#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# Everything granted in this file is reachable from a single, highly
# privileged process; rules below are grouped by the subsystem that needs them.
#

typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

userfaultfd_use(system_server)

# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";

allow system_server zygote_tmpfs:file read;
# appdomain_tmpfs regions are shared with untrusted apps; with write and map
# granted, their contents must be treated as app-controlled input.
allow system_server appdomain_tmpfs:file { getattr map read write };

# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;

# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
  INCFS_IOCTL_CREATE_FILE
  INCFS_IOCTL_CREATE_MAPPED_FILE
  INCFS_IOCTL_PERMIT_FILL
  INCFS_IOCTL_GET_READ_TIMEOUTS
  INCFS_IOCTL_SET_READ_TIMEOUTS
  INCFS_IOCTL_GET_LAST_READ_ERROR
};

# To get signature of an APK installed on Incremental File System, and fill in data
# blocks and get the filesystem state
allowxperm system_server apk_data_file:file ioctl {
  INCFS_IOCTL_READ_SIGNATURE
  INCFS_IOCTL_FILL_BLOCKS
  INCFS_IOCTL_GET_FILLED_BLOCKS
  INCFS_IOCTL_GET_BLOCK_COUNT
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_COMPRESS_BLOCKS
  F2FS_IOC_COMPRESS_FILE
  F2FS_IOC_DECOMPRESS_FILE
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
  FS_IOC_SETFLAGS
  FS_IOC_GETFLAGS
};

allowxperm system_server apk_tmp_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;

# For f2fs-compression support
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;

# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to `self`: this does not allow tracing other domains.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;

# May kill zygote on crashes.
allow system_server {
  app_zygote
  crash_dump
  webview_zygote
  zygote
}:process { sigkill signull };

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)

# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;

# These are the capabilities assigned by the zygote to the
# system server.
# Any addition here should name the service that needs it; sys_ptrace, net_admin
# and sys_boot in particular widen what a compromise of this process can reach.
allow system_server self:global_capability_class_set {
  ipc_lock
  kill
  net_admin
  net_bind_service
  net_broadcast
  net_raw
  sys_boot
  sys_nice
  sys_ptrace
  sys_time
  sys_tty_config
};

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;

# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;

# libvintf reads the kernel config to verify vendor interface compatibility.
allow system_server config_gz:file { read open };

# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
allow system_server appdomain:process { signull };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };

# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
allow system_server kernel:process { getsched setsched };

# Allow system_server to write to /proc/<pid>/*
# NOTE(review): `domain` is the attribute carried by every process type, so this
# grants write on the `file` class for all of them, not only the /proc/<pid>
# entries named above; confirm the intent and whether a narrower target exists.
allow system_server domain:file w_file_perms;

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
r_dir_file(system_server, domain)

# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };

# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };

# Write to /proc/sysrq-trigger.
# Writes to this node request kernel sysrq actions (e.g. a forced reboot or
# crash dump), so the rule is intentionally limited to system_server.
allow system_server proc_sysrq:file rw_file_perms;

# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;

# Read /sys/kernel/debug/wakeup_sources.
no_debugfs_restriction(`
  allow system_server debugfs_wakeup_sources:file r_file_perms;
')

# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;

# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file r_file_perms;

# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
allow system_server sysfs_dmabuf_stats:file r_file_perms;

# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;

# Allow reading /proc/vmstat for the oom kill count
allow system_server proc_vmstat:file r_file_perms;

# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)

# Allow system_server to write to statsd.
unix_socket_send(system_server, statsdw, statsd)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Communicate over a socket created by gpuservice.
allow system_server gpuservice:unix_stream_socket { read write setopt };

# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };

# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
binder_call(system_server, gpuservice)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)

# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
# The bootctl is a pass through HAL mode under recovery mode. So we skip the
# permission for recovery in order not to give system server the access to
# the low level block devices.
not_recovery(`hal_client_domain(system_server, hal_bootctl)')

# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;

# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
# `execute` + `map` here loads passthrough HAL code into system_server's own
# address space, where it runs with every permission in this file; keep the
# set of same-process HALs as small as possible.
allow system_server same_process_hal_file:file { execute read open getattr map };

# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)

# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;

# Send signals to trigger ANR traces.
# Only `signal` is granted here (no sigkill), so this list can request traces
# from the named processes but not terminate them.
allow system_server {
  # This is derived from the list that system server defines as interesting native processes
  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  audioserver
  cameraserver
  drmserver
  gpuservice
  inputflinger
  keystore
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  mediatranscoding
  mediatuner
  netd
  sdcardd
  statsd
  surfaceflinger
  vold

  # This list comes from HAL_INTERFACES_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_face_server
  hal_fingerprint_server
  hal_gnss_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_light_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_stats_server
  hal_sensors_server
  hal_vr_server
  system_suspend_server
}:process { signal };

# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Use sockets received over binder from various services.
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;

# Trace producer registration is limited to debug builds.
userdebug_or_eng(`perfetto_producer({ system_server })')

# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
selinux_check_access(system_server)

# /sys access for USB, networking, RTC, power, thermal and uhid nodes.
# `sysfs_type:dir search` only permits path traversal; each readable or
# writable node is granted individually below.
allow system_server sysfs_type:dir search;

r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;

allow system_server sysfs_extcon:dir r_dir_perms;

r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;

r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)

allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
allow system_server sysfs_uhid:dir r_dir_perms;
allow system_server sysfs_uhid:file rw_file_perms;

# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };

# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;

# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;

# tun device used for 3rd party vpn apps
# rw_file_perms carries the `ioctl` permission; the allowxperm line narrows the
# permitted ioctl commands to the two listed.
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };

# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
allow system_server ota_package_file:file create_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)

# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
# Debug builds only; user builds get no access to su-owned pipes.
userdebug_or_eng(`
  allow system_server su:fifo_file append;
')

# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;

# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;

# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;

# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file read;
allow system_server perfetto:fd use;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;

# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;

# Manage /data/misc/adb.
# NOTE(review): adb_keys_file is the ADB authorized-key store, so create/write
# here decides which hosts can authenticate over adb; keep its use confined to
# the key-management path.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;

# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;

# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Allow write access to be able to truncate tombstones.
# Only `write` is added (no create or unlink), so this stays limited to
# modifying tombstones that already exist.
allow system_server tombstone_data_file:file write;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;

# Manage /data/rollback.
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };

# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };

# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# NOTE(review): both unlabeled rules exist for legacy upgrade paths; worth
# checking whether they are still exercised before carrying them forward.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# No `open` is granted, so these are descriptors the app already opened and
# handed over; their contents are untrusted input, and `map` allows mmap of them.
allow system_server app_data_file_type:file { getattr read write append map };

# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };

# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
allow system_server media_rw_data_file:file { getattr read write append };

# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
allow system_server system_server:process setfscreate;

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };

# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;

# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;

# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;

# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };

# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
# (The same rule is already granted above under "ShortcutManager icons";
# duplicate allow rules are harmless in policy.)
allow system_server system_data_file:dir relabelfrom;

# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;

# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')

# ctl interface
# ctl.* properties are init's service-control interface; setting them lets
# system_server ask init to start/stop services, so keep this list short.
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)

# cppreopt property
set_prop(system_server, cppreopt_prop)

# server configurable flags properties
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)


# Allow query ART device config properties
# NOTE(review): set_prop is already granted for both of these properties above;
# if set_prop implies get_prop (as the core macro does), these two lines are
# redundant and could be dropped.
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)

# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)

# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)

# Read device's serial number from system properties
get_prop(system_server, serialno_prop)

# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)

# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)

# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)

# Read gsid.image_running.
get_prop(system_server, gsid_prop)

# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)

# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)

# Read wifi.interface
get_prop(system_server, wifi_prop)

# Read the vendor property that indicates if Incremental features are enabled
get_prop(system_server, incremental_prop)

# Read ro.zram. properties
get_prop(system_server, zram_config_prop)

# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)

# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)

# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)

# Create a socket for connections from debuggerd.
# (The type_transition for "ndebugsocket" near the top of this file describes
# the same socket as serving crash_dump.)
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;

# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;

# ART locks profile files.
789allow system_server system_file:file lock; 790 791# LocationManager(e.g, GPS) needs to read and write 792# to uart driver and ctrl proc entry 793allow system_server gps_control:file rw_file_perms; 794 795# Allow system_server to use app-created sockets and pipes. 796allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 797allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 798 799# BackupManagerService needs to manipulate backup data files 800allow system_server cache_backup_file:dir rw_dir_perms; 801allow system_server cache_backup_file:file create_file_perms; 802# LocalTransport works inside /cache/backup 803allow system_server cache_private_backup_file:dir create_dir_perms; 804allow system_server cache_private_backup_file:file create_file_perms; 805 806# Allow system to talk to usb device 807allow system_server usb_device:chr_file rw_file_perms; 808allow system_server usb_device:dir r_dir_perms; 809 810# Read and delete files under /dev/fscklogs. 811r_dir_file(system_server, fscklogs) 812allow system_server fscklogs:dir { write remove_name }; 813allow system_server fscklogs:file unlink; 814 815# logd access, system_server inherit logd write socket 816# (urge is to deprecate this long term) 817allow system_server zygote:unix_dgram_socket write; 818 819# Read from log daemon. 820read_logd(system_server) 821read_runtime_log_tags(system_server) 822 823# Be consistent with DAC permissions. 
Allow system_server to write to 824# /sys/module/lowmemorykiller/parameters/adj 825# /sys/module/lowmemorykiller/parameters/minfree 826allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 827 828# Read /sys/fs/pstore/console-ramoops 829# Don't worry about overly broad permissions for now, as there's 830# only one file in /sys/fs/pstore 831allow system_server pstorefs:dir r_dir_perms; 832allow system_server pstorefs:file r_file_perms; 833 834# /sys access 835allow system_server sysfs_zram:dir search; 836allow system_server sysfs_zram:file rw_file_perms; 837 838add_service(system_server, system_server_service); 839allow system_server audioserver_service:service_manager find; 840allow system_server authorization_service:service_manager find; 841allow system_server batteryproperties_service:service_manager find; 842allow system_server cameraserver_service:service_manager find; 843allow system_server dataloader_manager_service:service_manager find; 844allow system_server dnsresolver_service:service_manager find; 845allow system_server drmserver_service:service_manager find; 846allow system_server dumpstate_service:service_manager find; 847allow system_server fingerprintd_service:service_manager find; 848allow system_server gatekeeper_service:service_manager find; 849allow system_server gpu_service:service_manager find; 850allow system_server gsi_service:service_manager find; 851allow system_server idmap_service:service_manager find; 852allow system_server incident_service:service_manager find; 853allow system_server incremental_service:service_manager find; 854allow system_server installd_service:service_manager find; 855allow system_server iorapd_service:service_manager find; 856allow system_server keystore_maintenance_service:service_manager find; 857allow system_server keystore_metrics_service:service_manager find; 858allow system_server keystore_service:service_manager find; 859allow system_server mediaserver_service:service_manager find; 
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
# Debug-only: profcollectd is reachable from system_server on userdebug/eng
# builds only.
userdebug_or_eng(`
  allow system_server profcollectd_service:service_manager find;
')

add_service(system_server, batteryproperties_service)

# Legacy keystore (keystore_key) permissions.  This is a broad set: it includes
# the user-lifecycle operations (reset, clear_uid, lock/unlock, password,
# user_changed) on top of ordinary key use.  Any addition here should be
# justified against a specific system_server service.
allow system_server keystore:keystore_key {
  get_state
  get
  insert
  delete
  exist
  list
  reset
  password
  lock
  unlock
  is_empty
  sign
  verify
  grant
  duplicate
  clear_uid
  add_auth
  user_changed
};

# Keystore 2.0 administrative operations (user/namespace lifecycle, auth token
# delivery, lock/unlock).
allow system_server keystore:keystore2 {
  add_auth
  change_password
  change_user
  clear_ns
  clear_uid
  get_state
  lock
  pull_metrics
  reset
  unlock
};

# Keystore 2.0 key operations in system_server's own namespace.  use_dev_id
# permits attestation with device identifiers.
allow system_server keystore:keystore2_key {
  delete
  use_dev_id
  grant
  get_info
  rebind
  update
  use
};

# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key {
  delete
  get_info
  rebind
  update
  use
};

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
  delete
  get_info
  rebind
  update
  use
};

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
  delete
  get_info
  rebind
  update
  use
};


# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# The discard ioctls are what allow the FRP data to be cleared.  A neverallow
# later in this file makes frp_block_device the only block device system_server
# may read or write.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };

# /oem access
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal.
# Only getattr/search: the neverallow rules in this file forbid open/read/write
# on sdcard_type so that an unsafe eject cannot take system_server down.
allow system_server sdcard_type:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

# Debug-only tracing and dmesg access; none of this is granted on user builds.
userdebug_or_eng(`
  # Allow system server to create and write method traces in /data/misc/trace.
  allow system_server method_trace_data_file:dir w_dir_perms;
  allow system_server method_trace_data_file:file { create w_file_perms };

  # Allow system server to read dmesg
  allow system_server kernel:system syslog_read;

  # Allow writing and removing window traces in /data/misc/wmtrace.
  allow system_server wm_trace_data_file:dir rw_dir_perms;
  allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };

  # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
  allow system_server accessibility_trace_data_file:dir rw_dir_perms;
  allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.  The fuse device descriptor comes from vold (fd use); no open
# permission on fuse_device is granted here.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Allow invoking tools like "timeout".  toolbox_exec is one of the few
# execute_no_trans exceptions carved out of the neverallow below; do not widen
# it without revisiting that rule.
allow system_server toolbox_exec:file rx_file_perms;

# Allow system process to setup and measure fs-verity
allowxperm system_server apk_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

# Progress/status pipes handed over by postinstall and update_engine
# (write-only; the fds arrive from update_engine).
allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads (read and delete only, no create/write).
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;

# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Read-only access to assorted /proc files used for system stats.
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
  proc_cmdline
  proc_loadavg
  proc_locks
  proc_meminfo
  proc_pagetypeinfo
  proc_pipe_conf
  proc_stat
  proc_uid_cputime_showstat
  proc_uid_io_stats
  proc_uid_time_in_state
  proc_uid_concurrent_active_time
  proc_uid_concurrent_policy_time
  proc_version
  proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
# Write access is confined to the wifi tracing instance type.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
# NOTE(review): r_file_perms is granted on the whole debugfs_tracing file type,
# which is wider than the tracepoint id files; together with the perf_event
# rules at the end of this file (which deliberately deny read) it is worth
# confirming this type does not cover readable trace output.
allow system_server debugfs_tracing:file r_file_perms;

# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.  These are ASAN-build-only exceptions and are mirrored in the
# execute_no_trans neverallow below.
with_asan(`
  allow system_server shell_exec:file rx_file_perms;
  allow system_server asanwrapper_exec:file rx_file_perms;
  allow system_server zygote_exec:file rx_file_perms;
')

# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting.  map_write/prog_run are granted on maps and programs owned
# by bpfloader, i.e. shared kernel state, not system_server-private state.
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
# Note that "never reads" is an application-level promise: the read permission
# is granted here and policy cannot distinguish open-for-passing from reading.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able create files but it should never read from them.
# Unlike the profile snapshots above, the no-read property is enforced here:
# no read permission is granted on profman_dump_data_file.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir w_dir_perms;

# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
# Read-only here; a neverallow later in this file limits read/write of the
# property file to system_server, dumpstate, init and vendor_init.
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know it should expect the lmkd sends notification to it
# on low memory kills.
get_prop(system_server, system_lmk_prop)

get_prop(system_server, wifi_config_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO.
# Exclusivity is enforced by a neverallowxperm at the end of this file.
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Watchdog prints debugging log to /dev/kmsg_debug (userdebug/eng only;
# append-only, no read).
userdebug_or_eng(`
  allow system_server kmsg_debug_device:chr_file { open append getattr };
')
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)


# Font files are written by system server.  A neverallow at the end of this
# file restricts writing font_data_file to init and system_server.
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
# Allow system process to setup fs-verity for font files (enable only; no
# measure ioctl is granted here).
allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;

# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)

# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')

###
### Neverallow rules
###
### system_server should NEVER do any of this
###
### These are compile-time assertions: a policy that grants any of the
### following to system_server fails to build, which is how the restrictions
### survive later edits to this file and to device-specific policy.

