1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5 6typeattribute system_server coredomain; 7typeattribute system_server mlstrustedsubject; 8typeattribute system_server remote_provisioning_service_server; 9typeattribute system_server scheduler_service_server; 10typeattribute system_server sensor_service_server; 11typeattribute system_server stats_service_server; 12typeattribute system_server bpfdomain; 13 14# Define a type for tmpfs-backed ashmem regions. 15tmpfs_domain(system_server) 16 17userfaultfd_use(system_server) 18 19# Create a socket for connections from crash_dump. 20type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 21 22# Create a socket for connections from zygotes. 23type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; 24 25allow system_server zygote_tmpfs:file { map read }; 26allow system_server appdomain_tmpfs:file { getattr map read write }; 27 28# For Incremental Service to check if incfs is available 29allow system_server proc_filesystems:file r_file_perms; 30 31# To create files, get permission to fill blocks, and configure Incremental File System 32allow system_server incremental_control_file:file { ioctl r_file_perms }; 33allowxperm system_server incremental_control_file:file ioctl { 34 INCFS_IOCTL_CREATE_FILE 35 INCFS_IOCTL_CREATE_MAPPED_FILE 36 INCFS_IOCTL_PERMIT_FILL 37 INCFS_IOCTL_GET_READ_TIMEOUTS 38 INCFS_IOCTL_SET_READ_TIMEOUTS 39 INCFS_IOCTL_GET_LAST_READ_ERROR 40}; 41 42# To get signature of an APK installed on Incremental File System, and fill in data 43# blocks and get the filesystem state 44allowxperm system_server apk_data_file:file ioctl { 45 INCFS_IOCTL_READ_SIGNATURE 46 INCFS_IOCTL_FILL_BLOCKS 47 INCFS_IOCTL_GET_FILLED_BLOCKS 48 INCFS_IOCTL_GET_BLOCK_COUNT 49 F2FS_IOC_GET_FEATURES 50 F2FS_IOC_GET_COMPRESS_BLOCKS 51 F2FS_IOC_COMPRESS_FILE 52 F2FS_IOC_DECOMPRESS_FILE 53 
F2FS_IOC_RELEASE_COMPRESS_BLOCKS 54 F2FS_IOC_RESERVE_COMPRESS_BLOCKS 55 FS_IOC_SETFLAGS 56 FS_IOC_GETFLAGS 57}; 58 59allowxperm system_server apk_tmp_file:file ioctl { 60 F2FS_IOC_RELEASE_COMPRESS_BLOCKS 61 FS_IOC_GETFLAGS 62}; 63 64# For Incremental Service to check incfs metrics 65allow system_server sysfs_fs_incfs_metrics:file r_file_perms; 66 67# For f2fs-compression support 68allow system_server sysfs_fs_f2fs:dir r_dir_perms; 69allow system_server sysfs_fs_f2fs:file r_file_perms; 70 71# For SdkSandboxManagerService 72allow system_server sdk_sandbox_system_data_file:dir create_dir_perms; 73 74# For art. 75allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms; 76allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms; 77 78# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`. 79# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a 80# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks 81# system_server. It fails to be loaded when the jar is used as a shared library, which is expected. 82dontaudit system_server apex_art_data_file:file execute; 83 84# For release odex/vdex compress blocks 85allowxperm system_server dalvikcache_data_file:file ioctl { 86 F2FS_IOC_RELEASE_COMPRESS_BLOCKS 87 FS_IOC_GETFLAGS 88}; 89 90# When running system server under --invoke-with, we'll try to load the boot image under the 91# system server domain, following links to the system partition. 92with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') 93 94# /data/resource-cache 95allow system_server resourcecache_data_file:file r_file_perms; 96allow system_server resourcecache_data_file:dir r_dir_perms; 97 98# ptrace to processes in the same domain for debugging crashes. 99allow system_server self:process ptrace; 100 101# Child of the zygote. 
102allow system_server zygote:fd use; 103allow system_server zygote:process sigchld; 104 105# May kill zygote (or its child processes) on crashes. 106allow system_server { 107 app_zygote 108 crash_dump 109 crosvm 110 virtualizationmanager 111 webview_zygote 112 zygote 113}:process { getpgid sigkill signull }; 114 115# Read /system/bin/app_process. 116allow system_server zygote_exec:file r_file_perms; 117 118# Needed to close the zygote socket, which involves getopt / getattr 119allow system_server zygote:unix_stream_socket { getopt getattr }; 120 121# system server gets network and bluetooth permissions. 122net_domain(system_server) 123# In addition to the ioctls allowlisted for all domains, also allow system_server 124# to use privileged ioctl commands. Needed to set up VPNs. 125allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 126bluetooth_domain(system_server) 127 128# Allow setup of tcp keepalive offload. This gives system_server the permission to 129# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to 130# be granted individually, except for a small set of safe values allowlisted in 131# public/domain.te. 132allow system_server appdomain:tcp_socket ioctl; 133 134# These are the capabilities assigned by the zygote to the 135# system server. 136allow system_server self:global_capability_class_set { 137 ipc_lock 138 kill 139 net_admin 140 net_bind_service 141 net_broadcast 142 net_raw 143 sys_boot 144 sys_nice 145 sys_ptrace 146 sys_time 147 sys_tty_config 148}; 149 150# Trigger module auto-load. 151allow system_server kernel:system module_request; 152 153# Allow alarmtimers to be set 154allow system_server self:global_capability2_class_set wake_alarm; 155 156# Create and share netlink_netfilter_sockets for tetheroffload. 157allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; 158 159# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
160allow system_server self:netlink_tcpdiag_socket 161 { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; 162 163# Use netlink uevent sockets. 164allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 165 166allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl; 167 168# Use generic netlink sockets. 169allow system_server self:netlink_socket create_socket_perms_no_ioctl; 170allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 171 172# libvintf reads the kernel config to verify vendor interface compatibility. 173allow system_server config_gz:file { read open }; 174 175# Use generic "sockets" where the address family is not known 176# to the kernel. The ioctl permission is specifically omitted here, but may 177# be added to device specific policy along with the ioctl commands to be 178# allowlisted. 179allow system_server self:socket create_socket_perms_no_ioctl; 180 181# Set and get routes directly via netlink. 182allow system_server self:netlink_route_socket nlmsg_write; 183 184# Use XFRM (IPsec) netlink sockets 185allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read }; 186 187# Kill apps. 188allow system_server appdomain:process { getpgid sigkill signal }; 189# signull allowed for kill(pid, 0) existence test. 190allow system_server appdomain:process { signull }; 191 192# Set scheduling info for apps. 
193allow system_server appdomain:process { getsched setsched }; 194allow system_server audioserver:process { getsched setsched }; 195allow system_server hal_audio:process { getsched setsched }; 196allow system_server hal_bluetooth:process { getsched setsched }; 197allow system_server hal_codec2_server:process { getsched setsched }; 198allow system_server hal_omx_server:process { getsched setsched }; 199allow system_server mediaswcodec:process { getsched setsched }; 200allow system_server cameraserver:process { getsched setsched }; 201allow system_server hal_camera:process { getsched setsched }; 202allow system_server mediaserver:process { getsched setsched }; 203allow system_server bootanim:process { getsched setsched }; 204 205# Set scheduling info for psi monitor thread. 206# TODO: delete this line b/131761776 207allow system_server kernel:process { getsched setsched }; 208 209# Allow system_server to write to /proc/<pid>/* 210allow system_server domain:file w_file_perms; 211 212# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 213# within system_server to keep track of memory and CPU usage for 214# all processes on the device. In addition, /proc/pid files access is needed 215# for dumping stack traces of native processes. 216r_dir_file(system_server, domain) 217 218# Write /proc/uid_cputime/remove_uid_range. 219allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 220 221# Write /proc/uid_procstat/set. 222allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 223 224# Write to /proc/sysrq-trigger. 225allow system_server proc_sysrq:file rw_file_perms; 226 227# Delete /data/misc/stats-service/ directories. 
228allow system_server stats_config_data_file:dir { open read remove_name search write }; 229allow system_server stats_config_data_file:file unlink; 230 231# Read metric file & upload to statsd 232allow system_server odsign_data_file:dir search; 233allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name }; 234allow system_server odsign_metrics_file:file { r_file_perms unlink }; 235 236# Read /sys/kernel/debug/wakeup_sources. 237no_debugfs_restriction(` 238 allow system_server debugfs_wakeup_sources:file r_file_perms; 239') 240 241# Read /sys/kernel/ion/*. 242allow system_server sysfs_ion:file r_file_perms; 243 244# Read /sys/kernel/dma_heap/*. 245allow system_server sysfs_dma_heap:file r_file_perms; 246 247# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf. 248allow system_server sysfs_dmabuf_stats:dir r_dir_perms; 249allow system_server sysfs_dmabuf_stats:file r_file_perms; 250 251# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap 252# for dumpsys meminfo 253allow system_server dmabuf_heap_device:dir r_dir_perms; 254 255# Allow reading /proc/vmstat for the oom kill count 256allow system_server proc_vmstat:file r_file_perms; 257 258# The DhcpClient and WifiWatchdog use packet_sockets 259allow system_server self:packet_socket create_socket_perms_no_ioctl; 260 261# 3rd party VPN clients require a tun_socket to be created 262allow system_server self:tun_socket create_socket_perms_no_ioctl; 263 264# Talk to init and various daemons via sockets. 265unix_socket_connect(system_server, lmkd, lmkd) 266unix_socket_connect(system_server, mtpd, mtp) 267unix_socket_connect(system_server, zygote, zygote) 268unix_socket_connect(system_server, racoon, racoon) 269unix_socket_connect(system_server, uncrypt, uncrypt) 270 271# Allow system_server to write to statsd. 272unix_socket_send(system_server, statsdw, statsd) 273 274# Communicate over a socket created by surfaceflinger. 
275allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 276 277allow system_server gpuservice:unix_stream_socket { read write setopt }; 278 279# Communicate over a socket created by webview_zygote. 280allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 281 282# Communicate over a socket created by app_zygote. 283allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; 284 285# Perform Binder IPC. 286binder_use(system_server) 287binder_call(system_server, appdomain) 288binder_call(system_server, artd) 289binder_call(system_server, binderservicedomain) 290binder_call(system_server, composd) 291binder_call(system_server, dumpstate) 292binder_call(system_server, fingerprintd) 293binder_call(system_server, gatekeeperd) 294binder_call(system_server, gpuservice) 295binder_call(system_server, idmap) 296binder_call(system_server, installd) 297binder_call(system_server, incidentd) 298binder_call(system_server, netd) 299userdebug_or_eng(`binder_call(system_server, profcollectd)') 300binder_call(system_server, statsd) 301binder_call(system_server, storaged) 302binder_call(system_server, update_engine) 303binder_call(system_server, vold) 304binder_call(system_server, logd) 305binder_call(system_server, wificond) 306binder_service(system_server) 307 308# Use HALs 309hal_client_domain(system_server, hal_allocator) 310hal_client_domain(system_server, hal_audio) 311hal_client_domain(system_server, hal_authsecret) 312hal_client_domain(system_server, hal_broadcastradio) 313hal_client_domain(system_server, hal_codec2) 314hal_client_domain(system_server, hal_configstore) 315hal_client_domain(system_server, hal_contexthub) 316hal_client_domain(system_server, hal_face) 317hal_client_domain(system_server, hal_fingerprint) 318hal_client_domain(system_server, hal_gnss) 319hal_client_domain(system_server, hal_graphics_allocator) 320hal_client_domain(system_server, hal_health) 
321hal_client_domain(system_server, hal_input_classifier) 322hal_client_domain(system_server, hal_input_processor) 323hal_client_domain(system_server, hal_ir) 324hal_client_domain(system_server, hal_keymint) 325hal_client_domain(system_server, hal_light) 326hal_client_domain(system_server, hal_memtrack) 327hal_client_domain(system_server, hal_neuralnetworks) 328hal_client_domain(system_server, hal_oemlock) 329hal_client_domain(system_server, hal_omx) 330hal_client_domain(system_server, hal_power) 331hal_client_domain(system_server, hal_power_stats) 332hal_client_domain(system_server, hal_rebootescrow) 333hal_client_domain(system_server, hal_sensors) 334hal_client_domain(system_server, hal_tetheroffload) 335hal_client_domain(system_server, hal_thermal) 336hal_client_domain(system_server, hal_tv_cec) 337hal_client_domain(system_server, hal_tv_hdmi_cec) 338hal_client_domain(system_server, hal_tv_hdmi_connection) 339hal_client_domain(system_server, hal_tv_hdmi_earc) 340hal_client_domain(system_server, hal_tv_input) 341hal_client_domain(system_server, hal_usb) 342hal_client_domain(system_server, hal_usb_gadget) 343hal_client_domain(system_server, hal_uwb) 344hal_client_domain(system_server, hal_vibrator) 345hal_client_domain(system_server, hal_vr) 346hal_client_domain(system_server, hal_weaver) 347hal_client_domain(system_server, hal_wifi) 348hal_client_domain(system_server, hal_wifi_hostapd) 349hal_client_domain(system_server, hal_wifi_supplicant) 350# The bootctl HAL runs in passthrough mode under recovery. So we skip the 351# permission in recovery in order not to give system server access to 352# the low-level block devices.
353not_recovery(`hal_client_domain(system_server, hal_bootctl)') 354 355# Talk with graphics composer fences 356allow system_server hal_graphics_composer:fd use; 357 358# Use RenderScript always-passthrough HAL 359allow system_server hal_renderscript_hwservice:hwservice_manager find; 360allow system_server same_process_hal_file:file { execute read open getattr map }; 361 362# Talk to tombstoned to get ANR traces. 363unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 364 365# List HAL interfaces to get ANR traces. 366allow system_server hwservicemanager:hwservice_manager list; 367allow system_server servicemanager:service_manager list; 368 369# Send signals to trigger ANR traces. 370allow system_server { 371 # This is derived from the list that system server defines as interesting native processes 372 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 373 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 374 audioserver 375 cameraserver 376 drmserver 377 gpuservice 378 inputflinger 379 keystore 380 mediadrmserver 381 mediaextractor 382 mediametrics 383 mediaserver 384 mediaswcodec 385 mediatranscoding 386 mediatuner 387 netd 388 sdcardd 389 statsd 390 surfaceflinger 391 vold 392 393 # This list comes from HAL_INTERFACES_OF_INTEREST in 394 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 395 hal_audio_server 396 hal_bluetooth_server 397 hal_camera_server 398 hal_codec2_server 399 hal_face_server 400 hal_fingerprint_server 401 hal_gnss_server 402 hal_graphics_allocator_server 403 hal_graphics_composer_server 404 hal_health_server 405 hal_input_processor_server 406 hal_light_server 407 hal_neuralnetworks_server 408 hal_omx_server 409 hal_power_server 410 hal_power_stats_server 411 hal_sensors_server 412 hal_vibrator_server 413 hal_vr_server 414 system_suspend_server 415}:process { signal }; 416 417# Use sockets received over binder from various services. 
418allow system_server audioserver:tcp_socket rw_socket_perms; 419allow system_server audioserver:udp_socket rw_socket_perms; 420allow system_server mediaserver:tcp_socket rw_socket_perms; 421allow system_server mediaserver:udp_socket rw_socket_perms; 422 423# Use sockets received over binder from various services. 424allow system_server mediadrmserver:tcp_socket rw_socket_perms; 425allow system_server mediadrmserver:udp_socket rw_socket_perms; 426 427# Write trace data to the Perfetto traced daemon. This requires connecting to 428# its producer socket and obtaining a (per-process) tmpfs fd. 429perfetto_producer(system_server) 430 431# Get file context 432allow system_server file_contexts_file:file r_file_perms; 433# access for mac_permissions 434allow system_server mac_perms_file: file r_file_perms; 435# Check SELinux permissions. 436selinux_check_access(system_server) 437 438allow system_server sysfs_type:dir r_dir_perms; 439 440r_dir_file(system_server, sysfs_android_usb) 441allow system_server sysfs_android_usb:file w_file_perms; 442 443r_dir_file(system_server, sysfs_extcon) 444 445r_dir_file(system_server, sysfs_ipv4) 446allow system_server sysfs_ipv4:file w_file_perms; 447 448r_dir_file(system_server, sysfs_rtc) 449r_dir_file(system_server, sysfs_switch) 450 451allow system_server sysfs_nfc_power_writable:file rw_file_perms; 452allow system_server sysfs_power:dir search; 453allow system_server sysfs_power:file rw_file_perms; 454allow system_server sysfs_thermal:dir search; 455allow system_server sysfs_thermal:file r_file_perms; 456allow system_server sysfs_uhid:dir r_dir_perms; 457allow system_server sysfs_uhid:file rw_file_perms; 458 459# TODO: Remove when HALs are forced into separate processes 460allow system_server sysfs_vibrator:file { write append }; 461 462# TODO: added to match above sysfs rule. Remove me? 463allow system_server sysfs_usb:file w_file_perms; 464 465# Access devices. 
466allow system_server device:dir r_dir_perms; 467allow system_server mdns_socket:sock_file rw_file_perms; 468allow system_server gpu_device:chr_file rw_file_perms; 469allow system_server gpu_device:dir r_dir_perms; 470allow system_server sysfs_gpu:file r_file_perms; 471allow system_server input_device:dir r_dir_perms; 472allow system_server input_device:chr_file rw_file_perms; 473allow system_server tty_device:chr_file rw_file_perms; 474allow system_server usbaccessory_device:chr_file rw_file_perms; 475allow system_server video_device:dir r_dir_perms; 476allow system_server video_device:chr_file rw_file_perms; 477allow system_server adbd_socket:sock_file rw_file_perms; 478allow system_server rtc_device:chr_file rw_file_perms; 479allow system_server audio_device:dir r_dir_perms; 480allow system_server uhid_device:chr_file rw_file_perms; 481 482# write access to ALSA interfaces (/dev/snd/*) needed for MIDI 483allow system_server audio_device:chr_file rw_file_perms; 484 485# tun device used for 3rd party vpn apps and test network manager 486allow system_server tun_device:chr_file rw_file_perms; 487allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER }; 488 489# Manage data/ota_package 490allow system_server ota_package_file:dir rw_dir_perms; 491allow system_server ota_package_file:file create_file_perms; 492 493# Manage system data files. 494allow system_server system_data_file:dir create_dir_perms; 495allow system_server system_data_file:notdevfile_class_set create_file_perms; 496allow system_server packages_list_file:file create_file_perms; 497allow system_server game_mode_intervention_list_file:file create_file_perms; 498allow system_server keychain_data_file:dir create_dir_perms; 499allow system_server keychain_data_file:file create_file_perms; 500allow system_server keychain_data_file:lnk_file create_file_perms; 501 502# Read the user parent directories like /data/user. 
Don't allow write access, 503# as vold is responsible for creating and deleting the subdirectories. 504allow system_server system_userdir_file:dir r_dir_perms; 505 506# Manage /data/app. 507allow system_server apk_data_file:dir create_dir_perms; 508allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; 509allow system_server apk_tmp_file:dir create_dir_perms; 510allow system_server apk_tmp_file:file create_file_perms; 511 512# Access input configuration files in the /vendor directory 513r_dir_file(system_server, vendor_keylayout_file) 514r_dir_file(system_server, vendor_keychars_file) 515r_dir_file(system_server, vendor_idc_file) 516 517# Access /vendor/{app,framework,overlay} 518r_dir_file(system_server, vendor_app_file) 519r_dir_file(system_server, vendor_framework_file) 520r_dir_file(system_server, vendor_overlay_file) 521 522# Manage /data/app-private. 523allow system_server apk_private_data_file:dir create_dir_perms; 524allow system_server apk_private_data_file:file create_file_perms; 525allow system_server apk_private_tmp_file:dir create_dir_perms; 526allow system_server apk_private_tmp_file:file create_file_perms; 527 528# Manage files within asec containers. 529allow system_server asec_apk_file:dir create_dir_perms; 530allow system_server asec_apk_file:file create_file_perms; 531allow system_server asec_public_file:file create_file_perms; 532 533# Manage /data/anr. 534# 535# TODO: Some of these permissions can be withdrawn once we've switched to the 536# new stack dumping mechanism, see b/32064548 and the rules below. In particular, 537# the system_server should never need to create a new anr_data_file:file or write 538# to one, but it will still need to read and append to existing files. 539allow system_server anr_data_file:dir create_dir_perms; 540allow system_server anr_data_file:file create_file_perms; 541 542# New stack dumping scheme : request an output FD from tombstoned via a unix 543# domain socket. 
544# 545# Allow system_server to connect and write to the tombstoned java trace socket in 546# order to dump its traces. Also allow the system server to write its traces to 547# dumpstate during bugreport capture and incidentd during incident collection. 548unix_socket_connect(system_server, tombstoned_java_trace, tombstoned) 549allow system_server tombstoned:fd use; 550allow system_server dumpstate:fifo_file append; 551allow system_server incidentd:fifo_file append; 552# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`) 553userdebug_or_eng(` 554 allow system_server su:fifo_file append; 555') 556 557# Allow system_server to read pipes from incidentd (used to deliver incident reports 558# to dropbox) 559allow system_server incidentd:fifo_file read; 560 561# Read /data/misc/incidents - only read. The fd will be sent over binder, 562# with no DAC access to it, for dropbox to read. 563allow system_server incident_data_file:file read; 564 565# Manage /data/misc/prereboot. 566allow system_server prereboot_data_file:dir rw_dir_perms; 567allow system_server prereboot_data_file:file create_file_perms; 568 569# Allow tracing proxy service to read traces. Only the fd is sent over 570# binder. 571allow system_server perfetto_traces_data_file:file { read getattr }; 572allow system_server perfetto:fd use; 573 574# Manage /data/backup. 575allow system_server backup_data_file:dir create_dir_perms; 576allow system_server backup_data_file:file create_file_perms; 577 578# Write to /data/system/dropbox 579allow system_server dropbox_data_file:dir create_dir_perms; 580allow system_server dropbox_data_file:file create_file_perms; 581 582# Write to /data/system/heapdump 583allow system_server heapdump_data_file:dir rw_dir_perms; 584allow system_server heapdump_data_file:file create_file_perms; 585 586# Manage /data/misc/adb. 
587allow system_server adb_keys_file:dir create_dir_perms; 588allow system_server adb_keys_file:file create_file_perms; 589 590# Manage /data/misc/appcompat. 591allow system_server appcompat_data_file:dir rw_dir_perms; 592allow system_server appcompat_data_file:file create_file_perms; 593 594# Manage /data/misc/emergencynumberdb 595allow system_server emergency_data_file:dir create_dir_perms; 596allow system_server emergency_data_file:file create_file_perms; 597 598# Manage /data/misc/network_watchlist 599allow system_server network_watchlist_data_file:dir create_dir_perms; 600allow system_server network_watchlist_data_file:file create_file_perms; 601 602# Manage /data/misc/sms. 603# TODO: Split into a separate type? 604allow system_server radio_data_file:dir create_dir_perms; 605allow system_server radio_data_file:file create_file_perms; 606 607# Manage /data/misc/systemkeys. 608allow system_server systemkeys_data_file:dir create_dir_perms; 609allow system_server systemkeys_data_file:file create_file_perms; 610 611# Manage /data/misc/textclassifier. 612allow system_server textclassifier_data_file:dir create_dir_perms; 613allow system_server textclassifier_data_file:file create_file_perms; 614 615# Manage /data/tombstones. 616allow system_server tombstone_data_file:dir rw_dir_perms; 617allow system_server tombstone_data_file:file create_file_perms; 618 619# Manage /data/misc/vpn. 620allow system_server vpn_data_file:dir create_dir_perms; 621allow system_server vpn_data_file:file create_file_perms; 622 623# Manage /data/misc/wifi. 624allow system_server wifi_data_file:dir create_dir_perms; 625allow system_server wifi_data_file:file create_file_perms; 626 627# Manage /data/app-staging. 628allow system_server staging_data_file:dir create_dir_perms; 629allow system_server staging_data_file:file create_file_perms; 630 631# Manage /data/rollback. 
632allow system_server staging_data_file:{ file lnk_file } { create_file_perms link }; 633 634# Walk /data/data subdirectories. 635allow system_server app_data_file_type:dir { getattr read search }; 636 637# Also permit for unlabeled /data/data subdirectories and 638# for unlabeled asec containers on upgrades from 4.2. 639allow system_server unlabeled:dir r_dir_perms; 640# Read pkg.apk file before it has been relabeled by vold. 641allow system_server unlabeled:file r_file_perms; 642 643# Populate com.android.providers.settings/databases/settings.db. 644allow system_server system_app_data_file:dir create_dir_perms; 645allow system_server system_app_data_file:file create_file_perms; 646 647# Receive and use open app data files passed over binder IPC. 648allow system_server app_data_file_type:file { getattr read write append map }; 649 650# Access to /data/media for measuring disk usage. 651allow system_server media_rw_data_file:dir { search getattr open read }; 652 653# Receive and use open /data/media files passed over binder IPC. 654# Also used for measuring disk usage. 655allow system_server media_rw_data_file:file { getattr read write append }; 656 657# System server needs to setfscreate to packages_list_file when writing 658# /data/system/packages.list 659allow system_server system_server:process setfscreate; 660 661# Relabel apk files. 662allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 663allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 664# Allow PackageManager to: 665# 1. rename file from /data/app-staging folder to /data/app 666# 2. relabel files (linked to /data/rollback) under /data/app-staging 667# during staged apk/apex install. 668allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto }; 669 670# Relabel wallpaper. 
671allow system_server system_data_file:file relabelfrom; 672allow system_server wallpaper_file:file relabelto; 673allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 674 675# Backup of wallpaper imagery uses temporary hard links to avoid data churn 676allow system_server { system_data_file wallpaper_file }:file link; 677 678# ShortcutManager icons 679allow system_server system_data_file:dir relabelfrom; 680allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 681allow system_server shortcut_manager_icons:file create_file_perms; 682 683# Manage ringtones. 684allow system_server ringtone_file:dir { create_dir_perms relabelto }; 685allow system_server ringtone_file:file create_file_perms; 686 687# Relabel icon file. 688allow system_server icon_file:file relabelto; 689allow system_server icon_file:file { rw_file_perms unlink }; 690 691# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 692allow system_server system_data_file:dir relabelfrom; 693 694# server_configurable_flags_data_file is used for storing server configurable flags which 695# have been reset during the current boot. system_server needs to read the data to perform related 696# disaster recovery actions.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;

# Property Service write.
# Every set_prop() below is a write grant on a property context; several of
# them are control surfaces rather than plain settings (ctl_* props are
# requests to init, powerctl_prop presumably drives sys.powerctl, i.e.
# reboot/shutdown). Keep this list tight: system_server is the largest
# attack surface on the device, and a property it can set is a property a
# compromised system_server can set.
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
set_prop(system_server, bluetooth_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
# Debug-only property writes: never granted on user builds.
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')

# ctl interface (ctl.start / ctl.stop / ctl.restart style requests to init).
# ctl_default_prop is presumably the catch-all label for ctl.* names that have
# no more specific context, so this effectively lets system_server drive init
# services -- verify against property_contexts before widening further.
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)

# cppreopt property
set_prop(system_server, cppreopt_prop)

# server configurable flags properties (DeviceConfig -> native consumers).
# The neverallow block further down ("Only allow init, system_server,
# flags_health_check ...") is meant to be the authoritative writer list for
# these contexts; see the NOTE(review) there about contexts that appear here
# but not in that block.
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)

# Allow querying the ART device config properties.
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)

# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)

# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)

# Read device's serial number from system properties
get_prop(system_server, serialno_prop)

# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)

# StorageManager service reads media config while checking if transcoding is supported.
get_prop(system_server, media_config_prop)

# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)

# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)

# Read gsid.image_running.
get_prop(system_server, gsid_prop)

# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)

# Read the property used as the feature flag for protecting APKs with fs-verity.
get_prop(system_server, apk_verity_prop)

# Read wifi.interface
get_prop(system_server, wifi_prop)

# Read the vendor property that indicates whether Incremental features are enabled
get_prop(system_server, incremental_prop)

# Read ro.zram. properties
get_prop(system_server, zram_config_prop)

# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)

# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)

# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)

# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)

# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)

# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)

# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
# Write tuner.server.enable
set_prop(system_server, tuner_server_ctl_prop)

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)

# Create a socket for connections from debuggerd.
# Who may connect to it is pinned by the system_ndebug_socket neverallow below.
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Create a socket for connections from zygotes.
# Who may connect to it is pinned by the system_unsolzygote_socket neverallow below.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;

# Manage cache files.
# relabelfrom lets system_server re-type existing cache entries; the matching
# relabelto targets must be granted elsewhere.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;

# ART locks profile files.
allow system_server system_file:file lock;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
# These objects are created by (untrusted) apps and reach system_server via
# fd passing; the grant is read/write on the descriptor only, not connect or
# create, so system_server cannot open new endpoints on an app's behalf.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir create_dir_perms;
allow system_server cache_private_backup_file:file create_file_perms;

