1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5 6typeattribute system_server coredomain; 7typeattribute system_server mlstrustedsubject; 8typeattribute system_server scheduler_service_server; 9typeattribute system_server sensor_service_server; 10typeattribute system_server stats_service_server; 11 12# Define a type for tmpfs-backed ashmem regions. 13tmpfs_domain(system_server) 14 15# Create a socket for connections from crash_dump. 16type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 17 18# Create a socket for connections from zygotes. 19type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; 20 21allow system_server zygote_tmpfs:file read; 22allow system_server appdomain_tmpfs:file { getattr map read write }; 23 24# For Incremental Service to check if incfs is available 25allow system_server proc_filesystems:file r_file_perms; 26 27# To create files and get permission to fill blocks on Incremental File System 28allow system_server incremental_control_file:file { ioctl r_file_perms }; 29allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL }; 30 31# To get signature of an APK installed on Incremental File System and fill in data blocks 32allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS }; 33 34# For art. 35allow system_server dalvikcache_data_file:dir r_dir_perms; 36allow system_server dalvikcache_data_file:file r_file_perms; 37 38# When running system server under --invoke-with, we'll try to load the boot image under the 39# system server domain, following links to the system partition. 
40with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') 41 42# /data/resource-cache 43allow system_server resourcecache_data_file:file r_file_perms; 44allow system_server resourcecache_data_file:dir r_dir_perms; 45 46# ptrace to processes in the same domain for debugging crashes. 47allow system_server self:process ptrace; 48 49# Child of the zygote. 50allow system_server zygote:fd use; 51allow system_server zygote:process sigchld; 52 53# May kill zygote on crashes. 54allow system_server { 55 app_zygote 56 crash_dump 57 webview_zygote 58 zygote 59}:process { sigkill signull }; 60 61# Read /system/bin/app_process. 62allow system_server zygote_exec:file r_file_perms; 63 64# Needed to close the zygote socket, which involves getopt / getattr 65allow system_server zygote:unix_stream_socket { getopt getattr }; 66 67# system server gets network and bluetooth permissions. 68net_domain(system_server) 69# In addition to the ioctls whitelisted for all domains, also allow system_server 70# to use privileged ioctl commands. Needed to set up VPNs. 71allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 72bluetooth_domain(system_server) 73 74# Allow setup of tcp keepalive offload. This gives system_server the permission to 75# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to 76# be granted individually, except for a small set of safe values whitelisted in 77# public/domain.te. 78allow system_server appdomain:tcp_socket ioctl; 79 80# These are the capabilities assigned by the zygote to the 81# system server. 82allow system_server self:global_capability_class_set { 83 ipc_lock 84 kill 85 net_admin 86 net_bind_service 87 net_broadcast 88 net_raw 89 sys_boot 90 sys_nice 91 sys_ptrace 92 sys_time 93 sys_tty_config 94}; 95 96# Trigger module auto-load. 
97allow system_server kernel:system module_request; 98 99# Allow alarmtimers to be set 100allow system_server self:global_capability2_class_set wake_alarm; 101 102# Create and share netlink_netfilter_sockets for tetheroffload. 103allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; 104 105# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps. 106allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read }; 107 108# Use netlink uevent sockets. 109allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 110 111# Use generic netlink sockets. 112allow system_server self:netlink_socket create_socket_perms_no_ioctl; 113allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 114 115# libvintf reads the kernel config to verify vendor interface compatibility. 116allow system_server config_gz:file { read open }; 117 118# Use generic "sockets" where the address family is not known 119# to the kernel. The ioctl permission is specifically omitted here, but may 120# be added to device specific policy along with the ioctl commands to be 121# whitelisted. 122allow system_server self:socket create_socket_perms_no_ioctl; 123 124# Set and get routes directly via netlink. 125allow system_server self:netlink_route_socket nlmsg_write; 126 127# Kill apps. 128allow system_server appdomain:process { getpgid sigkill signal }; 129# signull allowed for kill(pid, 0) existence test. 130allow system_server appdomain:process { signull }; 131 132# Set scheduling info for apps. 
133allow system_server appdomain:process { getsched setsched }; 134allow system_server audioserver:process { getsched setsched }; 135allow system_server hal_audio:process { getsched setsched }; 136allow system_server hal_bluetooth:process { getsched setsched }; 137allow system_server hal_codec2_server:process { getsched setsched }; 138allow system_server hal_omx_server:process { getsched setsched }; 139allow system_server mediaswcodec:process { getsched setsched }; 140allow system_server cameraserver:process { getsched setsched }; 141allow system_server hal_camera:process { getsched setsched }; 142allow system_server mediaserver:process { getsched setsched }; 143allow system_server bootanim:process { getsched setsched }; 144 145# Set scheduling info for psi monitor thread. 146# TODO: delete this line b/131761776 147allow system_server kernel:process { getsched setsched }; 148 149# Allow system_server to write to /proc/<pid>/* 150allow system_server domain:file w_file_perms; 151 152# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 153# within system_server to keep track of memory and CPU usage for 154# all processes on the device. In addition, /proc/pid files access is needed 155# for dumping stack traces of native processes. 156r_dir_file(system_server, domain) 157 158# Write /proc/uid_cputime/remove_uid_range. 159allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 160 161# Write /proc/uid_procstat/set. 162allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 163 164# Write to /proc/sysrq-trigger. 165allow system_server proc_sysrq:file rw_file_perms; 166 167# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories. 168allow system_server stats_data_file:dir { open read remove_name search write }; 169allow system_server stats_data_file:file unlink; 170 171# Read /sys/kernel/debug/wakeup_sources. 
172allow system_server debugfs_wakeup_sources:file r_file_perms; 173 174# Read /sys/kernel/ion/*. 175allow system_server sysfs_ion:file r_file_perms; 176 177# The DhcpClient and WifiWatchdog use packet_sockets 178allow system_server self:packet_socket create_socket_perms_no_ioctl; 179 180# 3rd party VPN clients require a tun_socket to be created 181allow system_server self:tun_socket create_socket_perms_no_ioctl; 182 183# Talk to init and various daemons via sockets. 184unix_socket_connect(system_server, lmkd, lmkd) 185unix_socket_connect(system_server, mtpd, mtp) 186unix_socket_connect(system_server, zygote, zygote) 187unix_socket_connect(system_server, racoon, racoon) 188unix_socket_connect(system_server, uncrypt, uncrypt) 189 190# Allow system_server to write to statsd. 191unix_socket_send(system_server, statsdw, statsd) 192 193# Communicate over a socket created by surfaceflinger. 194allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 195 196allow system_server gpuservice:unix_stream_socket { read write setopt }; 197 198# Communicate over a socket created by webview_zygote. 199allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 200 201# Communicate over a socket created by app_zygote. 202allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; 203 204# Perform Binder IPC. 
205binder_use(system_server) 206binder_call(system_server, appdomain) 207binder_call(system_server, binderservicedomain) 208binder_call(system_server, dumpstate) 209binder_call(system_server, fingerprintd) 210binder_call(system_server, gatekeeperd) 211binder_call(system_server, gpuservice) 212binder_call(system_server, idmap) 213binder_call(system_server, installd) 214binder_call(system_server, incidentd) 215binder_call(system_server, iorapd) 216binder_call(system_server, netd) 217binder_call(system_server, notify_traceur) 218binder_call(system_server, statsd) 219binder_call(system_server, storaged) 220binder_call(system_server, update_engine) 221binder_call(system_server, vold) 222binder_call(system_server, wificond) 223binder_call(system_server, wpantund) 224binder_service(system_server) 225 226# Use HALs 227hal_client_domain(system_server, hal_allocator) 228hal_client_domain(system_server, hal_audio) 229hal_client_domain(system_server, hal_authsecret) 230hal_client_domain(system_server, hal_broadcastradio) 231hal_client_domain(system_server, hal_codec2) 232hal_client_domain(system_server, hal_configstore) 233hal_client_domain(system_server, hal_contexthub) 234hal_client_domain(system_server, hal_face) 235hal_client_domain(system_server, hal_fingerprint) 236hal_client_domain(system_server, hal_gnss) 237hal_client_domain(system_server, hal_graphics_allocator) 238hal_client_domain(system_server, hal_health) 239hal_client_domain(system_server, hal_input_classifier) 240hal_client_domain(system_server, hal_ir) 241hal_client_domain(system_server, hal_light) 242hal_client_domain(system_server, hal_memtrack) 243hal_client_domain(system_server, hal_neuralnetworks) 244hal_client_domain(system_server, hal_oemlock) 245hal_client_domain(system_server, hal_omx) 246hal_client_domain(system_server, hal_power) 247hal_client_domain(system_server, hal_power_stats) 248hal_client_domain(system_server, hal_rebootescrow) 249hal_client_domain(system_server, hal_sensors) 
250hal_client_domain(system_server, hal_tetheroffload) 251hal_client_domain(system_server, hal_thermal) 252hal_client_domain(system_server, hal_tv_cec) 253hal_client_domain(system_server, hal_tv_input) 254hal_client_domain(system_server, hal_usb) 255hal_client_domain(system_server, hal_usb_gadget) 256hal_client_domain(system_server, hal_vibrator) 257hal_client_domain(system_server, hal_vr) 258hal_client_domain(system_server, hal_weaver) 259hal_client_domain(system_server, hal_wifi) 260hal_client_domain(system_server, hal_wifi_hostapd) 261hal_client_domain(system_server, hal_wifi_supplicant) 262 263# Talk with graphics composer fences 264allow system_server hal_graphics_composer:fd use; 265 266# Use RenderScript always-passthrough HAL 267allow system_server hal_renderscript_hwservice:hwservice_manager find; 268allow system_server same_process_hal_file:file { execute read open getattr map }; 269 270# Talk to tombstoned to get ANR traces. 271unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 272 273# List HAL interfaces to get ANR traces. 274allow system_server hwservicemanager:hwservice_manager list; 275 276# Send signals to trigger ANR traces. 277allow system_server { 278 # This is derived from the list that system server defines as interesting native processes 279 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 280 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 281 audioserver 282 cameraserver 283 drmserver 284 gpuservice 285 inputflinger 286 mediadrmserver 287 mediaextractor 288 mediametrics 289 mediaserver 290 mediaswcodec 291 netd 292 sdcardd 293 statsd 294 surfaceflinger 295 vold 296 297 # This list comes from HAL_INTERFACES_OF_INTEREST in 298 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 
299 hal_audio_server 300 hal_bluetooth_server 301 hal_camera_server 302 hal_codec2_server 303 hal_face_server 304 hal_fingerprint_server 305 hal_gnss_server 306 hal_graphics_allocator_server 307 hal_graphics_composer_server 308 hal_health_server 309 hal_neuralnetworks_server 310 hal_omx_server 311 hal_power_stats_server 312 hal_sensors_server 313 hal_vr_server 314 system_suspend_server 315}:process { signal }; 316 317# Use sockets received over binder from various services. 318allow system_server audioserver:tcp_socket rw_socket_perms; 319allow system_server audioserver:udp_socket rw_socket_perms; 320allow system_server mediaserver:tcp_socket rw_socket_perms; 321allow system_server mediaserver:udp_socket rw_socket_perms; 322 323# Use sockets received over binder from various services. 324allow system_server mediadrmserver:tcp_socket rw_socket_perms; 325allow system_server mediadrmserver:udp_socket rw_socket_perms; 326 327userdebug_or_eng(`perfetto_producer({ system_server })') 328 329# Get file context 330allow system_server file_contexts_file:file r_file_perms; 331# access for mac_permissions 332allow system_server mac_perms_file: file r_file_perms; 333# Check SELinux permissions. 
334selinux_check_access(system_server) 335 336allow system_server sysfs_type:dir search; 337 338r_dir_file(system_server, sysfs_android_usb) 339allow system_server sysfs_android_usb:file w_file_perms; 340 341allow system_server sysfs_extcon:dir r_dir_perms; 342 343r_dir_file(system_server, sysfs_ipv4) 344allow system_server sysfs_ipv4:file w_file_perms; 345 346r_dir_file(system_server, sysfs_rtc) 347r_dir_file(system_server, sysfs_switch) 348r_dir_file(system_server, sysfs_wakeup_reasons) 349 350allow system_server sysfs_nfc_power_writable:file rw_file_perms; 351allow system_server sysfs_power:dir search; 352allow system_server sysfs_power:file rw_file_perms; 353allow system_server sysfs_thermal:dir search; 354allow system_server sysfs_thermal:file r_file_perms; 355 356# TODO: Remove when HALs are forced into separate processes 357allow system_server sysfs_vibrator:file { write append }; 358 359# TODO: added to match above sysfs rule. Remove me? 360allow system_server sysfs_usb:file w_file_perms; 361 362# Access devices. 
363allow system_server device:dir r_dir_perms; 364allow system_server mdns_socket:sock_file rw_file_perms; 365allow system_server gpu_device:chr_file rw_file_perms; 366allow system_server input_device:dir r_dir_perms; 367allow system_server input_device:chr_file rw_file_perms; 368allow system_server tty_device:chr_file rw_file_perms; 369allow system_server usbaccessory_device:chr_file rw_file_perms; 370allow system_server video_device:dir r_dir_perms; 371allow system_server video_device:chr_file rw_file_perms; 372allow system_server adbd_socket:sock_file rw_file_perms; 373allow system_server rtc_device:chr_file rw_file_perms; 374allow system_server audio_device:dir r_dir_perms; 375 376# write access to ALSA interfaces (/dev/snd/*) needed for MIDI 377allow system_server audio_device:chr_file rw_file_perms; 378 379# tun device used for 3rd party vpn apps 380allow system_server tun_device:chr_file rw_file_perms; 381allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF }; 382 383# Manage data/ota_package 384allow system_server ota_package_file:dir rw_dir_perms; 385allow system_server ota_package_file:file create_file_perms; 386 387# Manage system data files. 388allow system_server system_data_file:dir create_dir_perms; 389allow system_server system_data_file:notdevfile_class_set create_file_perms; 390allow system_server packages_list_file:file create_file_perms; 391allow system_server keychain_data_file:dir create_dir_perms; 392allow system_server keychain_data_file:file create_file_perms; 393allow system_server keychain_data_file:lnk_file create_file_perms; 394 395# Manage /data/app. 
396allow system_server apk_data_file:dir create_dir_perms; 397allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; 398allow system_server apk_tmp_file:dir create_dir_perms; 399allow system_server apk_tmp_file:file create_file_perms; 400 401# Access input configuration files in the /vendor directory 402r_dir_file(system_server, vendor_keylayout_file) 403r_dir_file(system_server, vendor_keychars_file) 404r_dir_file(system_server, vendor_idc_file) 405 406# Access /vendor/{app,framework,overlay} 407r_dir_file(system_server, vendor_app_file) 408r_dir_file(system_server, vendor_framework_file) 409r_dir_file(system_server, vendor_overlay_file) 410 411# Manage /data/app-private. 412allow system_server apk_private_data_file:dir create_dir_perms; 413allow system_server apk_private_data_file:file create_file_perms; 414allow system_server apk_private_tmp_file:dir create_dir_perms; 415allow system_server apk_private_tmp_file:file create_file_perms; 416 417# Manage files within asec containers. 418allow system_server asec_apk_file:dir create_dir_perms; 419allow system_server asec_apk_file:file create_file_perms; 420allow system_server asec_public_file:file create_file_perms; 421 422# Manage /data/anr. 423# 424# TODO: Some of these permissions can be withdrawn once we've switched to the 425# new stack dumping mechanism, see b/32064548 and the rules below. In particular, 426# the system_server should never need to create a new anr_data_file:file or write 427# to one, but it will still need to read and append to existing files. 428allow system_server anr_data_file:dir create_dir_perms; 429allow system_server anr_data_file:file create_file_perms; 430 431# New stack dumping scheme : request an output FD from tombstoned via a unix 432# domain socket. 433# 434# Allow system_server to connect and write to the tombstoned java trace socket in 435# order to dump its traces. 
Also allow the system server to write its traces to 436# dumpstate during bugreport capture and incidentd during incident collection. 437unix_socket_connect(system_server, tombstoned_java_trace, tombstoned) 438allow system_server tombstoned:fd use; 439allow system_server dumpstate:fifo_file append; 440allow system_server incidentd:fifo_file append; 441# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`) 442userdebug_or_eng(` 443 allow system_server su:fifo_file append; 444') 445 446# Allow system_server to read pipes from incidentd (used to deliver incident reports 447# to dropbox) 448allow system_server incidentd:fifo_file read; 449 450# Read /data/misc/incidents - only read. The fd will be sent over binder, 451# with no DAC access to it, for dropbox to read. 452allow system_server incident_data_file:file read; 453 454# Manage /data/misc/prereboot. 455allow system_server prereboot_data_file:dir rw_dir_perms; 456allow system_server prereboot_data_file:file create_file_perms; 457 458# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over 459# binder. 460allow system_server perfetto_traces_data_file:file read; 461allow system_server perfetto:fd use; 462 463# Manage /data/backup. 464allow system_server backup_data_file:dir create_dir_perms; 465allow system_server backup_data_file:file create_file_perms; 466 467# Write to /data/system/dropbox 468allow system_server dropbox_data_file:dir create_dir_perms; 469allow system_server dropbox_data_file:file create_file_perms; 470 471# Write to /data/system/heapdump 472allow system_server heapdump_data_file:dir rw_dir_perms; 473allow system_server heapdump_data_file:file create_file_perms; 474 475# Manage /data/misc/adb. 
476allow system_server adb_keys_file:dir create_dir_perms; 477allow system_server adb_keys_file:file create_file_perms; 478 479# Manage /data/misc/emergencynumberdb 480allow system_server emergency_data_file:dir create_dir_perms; 481allow system_server emergency_data_file:file create_file_perms; 482 483# Manage /data/misc/network_watchlist 484allow system_server network_watchlist_data_file:dir create_dir_perms; 485allow system_server network_watchlist_data_file:file create_file_perms; 486 487# Manage /data/misc/sms. 488# TODO: Split into a separate type? 489allow system_server radio_data_file:dir create_dir_perms; 490allow system_server radio_data_file:file create_file_perms; 491 492# Manage /data/misc/systemkeys. 493allow system_server systemkeys_data_file:dir create_dir_perms; 494allow system_server systemkeys_data_file:file create_file_perms; 495 496# Manage /data/misc/textclassifier. 497allow system_server textclassifier_data_file:dir create_dir_perms; 498allow system_server textclassifier_data_file:file create_file_perms; 499 500# Access /data/tombstones. 501allow system_server tombstone_data_file:dir r_dir_perms; 502allow system_server tombstone_data_file:file r_file_perms; 503 504# Manage /data/misc/vpn. 505allow system_server vpn_data_file:dir create_dir_perms; 506allow system_server vpn_data_file:file create_file_perms; 507 508# Manage /data/misc/wifi. 509allow system_server wifi_data_file:dir create_dir_perms; 510allow system_server wifi_data_file:file create_file_perms; 511 512# Manage /data/misc/zoneinfo. 513allow system_server zoneinfo_data_file:dir create_dir_perms; 514allow system_server zoneinfo_data_file:file create_file_perms; 515 516# Manage /data/app-staging. 517allow system_server staging_data_file:dir create_dir_perms; 518allow system_server staging_data_file:file create_file_perms; 519 520# Walk /data/data subdirectories. 521# Types extracted from seapp_contexts type= fields. 
522allow system_server { 523 system_app_data_file 524 bluetooth_data_file 525 nfc_data_file 526 radio_data_file 527 shell_data_file 528 app_data_file 529 privapp_data_file 530}:dir { getattr read search }; 531 532# Also permit for unlabeled /data/data subdirectories and 533# for unlabeled asec containers on upgrades from 4.2. 534allow system_server unlabeled:dir r_dir_perms; 535# Read pkg.apk file before it has been relabeled by vold. 536allow system_server unlabeled:file r_file_perms; 537 538# Populate com.android.providers.settings/databases/settings.db. 539allow system_server system_app_data_file:dir create_dir_perms; 540allow system_server system_app_data_file:file create_file_perms; 541 542# Receive and use open app data files passed over binder IPC. 543# Types extracted from seapp_contexts type= fields. 544allow system_server { 545 system_app_data_file 546 bluetooth_data_file 547 nfc_data_file 548 radio_data_file 549 shell_data_file 550 app_data_file 551 privapp_data_file 552}:file { getattr read write append map }; 553 554# Access to /data/media for measuring disk usage. 555allow system_server media_rw_data_file:dir { search getattr open read }; 556 557# Receive and use open /data/media files passed over binder IPC. 558# Also used for measuring disk usage. 559allow system_server media_rw_data_file:file { getattr read write append }; 560 561# System server needs to setfscreate to packages_list_file when writing 562# /data/system/packages.list 563allow system_server system_server:process setfscreate; 564 565# Relabel apk files. 566allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 567allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 568 569# Relabel wallpaper. 
570allow system_server system_data_file:file relabelfrom; 571allow system_server wallpaper_file:file relabelto; 572allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 573 574# Backup of wallpaper imagery uses temporary hard links to avoid data churn 575allow system_server { system_data_file wallpaper_file }:file link; 576 577# ShortcutManager icons 578allow system_server system_data_file:dir relabelfrom; 579allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 580allow system_server shortcut_manager_icons:file create_file_perms; 581 582# Manage ringtones. 583allow system_server ringtone_file:dir { create_dir_perms relabelto }; 584allow system_server ringtone_file:file create_file_perms; 585 586# Relabel icon file. 587allow system_server icon_file:file relabelto; 588allow system_server icon_file:file { rw_file_perms unlink }; 589 590# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 591allow system_server system_data_file:dir relabelfrom; 592 593# server_configurable_flags_data_file is used for storing server configurable flags which 594# have been reset during the current boot. system_server needs to read the data to perform related 595# disaster recovery actions. 
596allow system_server server_configurable_flags_data_file:dir r_dir_perms; 597allow system_server server_configurable_flags_data_file:file r_file_perms; 598 599# Property Service write 600set_prop(system_server, system_prop) 601set_prop(system_server, exported_system_prop) 602set_prop(system_server, exported2_system_prop) 603set_prop(system_server, exported3_system_prop) 604set_prop(system_server, safemode_prop) 605set_prop(system_server, theme_prop) 606set_prop(system_server, dhcp_prop) 607set_prop(system_server, net_radio_prop) 608set_prop(system_server, net_dns_prop) 609set_prop(system_server, system_radio_prop) 610set_prop(system_server, exported_system_radio_prop) 611set_prop(system_server, debug_prop) 612set_prop(system_server, powerctl_prop) 613set_prop(system_server, fingerprint_prop) 614set_prop(system_server, exported_fingerprint_prop) 615set_prop(system_server, device_logging_prop) 616set_prop(system_server, dumpstate_options_prop) 617set_prop(system_server, overlay_prop) 618set_prop(system_server, exported_overlay_prop) 619set_prop(system_server, pm_prop) 620set_prop(system_server, exported_pm_prop) 621set_prop(system_server, socket_hook_prop) 622set_prop(system_server, audio_prop) 623userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 624 625# ctl interface 626set_prop(system_server, ctl_default_prop) 627set_prop(system_server, ctl_bugreport_prop) 628set_prop(system_server, ctl_gsid_prop) 629 630# cppreopt property 631set_prop(system_server, cppreopt_prop) 632 633# server configurable flags properties 634set_prop(system_server, device_config_input_native_boot_prop) 635set_prop(system_server, device_config_netd_native_prop) 636set_prop(system_server, device_config_activity_manager_native_boot_prop) 637set_prop(system_server, device_config_runtime_native_boot_prop) 638set_prop(system_server, device_config_runtime_native_prop) 639set_prop(system_server, device_config_media_native_prop) 640set_prop(system_server, 
device_config_storage_native_boot_prop) 641set_prop(system_server, device_config_sys_traced_prop) 642set_prop(system_server, device_config_window_manager_native_boot_prop) 643set_prop(system_server, device_config_configuration_prop) 644 645# BootReceiver to read ro.boot.bootreason 646get_prop(system_server, bootloader_boot_reason_prop) 647# PowerManager to read sys.boot.reason 648get_prop(system_server, system_boot_reason_prop) 649 650# Collect metrics on boot time created by init 651get_prop(system_server, boottime_prop) 652 653# Read device's serial number from system properties 654get_prop(system_server, serialno_prop) 655 656# Read/write the property which keeps track of whether this is the first start of system_server 657set_prop(system_server, firstboot_prop) 658 659# Audio service in system server can read exported audio properties, 660# such as camera shutter enforcement 661get_prop(system_server, exported_audio_prop) 662 663# system server reads this property to keep track of whether server configurable flags have been 664# reset during the current boot. 665get_prop(system_server, device_config_reset_performed_prop) 666 667# Read/write the property that enables Test Harness Mode 668set_prop(system_server, test_harness_prop) 669 670# Read gsid.image_running. 671get_prop(system_server, gsid_prop) 672 673# Read the property that mocks an OTA 674get_prop(system_server, mock_ota_prop) 675 676# Read the property used as a feature flag for protecting apks with fs-verity. 677get_prop(system_server, apk_verity_prop) 678 679# Read wifi.interface 680get_prop(system_server, wifi_prop) 681 682# Read the vendor property that indicates whether Incremental features are enabled 683get_prop(system_server, incremental_prop) 684 685# Create a socket for connections from debuggerd. 686allow system_server system_ndebug_socket:sock_file create_file_perms; 687 688# Create a socket for connections from zygotes. 
689allow system_server system_unsolzygote_socket:sock_file create_file_perms; 690 691# Manage cache files. 692allow system_server cache_file:lnk_file r_file_perms; 693allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; 694allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; 695allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; 696 697allow system_server system_file:dir r_dir_perms; 698allow system_server system_file:lnk_file r_file_perms; 699 700# ART locks profile files. 701allow system_server system_file:file lock; 702 703# LocationManager (e.g., GPS) needs to read and write 704# the UART driver and control proc entry 705allow system_server gps_control:file rw_file_perms; 706 707# Allow system_server to use app-created sockets and pipes. 708allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 709allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 710 711# BackupManagerService needs to manipulate backup data files 712allow system_server cache_backup_file:dir rw_dir_perms; 713allow system_server cache_backup_file:file create_file_perms; 714# LocalTransport works inside /cache/backup 715allow system_server cache_private_backup_file:dir create_dir_perms; 716allow system_server cache_private_backup_file:file create_file_perms; 717 718# Allow system_server to talk to USB devices 719allow system_server usb_device:chr_file rw_file_perms; 720allow system_server usb_device:dir r_dir_perms; 721 722# Read from HW RNG (needed by EntropyMixer). 723allow system_server hw_random_device:chr_file r_file_perms; 724 725# Read and delete files under /dev/fscklogs. 
726r_dir_file(system_server, fscklogs) 727allow system_server fscklogs:dir { write remove_name }; 728allow system_server fscklogs:file unlink; 729 730# logd access: system_server inherits the logd write socket 731# (the aim is to deprecate this long term) 732allow system_server zygote:unix_dgram_socket write; 733 734# Read from log daemon. 735read_logd(system_server) 736read_runtime_log_tags(system_server) 737 738# Be consistent with DAC permissions. Allow system_server to write to 739# /sys/module/lowmemorykiller/parameters/adj 740# /sys/module/lowmemorykiller/parameters/minfree 741allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 742 743# Read /sys/fs/pstore/console-ramoops 744# Don't worry about overly broad permissions for now, as there's 745# only one file in /sys/fs/pstore 746allow system_server pstorefs:dir r_dir_perms; 747allow system_server pstorefs:file r_file_perms; 748 749# /sys access 750allow system_server sysfs_zram:dir search; 751allow system_server sysfs_zram:file rw_file_perms; 752 753add_service(system_server, system_server_service); 754allow system_server audioserver_service:service_manager find; 755allow system_server batteryproperties_service:service_manager find; 756allow system_server cameraserver_service:service_manager find; 757allow system_server dataloader_manager_service:service_manager find; 758allow system_server dnsresolver_service:service_manager find; 759allow system_server drmserver_service:service_manager find; 760allow system_server dumpstate_service:service_manager find; 761allow system_server fingerprintd_service:service_manager find; 762allow system_server gatekeeper_service:service_manager find; 763allow system_server gpu_service:service_manager find; 764allow system_server gsi_service:service_manager find; 765allow system_server hal_fingerprint_service:service_manager find; 766allow system_server idmap_service:service_manager find; 767allow system_server incident_service:service_manager find; 768allow 
system_server incremental_service:service_manager find; 769allow system_server installd_service:service_manager find; 770allow system_server iorapd_service:service_manager find; 771allow system_server keystore_service:service_manager find; 772allow system_server mediaserver_service:service_manager find; 773allow system_server mediametrics_service:service_manager find; 774allow system_server mediaextractor_service:service_manager find; 775allow system_server mediadrmserver_service:service_manager find; 776allow system_server netd_service:service_manager find; 777allow system_server nfc_service:service_manager find; 778allow system_server radio_service:service_manager find; 779allow system_server stats_service:service_manager find; 780allow system_server storaged_service:service_manager find; 781allow system_server surfaceflinger_service:service_manager find; 782allow system_server update_engine_service:service_manager find; 783allow system_server vold_service:service_manager find; 784allow system_server wifinl80211_service:service_manager find; 785 786add_service(system_server, batteryproperties_service) 787 788allow system_server keystore:keystore_key { 789 get_state 790 get 791 insert 792 delete 793 exist 794 list 795 reset 796 password 797 lock 798 unlock 799 is_empty 800 sign 801 verify 802 grant 803 duplicate 804 clear_uid 805 add_auth 806 user_changed 807}; 808 809# Allow system server to search and write to the persistent factory reset 810# protection partition. This block device does not get wiped in a factory reset. 
# search on block_device:dir is path traversal only; blk_file rw is limited
# to the FRP partition, and a neverallow further down forbids blk_file rw on
# every other dev_type.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
# allowxperm narrows the ioctl permission contained in rw_file_perms to the
# two discard commands.
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Clean up old cgroups (removal only, no creation).
allow system_server cgroup:dir { remove_name rmdir };

# /oem access (read-only).
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks (traverse and read links only).
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal.
# Only getattr/search: opening anything on sdcard_type is forbidden by the
# neverallow rules below.
allow system_server sdcard_type:dir { getattr search };

# Traverse into expanded storage.
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed.
# Files get getattr/unlink only: system_server neither reads nor writes
# fingerprint data here.
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

# Debug-only grants; none of this is compiled into user builds.
userdebug_or_eng(`
  # Allow system server to create and write method traces in /data/misc/trace.
  allow system_server method_trace_data_file:dir w_dir_perms;
  allow system_server method_trace_data_file:file { create w_file_perms };

  # Allow system server to read dmesg.
  allow system_server kernel:system syslog_read;

  # Allow writing and removing window traces in /data/misc/wmtrace.
  allow system_server wm_trace_data_file:dir rw_dir_perms;
  allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.
# vold hands over the fuse descriptor: no open is granted on fuse_device or
# app_fuse_file, only use of an already-open fd.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs.
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Allow invoking tools like "timeout".
# toolbox_exec is one of only two non-ASAN exec targets carved out of the
# execute_no_trans neverallow further down; do not widen this.
allow system_server toolbox_exec:file rx_file_perms;

# Allow system process to set up and measure fs-verity on installed APKs.
# Adds the two fs-verity commands to the apk_data_file ioctl allowlist.
allowxperm system_server apk_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

# Write side only of pipes handed over by postinstall / update_engine.
allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads: read and delete, never create or write.
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

# Read access to cgroup; the bpf cgroup files get rw.
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
allow system_server cgroup_bpf:dir rw_dir_perms;
allow system_server cgroup_bpf:file rw_file_perms;

# Read-only /proc access for stats and accounting.
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
  proc_cmdline
  proc_loadavg
  proc_locks
  proc_meminfo
  proc_pagetypeinfo
  proc_pipe_conf
  proc_stat
  proc_uid_cputime_showstat
  proc_uid_io_stats
  proc_uid_time_in_state
  proc_uid_concurrent_active_time
  proc_uid_concurrent_policy_time
  proc_version
  proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

# Root filesystem: read-only.
r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
# Read-only on debugfs_tracing; write access is limited to the wifi tracing
# instance above.
allow system_server debugfs_tracing:file r_file_perms;

# Allow system_server to exec shell, asanwrapper & zygote (app_process) on ASAN builds. Needed to run
# asanwrapper.
# ASAN builds only: these same execs are carved out of the execute_no_trans
# neverallow further down.
with_asan(`
  allow system_server shell_exec:file rx_file_perms;
  allow system_server asanwrapper_exec:file rx_file_perms;
  allow system_server zygote_exec:file rx_file_perms;
')

# Allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after a snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting.
# No prog_load/map_create is granted: system_server can only use objects
# bpfloader created, it cannot load BPF programs of its own.
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content (read is still required to
# open the file O_RDONLY). It passes the descriptor to privileged apps
# which acquire the permissions to inspect the profiles.
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in /data/misc/profman.
# As such it needs to be able to create files but it should never read from
# them (no read in the permission set).
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir w_dir_perms;

# On userdebug builds we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
# Reading this property is restricted to a few domains by a neverallow
# further down.
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs.
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know whether it should expect lmkd
# to send it notifications on low memory kills.
get_prop(system_server, system_lmk_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
# (enforced for all other domains by a neverallowxperm at the end of the file).
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
# (The allow above only grants getattr/search on sdcard_type directories.)
neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
# NOTE(review): opening an app-controlled path from a privileged domain is
# the classic symlink/TOCTOU confused-deputy vector; a descriptor the app
# opened itself was subject to the app's own access checks.
neverallow system_server {
  bluetooth_data_file
  nfc_data_file
  shell_data_file
  app_data_file
  privapp_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
# Any new exec target has to be added to this exclusion list, which forces
# review of the exception.
neverallow system_server {
  file_type
  -toolbox_exec
  -logcat_exec
  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs.
neverallow system_server { domain -crash_dump }:process transition;
neverallow system_server *:process dyntransition;

# Only allow crash_dump to connect to system_ndebug_socket.
# open/write on the sock_file is what a connect() through the filesystem
# path needs, so this is effectively the list of domains able to connect.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
  domain
  -init
  -system_server
  -zygote
  -app_zygote
  -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags.
neverallow {
  domain
  -init
  -system_server
  -flags_health_check
} {
  device_config_activity_manager_native_boot_prop
  device_config_input_native_boot_prop
  device_config_netd_native_prop
  device_config_runtime_native_boot_prop
  device_config_runtime_native_prop
  device_config_media_native_prop
  device_config_storage_native_boot_prop
  device_config_sys_traced_prop
  device_config_window_manager_native_boot_prop
}:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
# No file labeled data_file_type may be executed or mapped executable by
# system_server.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
# Pairs with the frp_block_device allow above.
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
# NOTE: when the knob is `true' the neverallow is replaced by an allow, so
# target_requires_insecure_execmem_for_swiftshader must never be set on a
# shipping target.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
  `allow system_server self:process execmem;',
  `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup.
# The startup tmpfs is read/write/map only -- no execute.
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate with apexd (call direction only).
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes.
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to communicate with system-suspend's control interface.
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate with system-suspend's wakelock interface.
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex
# (that restriction is not asserted in this file; presumably enforced by
# apexd's own policy -- verify).
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
# The parent apex_module_data_file is traverse-only; full create/delete is
# limited to the permission and wifi subdirectories.
allow system_server apex_module_data_file:dir { getattr search };
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
allow system_server apex_wifi_data_file:dir create_dir_perms;
allow system_server apex_wifi_data_file:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
# Access by every other domain except init is denied by neverallows below.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

# Allow system server rw access to files in the /metadata/staged-install folder.
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;

# Allow system_server to set the sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)

# JVMTI agent settings are only readable from the system server.
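# JVMTI agent property: readable by system_server, dumpstate, init and
# vendor_init only. Loading an agent into system_server is code injection,
# so the knob must not be readable (let alone settable) by anything else.
neverallow {
  domain
  -system_server
  -dumpstate
  -init
  -vendor_init
} {
  system_jvmti_agent_prop
}:file no_rw_file_perms;

# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;

# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

# No ptracing others.
neverallow system_server { domain -system_server }:process ptrace;

# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;

# Only system_server/init should access /metadata/password_slots.
# The file rule denies every permission (`*`) on every notdevfile class; the
# former weaker variant that exempted relabelto/getattr was strictly
# subsumed by it and has been dropped.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

# Allow system_server to read/write the binder cache invalidation property;
# nothing but init may set it.
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
    binder_cache_system_server_prop:property_service set;

# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.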
# cpu/kernel permit attaching to any CPU and to kernel tracepoints; read
# (and every other perf_event permission) is denied by the neverallow, so
# this cannot be turned into a sampling channel for process data.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };

# Do not allow any domain other than init or system server to set the property.
neverallow { domain -init -system_server } socket_hook_prop:property_service set;

# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };