1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5 6typeattribute system_server coredomain; 7typeattribute system_server mlstrustedsubject; 8typeattribute system_server remote_provisioning_service_server; 9typeattribute system_server scheduler_service_server; 10typeattribute system_server sensor_service_server; 11typeattribute system_server stats_service_server; 12typeattribute system_server bpfdomain; 13 14# Define a type for tmpfs-backed ashmem regions. 15tmpfs_domain(system_server) 16 17userfaultfd_use(system_server) 18 19# Create a socket for connections from crash_dump. 20type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 21 22# Create a socket for connections from zygotes. 23type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; 24 25allow system_server zygote_tmpfs:file { map read }; 26allow system_server appdomain_tmpfs:file { getattr map read write }; 27 28# For Incremental Service to check if incfs is available 29allow system_server proc_filesystems:file r_file_perms; 30 31# To create files, get permission to fill blocks, and configure Incremental File System 32allow system_server incremental_control_file:file { ioctl r_file_perms }; 33allowxperm system_server incremental_control_file:file ioctl { 34 INCFS_IOCTL_CREATE_FILE 35 INCFS_IOCTL_CREATE_MAPPED_FILE 36 INCFS_IOCTL_PERMIT_FILL 37 INCFS_IOCTL_GET_READ_TIMEOUTS 38 INCFS_IOCTL_SET_READ_TIMEOUTS 39 INCFS_IOCTL_GET_LAST_READ_ERROR 40}; 41 42# To get signature of an APK installed on Incremental File System, and fill in data 43# blocks and get the filesystem state 44allowxperm system_server apk_data_file:file ioctl { 45 INCFS_IOCTL_READ_SIGNATURE 46 INCFS_IOCTL_FILL_BLOCKS 47 INCFS_IOCTL_GET_FILLED_BLOCKS 48 INCFS_IOCTL_GET_BLOCK_COUNT 49 F2FS_IOC_GET_FEATURES 50 F2FS_IOC_GET_COMPRESS_BLOCKS 51 F2FS_IOC_COMPRESS_FILE 52 F2FS_IOC_DECOMPRESS_FILE 53 
F2FS_IOC_RELEASE_COMPRESS_BLOCKS 54 F2FS_IOC_RESERVE_COMPRESS_BLOCKS 55 FS_IOC_SETFLAGS 56 FS_IOC_GETFLAGS 57}; 58 59allowxperm system_server apk_tmp_file:file ioctl { 60 F2FS_IOC_RELEASE_COMPRESS_BLOCKS 61 FS_IOC_GETFLAGS 62}; 63 64# For Incremental Service to check incfs metrics 65allow system_server sysfs_fs_incfs_metrics:file r_file_perms; 66 67# For f2fs-compression support 68allow system_server sysfs_fs_f2fs:dir r_dir_perms; 69allow system_server sysfs_fs_f2fs:file r_file_perms; 70 71# For SdkSandboxManagerService 72allow system_server sdk_sandbox_system_data_file:dir create_dir_perms; 73 74# For art. 75allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms; 76allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms; 77 78# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`. 79# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a 80# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks 81# system_server. It fails to be loaded when the jar is used as a shared library, which is expected. 82dontaudit system_server apex_art_data_file:file execute; 83 84# For release odex/vdex compress blocks 85allowxperm system_server dalvikcache_data_file:file ioctl { 86 F2FS_IOC_RELEASE_COMPRESS_BLOCKS 87 FS_IOC_GETFLAGS 88}; 89 90# When running system server under --invoke-with, we'll try to load the boot image under the 91# system server domain, following links to the system partition. 92with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') 93 94# /data/resource-cache 95allow system_server resourcecache_data_file:file r_file_perms; 96allow system_server resourcecache_data_file:dir r_dir_perms; 97 98# ptrace to processes in the same domain for debugging crashes. 99allow system_server self:process ptrace; 100 101# Child of the zygote. 
102allow system_server zygote:fd use; 103allow system_server zygote:process sigchld; 104 105# May kill zygote (or its child processes) on crashes. 106allow system_server { 107 app_zygote 108 crash_dump 109 crosvm 110 virtualizationmanager 111 webview_zygote 112 zygote 113}:process { getpgid sigkill signull }; 114 115# Read /system/bin/app_process. 116allow system_server zygote_exec:file r_file_perms; 117 118# Needed to close the zygote socket, which involves getopt / getattr 119allow system_server zygote:unix_stream_socket { getopt getattr }; 120 121# system server gets network and bluetooth permissions. 122net_domain(system_server) 123# in addition to ioctls allowlisted for all domains, also allow system_server 124# to use privileged ioctls commands. Needed to set up VPNs. 125allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 126bluetooth_domain(system_server) 127 128# Allow setup of tcp keepalive offload. This gives system_server the permission to 129# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to 130# be granted individually, except for a small set of safe values allowlisted in 131# public/domain.te. 132allow system_server appdomain:tcp_socket ioctl; 133 134# These are the capabilities assigned by the zygote to the 135# system server. 136allow system_server self:global_capability_class_set { 137 ipc_lock 138 kill 139 net_admin 140 net_bind_service 141 net_broadcast 142 net_raw 143 sys_boot 144 sys_nice 145 sys_ptrace 146 sys_time 147 sys_tty_config 148}; 149 150# Allow alarmtimers to be set 151allow system_server self:global_capability2_class_set wake_alarm; 152 153# Create and share netlink_netfilter_sockets for tetheroffload. 154allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; 155 156# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps. 
