolution daemon (tether: dnsmasq) */ 109 #define AID_WEBVIEW_ZYGOTE 1053 /* WebView zygote process */ 110 #define AID_VEHICLE_NETWORK 1054 /* Vehicle network service */ 111 #define AID_MEDIA_AUDIO 1055 /* GID for audio files on internal media storage */ 112 #define AID_MEDIA_VIDEO 1056 /* GID for video files on internal media storage */ 113 #define AID_MEDIA_IMAGE 1057 /* GID for image files on internal media storage */ 114 #define AID_TOMBSTONED 1058 /* tombstoned user */ 115 #define AID_MEDIA_OBB 1059 /* GID for OBB files on internal media storage */ 116 #define AID_ESE 1060 /* embedded secure element (eSE) subsystem */ 117 #define AID_OTA_UPDATE 1061 /* resource tracking UID for OTA updates */ 118 #define AID_AUTOMOTIVE_EVS 1062 /* Automotive rear and surround view system */ 119 #define AID_LOWPAN 1063 /* LoWPAN subsystem */ 120 #define AID_HSM 1064 /* hardware security module subsystem */ 121 #define AID_RESERVED_DISK 1065 /* GID that has access to reserved disk space */ 122 #define AID_STATSD 1066 /* statsd daemon */ 123 #define AID_INCIDENTD 1067 /* incidentd daemon */ 124 #define AID_SECURE_ELEMENT 1068 /* secure element subsystem */ 125 #define AID_LMKD 1069 /* low memory killer daemon */ 126 #define AID_LLKD 1070 /* live lock daemon */ 127 #define AID_IORAPD 1071 /* input/output readahead and pin daemon */ 128 #define AID_GPU_SERVICE 1072 /* GPU service daemon */ 129 #define AID_NETWORK_STACK 1073 /* network stack service */ 130 #define AID_GSID 1074 /* GSI service daemon */ 131 #define AID_FSVERITY_CERT 1075 /* fs-verity key ownership in keystore */ 132 #define AID_CREDSTORE 1076 /* identity credential manager service */ 133 #define AID_EXTERNAL_STORAGE 1077 /* Full external storage access including USB OTG volumes */ 134 #define AID_EXT_DATA_RW 1078 /* GID for app-private data directories on external storage */ 135 #define AID_EXT_OBB_RW 1079 /* GID for OBB directories on external storage */ 136 #define AID_CONTEXT_HUB 1080 /* GID for access to the Context Hub */ 137 /* Changes to this file must be made in AOSP, *not* in internal branches. */ 138 139 #define AID_SHELL 2000 /* adb and debug shell user */ 140 #define AID_CACHE 2001 /* cache access */ 141 #define AID_DIAG 2002 /* access to diagnostic resources */ 142 143 /* The range 2900-2999 is reserved for the vendor partition */ 144 /* Note that the two 'OEM' ranges pre-dated the vendor partition, so they take the legacy 'OEM' 145 * name. Additionally, they pre-dated passwd/group files, so there are users and groups named oem_# 146 * created automatically for all values in these ranges. If there is a user/group in a passwd/group 147 * file corresponding to this range, both the oem_# and user/group names will resolve to the same 148 * value. */ 149 #define AID_OEM_RESERVED_START 2900 150 #define AID_OEM_RESERVED_END 2999 151 152 /* The 3000 series are intended for use as supplemental group id's only. 153 * They indicate special Android capabilities that the kernel is aware of. */ 154 #define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */ 155 #define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */ 156 #define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */ 157 #define AID_NET_RAW 3004 /* can create raw INET sockets */ 158 #define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */ 159 #define AID_NET_BW_STATS 3006 /* read bandwidth statistics */ 160 #define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */ 161 #define AID_READPROC 3009 /* Allow /proc read access */ 162 #define AID_WAKELOCK 3010 /* Allow system wakelock read/write access */ 163 #define AID_UHID 3011 /* Allow read/write to /dev/uhid node */ 164 165 /* The range 5000-5999 is also reserved for vendor partition. */ 166 #define AID_OEM_RESERVED_2_START 5000 167 #define AID_OEM_RESERVED_2_END 5999 168 169 /* The range 6000-6499 is reserved for the system partition. */ 170 #define AID_SYSTEM_RESERVED_START 6000 171 #define AID_SYSTEM_RESERVED_END 6499 172 173 /* The range 6500-6999 is reserved for the odm partition. */ 174 #define AID_ODM_RESERVED_START 6500 175 #define AID_ODM_RESERVED_END 6999 176 177 /* The range 7000-7499 is reserved for the product partition. */ 178 #define AID_PRODUCT_RESERVED_START 7000 179 #define AID_PRODUCT_RESERVED_END 7499 180 181 /* The range 7500-7999 is reserved for the system_ext partition. */ 182 #define AID_SYSTEM_EXT_RESERVED_START 7500 183 #define AID_SYSTEM_EXT_RESERVED_END 7999 184 185 #define AID_EVERYBODY 9997 /* shared between all apps in the same profile */ 186 #define AID_MISC 9998 /* access to misc storage */ 187 #define AID_NOBODY 9999 188 189 #define AID_APP 10000 /* TODO: switch users over to AID_APP_START */ 190 #define AID_APP_START 10000 /* first app user */ 191 #define AID_APP_END 19999 /* last app user */ 192 193 #define AID_CACHE_GID_START 20000 /* start of gids for apps to mark cached data */ 194 #define AID_CACHE_GID_END 29999 /* end of gids for apps to mark cached data */ 195 196 #define AID_EXT_GID_START 30000 /* start of gids for apps to mark external data */ 197 #define AID_EXT_GID_END 39999 /* end of gids for apps to mark external data */ 198 199 #define AID_EXT_CACHE_GID_START 40000 /* start of gids for apps to mark external cached data */ 200 #define AID_EXT_CACHE_GID_END 49999 /* end of gids for apps to mark external cached data */ 201 202 #define AID_SHARED_GID_START 50000 /* start of gids for apps in each user to share */ 203 #define AID_SHARED_GID_END 59999 /* end of gids for apps in each user to share */ 204 205 /* 206 * This is a magic number in the kernel and not something that was picked 207 * arbitrarily. This value is returned whenever a uid that has no mapping in the 208 * user namespace is returned to userspace: 209 * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/highuid.h?h=v4.4#n40 210 */ 211 #define AID_OVERFLOWUID 65534 /* unmapped user in the user namespace */ 212 213 /* use the ranges below to determine whether a process is isolated */ 214 #define AID_ISOLATED_START 90000 /* start of uids for fully isolated sandboxed processes */ 215 #define AID_ISOLATED_END 99999 /* end of uids for fully isolated sandboxed processes */ 216 217 #define AID_USER 100000 /* TODO: switch users over to AID_USER_OFFSET */ 218 #define AID_USER_OFFSET 100000 /* offset for uid ranges for each user */ 219 220 /* 221 * android_ids has moved to pwd/grp functionality. 222 * If you need to add one, the structure is now 223 * auto-generated based on the AID_ constraints 224 * documented at the top of this header file. 225 * Also see build/tools/fs_config for more details. 226 */ 227 228 #endif 229