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name add_name };
allow system_server fscklogs:file rename;

# logd access, system_server inherits the logd write socket from zygote
# (the urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;

# Binder services system_server registers and looks up.
# "find" only permits resolving the handle; calling the service still needs
# a binder_call() grant for that server domain (mostly inherited from
# coredomain / attributes declared at the top of this file).
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
userdebug_or_eng(`
    allow system_server profcollectd_service:service_manager find;
')

add_service(system_server, batteryproperties_service)

# Legacy (keystore v1) permission vector. This is the full management set,
# including reset / clear_uid / user_changed, which is why system_server is
# the trusted caller for lock-screen and user lifecycle events.
allow system_server keystore:keystore_key {
    get_state
    get
    insert
    delete
    exist
    list
    reset
    password
    lock
    unlock
    is_empty
    sign
    verify
    grant
    duplicate
    clear_uid
    add_auth
    user_changed
};

# Keystore2 maintenance / lifecycle operations (lock, unlock, password and
# user changes, per-namespace and per-uid wipes).
allow system_server keystore:keystore2 {
    add_auth
    change_password
    change_user
    clear_ns
    clear_uid
    get_state
    lock
    pull_metrics
    reset
    unlock
};

# Keystore2 operations on keys in system_server's own namespace.
# use_dev_id covers attestation with device identifiers.
allow system_server keystore:keystore2_key {
    delete
    use_dev_id
    grant
    get_info
    rebind
    update
    use
};

# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};


# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# This is the ONLY block device system_server may write (see the dev_type
# neverallow further down); the ioctl set is pinned to discard operations.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };

# /oem access
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
# (anything beyond getattr/search on these types is neverallowed below).
allow system_server { sdcard_type fuse }:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

# Debug-only tracing and dmesg access; none of this exists on user builds.
userdebug_or_eng(`
    # Allow system server to create and write method traces in /data/misc/trace.
    allow system_server method_trace_data_file:dir w_dir_perms;
    allow system_server method_trace_data_file:file { create w_file_perms };

    # Allow system server to read dmesg
    allow system_server kernel:system syslog_read;

    # Allow writing and removing window traces in /data/misc/wmtrace.
    allow system_server wm_trace_data_file:dir rw_dir_perms;
    allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };

    # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
    allow system_server accessibility_trace_data_file:dir rw_dir_perms;
    allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Allow invoking tools like "timeout".
# toolbox_exec is one of the very few file types system_server may exec
# without a domain transition; see the execute_no_trans neverallow below.
allow system_server toolbox_exec:file rx_file_perms;

# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;

# Allow system process to measure fs-verity for apps, apps being installed and system files
allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
# The bare ioctl grant on system_file is bounded by the allowxperm rules for
# system_server/system_file (FS_IOC_MEASURE_VERITY above, plus any others in
# the policy): once an allowxperm exists for a source/target/class triple,
# ioctl commands not listed are denied. Do not remove the allowxperm without
# revisiting this line.
allow system_server system_file:file ioctl;

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;

# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;

# procfs reads used for stats and accounting (read-only).
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
    proc_cmdline
    proc_loadavg
    proc_locks
    proc_meminfo
    proc_pagetypeinfo
    proc_pipe_conf
    proc_stat
    proc_uid_cputime_showstat
    proc_uid_io_stats
    proc_uid_time_in_state
    proc_uid_concurrent_active_time
    proc_uid_concurrent_policy_time
    proc_version
    proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;

# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper. These types are carved out of the execute_no_trans neverallow
# below under the same with_asan() condition.
with_asan(`
    allow system_server shell_exec:file rx_file_perms;
    allow system_server asanwrapper_exec:file rx_file_perms;
    allow system_server zygote_exec:file rx_file_perms;
')

# allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after a snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting.
# prog_run lets system_server execute bpfloader-owned programs but not load
# new ones; map_write is the sensitive bit (it can alter accounting data).
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;

# Allow system_server to start clatd in its own domain and kill it.
# This is one of only two process transitions system_server may perform
# (the other is crash_dump); see the transition neverallow below.
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process { sigkill signal };

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able to create files but it should never read from them.
# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir rw_dir_perms;

# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
    allow system_server user_profile_data_file:dir w_dir_perms;
    allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
# Reading that property is restricted to system_server (and a few
# debug/init domains) by a neverallow further down.
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know whether it should expect lmkd to send it
# notifications on low memory kills.
get_prop(system_server, system_lmk_prop)

get_prop(system_server, wifi_config_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
# (enforced for every other domain by the neverallowxperm below).
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Watchdog prints debugging log to /dev/kmsg_debug.
userdebug_or_eng(`
    allow system_server kmsg_debug_device:chr_file { open append getattr };
')
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)


# Font files are written by system server
# (and only by system server / init; see the font_data_file neverallows below).
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
# Allow system process to setup and measure fs-verity for font files
allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };

# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)

# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server { sdcard_type fuse }:dir { open read write };
neverallow system_server { sdcard_type fuse }:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
    app_data_file_type
    -system_app_data_file
    -radio_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
neverallow system_server {
    file_type
    -toolbox_exec
    -logcat_exec
    with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
neverallow system_server { domain -clatd -crash_dump }:process transition;
neverallow system_server *:process dyntransition;

# Only allow crash_dump to connect to system_ndebug_socket.
# init is exempted too, presumably for socket setup/relabel at boot.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
    domain
    -init
    -system_server
    -zygote
    -app_zygote
    -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags
#
# NOTE(review): this list is a strict subset of the device_config_* contexts
# system_server is granted set_prop() on above. Not covered here:
# device_config_camera_native_prop, device_config_profcollect_native_boot_prop,
# device_config_statsd_native_prop, device_config_statsd_native_boot_prop,
# device_config_configuration_prop, device_config_vendor_system_native_prop,
# device_config_vendor_system_native_boot_prop,
# device_config_virtualization_framework_native_prop,
# device_config_memory_safety_native_boot_prop and
# device_config_memory_safety_native_prop. Some of those may be deliberately
# writable by other domains (e.g. vendor_init for the vendor_system ones) or
# pinned by a neverallow elsewhere in the policy -- confirm, and either add
# them here or record why they are excluded.
neverallow {
    domain
    -init
    -system_server
    -flags_health_check
} {
    device_config_activity_manager_native_boot_prop
    device_config_connectivity_prop
    device_config_input_native_boot_prop
    device_config_lmkd_native_prop
    device_config_netd_native_prop
    device_config_nnapi_native_prop
    device_config_edgetpu_native_prop
    device_config_runtime_native_boot_prop
    device_config_runtime_native_prop
    device_config_media_native_prop
    device_config_mglru_native_prop
    device_config_remote_key_provisioning_native_prop
    device_config_storage_native_boot_prop
    device_config_surface_flinger_native_boot_prop
    device_config_sys_traced_prop
    device_config_swcodec_native_prop
    device_config_window_manager_native_boot_prop
    device_config_tethering_u_or_later_native_prop
}:property_service set;

# Only allow system_server and init to set tuner_server_ctl_prop
neverallow {
    domain
    -system_server
    -init
} tuner_server_ctl_prop:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
# The system_server may need to read from vd_device if it uses
# block apexes.
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
# NOTE: when the build variable is `true` the execmem neverallow is dropped
# entirely, not just relaxed -- such builds must never be treated as
# representative of the shipping policy.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
    `allow system_server self:process execmem;',
    `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;

# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate to system-suspend's wakelock interface
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
    apex_appsearch_data_file
    apex_permission_data_file
    apex_scheduling_data_file
    apex_tethering_data_file
    apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
    apex_appsearch_data_file
    apex_permission_data_file
    apex_scheduling_data_file
    apex_tethering_data_file
    apex_wifi_data_file
}:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
# /metadata survives factory reset; access to these types is restricted to
# init and system_server by the neverallows below.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
allow system_server userspace_reboot_metadata_file:file create_file_perms;

# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;

allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;

allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;

allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;

# Allow system server to read and remove files under /data/misc/odrefresh
allow system_server odrefresh_data_file:dir rw_dir_perms;
allow system_server odrefresh_data_file:file { r_file_perms unlink };

# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;

# Allow system_server to set the sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)

# JVMTI agent settings are only readable from the system server.
neverallow {
    domain
    -system_server
    -dumpstate
    -init
    -vendor_init
} {
    system_jvmti_agent_prop
}:file no_rw_file_perms;

# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;

# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;

# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;

# Only system_server/init should access /metadata/password_slots.
# NOTE(review): the `~{ relabelto getattr }` rule is fully subsumed by the `*`
# rule that follows it (denying everything necessarily denies everything
# except two permissions); it is harmless but redundant and can be dropped
# in a dedicated cleanup.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow {
    domain
    -init
    -system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

# Only system_server/init should access /metadata/userspacereboot.
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;

# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
    binder_cache_system_server_prop:property_service set;

# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
# The neverallow pins the allow above exactly: widening one without the other
# fails policy compilation, which is the intent.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };

# Allow writing files under /data/system/shutdown-checkpoints/
allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;

# Do not allow any domain other than init or system server to set these properties
# (the matching set_prop grants are in the "Property Service write" list above).
neverallow { domain -init -system_server } socket_hook_prop:property_service set;

neverallow { domain -init -system_server } boot_status_prop:property_service set;

neverallow {
    domain
    -init
    -vendor_init
    -dumpstate
    -system_server
} wifi_config_prop:file no_rw_file_perms;

# Only allow system server to write uhid sysfs files
neverallow {
    domain
    -init
    -system_server
    -ueventd
    -vendor_init
} sysfs_uhid:file no_w_file_perms;

# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;

# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)

# Allow system server to read binderfs
allow system_server binderfs_logs:dir r_dir_perms;
allow system_server binderfs_logs_stats:file r_file_perms;