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
# (getattr/search on sdcard_type:dir is allowed above for statfs(); that is the
# full extent of the permitted access.)
neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
  app_data_file_type
  -system_app_data_file
  -radio_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
# Exceptions: toolbox_exec (allowed above), logcat_exec (the matching allow is
# not in this part of the file), and the ASAN-only helpers.
neverallow system_server {
  file_type
  -toolbox_exec
  -logcat_exec
  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs.
neverallow system_server { domain -crash_dump }:process transition;
neverallow system_server *:process dyntransition;

# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
  domain
  -init
  -system_server
  -zygote
  -app_zygote
  -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags
# NOTE(review): this list does not cover every device_config_* property that
# system_server is granted set_prop on earlier in this file (e.g. the
# profcollect, statsd and configuration props); confirm whether those are
# intentionally settable by other domains.
neverallow {
  domain
  -init
  -system_server
  -flags_health_check
} {
  device_config_activity_manager_native_boot_prop
  device_config_connectivity_prop
  device_config_input_native_boot_prop
  device_config_lmkd_native_prop
  device_config_netd_native_prop
  device_config_runtime_native_boot_prop
  device_config_runtime_native_prop
  device_config_media_native_prop
  device_config_storage_native_boot_prop
  device_config_sys_traced_prop
  device_config_swcodec_native_prop
  device_config_window_manager_native_boot_prop
}:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
# The m4 ifelse below flips the neverallow into an allow only when the build
# variable target_requires_insecure_execmem_for_swiftshader is exactly `true';
# a shipping product must not set it.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
  `allow system_server self:process execmem;',
  `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup (descriptors only; no open on
# the startup tmpfs is granted here).
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;

# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate to system-suspend's wakelock interface
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
# Only the per-module subtypes get create/write; the parent
# apex_module_data_file directory is search-only.
allow system_server apex_module_data_file:dir { getattr search };
allow system_server apex_appsearch_data_file:dir create_dir_perms;
allow system_server apex_appsearch_data_file:file create_file_perms;
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
allow system_server apex_scheduling_data_file:dir create_dir_perms;
allow system_server apex_scheduling_data_file:file create_file_perms;
allow system_server apex_wifi_data_file:dir create_dir_perms;
allow system_server apex_wifi_data_file:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
# /metadata survives a factory reset; the neverallow rules below keep every
# other domain except init away from password_slot_metadata_file.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
allow system_server userspace_reboot_metadata_file:file create_file_perms;

# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;

allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;

allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;

# Allow system server read and remove files under /data/misc/odrefresh
allow system_server odrefresh_data_file:dir rw_dir_perms;
allow system_server odrefresh_data_file:file { r_file_perms unlink };

# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;

# Allow system_server to set the sysprop used to compute stats about userspace
# reboot.  (The rule grants system_server, not init, despite what the original
# comment said.)
set_prop(system_server, userspace_reboot_log_prop)

# JVMTI agent settings are only readable from the system server, with the
# exception of dumpstate, init and vendor_init, which are also exempted below.
neverallow {
  domain
  -system_server
  -dumpstate
  -init
  -vendor_init
} {
  system_jvmti_agent_prop
}:file no_rw_file_perms;

# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;

# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

# No ptracing others (self ptrace is allowed near the top of this file).
neverallow system_server { domain -system_server }:process ptrace;

# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;

# Only system_server/init should access /metadata/password_slots.
# NOTE(review): the third rule (`*') subsumes the second (`~{ relabelto
# getattr }'): with both present no other domain may relabelto or getattr
# these files either.  If the relabelto/getattr carve-out is intended, the
# `*' rule defeats it; if not, the middle rule is dead and can be dropped.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow {
  domain
  -init
  -system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

# Only system_server/init should access /metadata/userspacereboot.
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;

# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
  binder_cache_system_server_prop:property_service set;

# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
# The allow and the neverallow are exact complements, so any later widening of
# the allow set fails the policy build.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };

# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;

neverallow { domain -init -system_server } boot_status_prop:property_service set;

# wifi_config_prop file access is limited to the listed domains (system_server
# reads it via get_prop above).
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_server
} wifi_config_prop:file no_rw_file_perms;

# Only allow system server to write uhid sysfs files
neverallow {
  domain
  -init
  -system_server
  -ueventd
  -vendor_init
} sysfs_uhid:file no_w_file_perms;

# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;