157allow system_server self:netlink_tcpdiag_socket 158 { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; 159 160# Use netlink uevent sockets. 161allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 162 163allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl; 164 165# Use generic netlink sockets. 166allow system_server self:netlink_socket create_socket_perms_no_ioctl; 167allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 168 169# libvintf reads the kernel config to verify vendor interface compatibility. 170allow system_server config_gz:file { read open }; 171 172# Use generic "sockets" where the address family is not known 173# to the kernel. The ioctl permission is specifically omitted here, but may 174# be added to device specific policy along with the ioctl commands to be 175# allowlisted. 176allow system_server self:socket create_socket_perms_no_ioctl; 177 178# Set and get routes directly via netlink. 179allow system_server self:netlink_route_socket nlmsg_write; 180 181# Use XFRM (IPsec) netlink sockets 182allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read }; 183 184# Kill apps. 185allow system_server appdomain:process { getpgid sigkill signal }; 186# signull allowed for kill(pid, 0) existence test. 187allow system_server appdomain:process { signull }; 188 189# Set scheduling info for apps. 
190allow system_server appdomain:process { getsched setsched }; 191allow system_server audioserver:process { getsched setsched }; 192allow system_server hal_audio:process { getsched setsched }; 193allow system_server hal_bluetooth:process { getsched setsched }; 194allow system_server hal_codec2_server:process { getsched setsched }; 195allow system_server hal_omx_server:process { getsched setsched }; 196allow system_server mediaswcodec:process { getsched setsched }; 197allow system_server cameraserver:process { getsched setsched }; 198allow system_server hal_camera:process { getsched setsched }; 199allow system_server mediaserver:process { getsched setsched }; 200allow system_server bootanim:process { getsched setsched }; 201 202# Set scheduling info for psi monitor thread. 203# TODO: delete this line b/131761776 204allow system_server kernel:process { getsched setsched }; 205 206# Allow system_server to write to /proc/<pid>/* 207allow system_server domain:file w_file_perms; 208 209# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 210# within system_server to keep track of memory and CPU usage for 211# all processes on the device. In addition, /proc/pid files access is needed 212# for dumping stack traces of native processes. 213r_dir_file(system_server, domain) 214 215# Write /proc/uid_cputime/remove_uid_range. 216allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 217 218# Write /proc/uid_procstat/set. 219allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 220 221# Write to /proc/sysrq-trigger. 222allow system_server proc_sysrq:file rw_file_perms; 223 224# Delete /data/misc/stats-service/ directories. 
225allow system_server stats_config_data_file:dir { open read remove_name search write }; 226allow system_server stats_config_data_file:file unlink; 227 228# Read metric file & upload to statsd 229allow system_server odsign_data_file:dir search; 230allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name }; 231allow system_server odsign_metrics_file:file { r_file_perms unlink }; 232 233# Read /sys/kernel/debug/wakeup_sources. 234no_debugfs_restriction(` 235 allow system_server debugfs_wakeup_sources:file r_file_perms; 236') 237 238# Read /sys/kernel/ion/*. 239allow system_server sysfs_ion:file r_file_perms; 240 241# Read /sys/kernel/dma_heap/*. 242allow system_server sysfs_dma_heap:file r_file_perms; 243 244# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf. 245allow system_server sysfs_dmabuf_stats:dir r_dir_perms; 246allow system_server sysfs_dmabuf_stats:file r_file_perms; 247 248# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap 249# for dumpsys meminfo 250allow system_server dmabuf_heap_device:dir r_dir_perms; 251 252# Allow reading /proc/vmstat for the oom kill count 253allow system_server proc_vmstat:file r_file_perms; 254 255# The DhcpClient and WifiWatchdog use packet_sockets 256allow system_server self:packet_socket create_socket_perms_no_ioctl; 257 258# 3rd party VPN clients require a tun_socket to be created 259allow system_server self:tun_socket create_socket_perms_no_ioctl; 260 261# Talk to init and various daemons via sockets. 262unix_socket_connect(system_server, lmkd, lmkd) 263unix_socket_connect(system_server, zygote, zygote) 264unix_socket_connect(system_server, uncrypt, uncrypt) 265 266# Allow system_server to write to statsd. 267unix_socket_send(system_server, statsdw, statsd) 268 269# Communicate over a socket created by surfaceflinger. 
270allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 271 272allow system_server gpuservice:unix_stream_socket { read write setopt }; 273 274# Communicate over a socket created by webview_zygote. 275allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 276 277# Communicate over a socket created by app_zygote. 278allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; 279 280# Perform Binder IPC. 281binder_use(system_server) 282binder_call(system_server, appdomain) 283binder_call(system_server, artd) 284binder_call(system_server, binderservicedomain) 285binder_call(system_server, composd) 286binder_call(system_server, dexopt_chroot_setup) 287binder_call(system_server, dumpstate) 288binder_call(system_server, fingerprintd) 289binder_call(system_server, gatekeeperd) 290binder_call(system_server, gpuservice) 291binder_call(system_server, idmap) 292binder_call(system_server, installd) 293binder_call(system_server, incidentd) 294binder_call(system_server, netd) 295binder_call(system_server, ot_daemon) 296userdebug_or_eng(`binder_call(system_server, profcollectd)') 297binder_call(system_server, statsd) 298binder_call(system_server, storaged) 299binder_call(system_server, update_engine) 300binder_call(system_server, virtual_camera) 301binder_call(system_server, vold) 302binder_call(system_server, logd) 303binder_call(system_server, wificond) 304binder_call(system_server, uprobestats) 305binder_service(system_server) 306 307# Use HALs 308hal_client_domain(system_server, hal_allocator) 309hal_client_domain(system_server, hal_audio) 310hal_client_domain(system_server, hal_authgraph) 311hal_client_domain(system_server, hal_authsecret) 312hal_client_domain(system_server, hal_bluetooth) 313hal_client_domain(system_server, hal_broadcastradio) 314hal_client_domain(system_server, hal_codec2) 315hal_client_domain(system_server, hal_configstore) 316hal_client_domain(system_server, hal_contexthub) 
317hal_client_domain(system_server, hal_face) 318hal_client_domain(system_server, hal_fingerprint) 319hal_client_domain(system_server, hal_gnss) 320hal_client_domain(system_server, hal_graphics_allocator) 321hal_client_domain(system_server, hal_health) 322hal_client_domain(system_server, hal_input_classifier) 323hal_client_domain(system_server, hal_input_processor) 324hal_client_domain(system_server, hal_ir) 325hal_client_domain(system_server, hal_keymint) 326hal_client_domain(system_server, hal_light) 327hal_client_domain(system_server, hal_memtrack) 328hal_client_domain(system_server, hal_neuralnetworks) 329hal_client_domain(system_server, hal_oemlock) 330hal_client_domain(system_server, hal_omx) 331hal_client_domain(system_server, hal_power) 332hal_client_domain(system_server, hal_power_stats) 333hal_client_domain(system_server, hal_rebootescrow) 334hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf) 335hal_client_domain(system_server, hal_sensors) 336hal_client_domain(system_server, hal_secretkeeper) 337hal_client_domain(system_server, hal_tetheroffload) 338hal_client_domain(system_server, hal_thermal) 339hal_client_domain(system_server, hal_threadnetwork) 340hal_client_domain(system_server, hal_tv_cec) 341hal_client_domain(system_server, hal_tv_hdmi_cec) 342hal_client_domain(system_server, hal_tv_hdmi_connection) 343hal_client_domain(system_server, hal_tv_hdmi_earc) 344hal_client_domain(system_server, hal_tv_input) 345hal_client_domain(system_server, hal_usb) 346hal_client_domain(system_server, hal_usb_gadget) 347hal_client_domain(system_server, hal_uwb) 348hal_client_domain(system_server, hal_vibrator) 349hal_client_domain(system_server, hal_vr) 350hal_client_domain(system_server, hal_weaver) 351hal_client_domain(system_server, hal_wifi) 352hal_client_domain(system_server, hal_wifi_hostapd) 353hal_client_domain(system_server, hal_wifi_supplicant) 354# The bootctl is a pass through HAL mode under recovery mode. 
So we skip the 355# permission for recovery in order not to give system server the access to 356# the low level block devices. 357not_recovery(`hal_client_domain(system_server, hal_bootctl)') 358 359# Talk with graphics composer fences 360allow system_server hal_graphics_composer:fd use; 361 362# Use RenderScript always-passthrough HAL 363allow system_server hal_renderscript_hwservice:hwservice_manager find; 364allow system_server same_process_hal_file:file { execute read open getattr map }; 365 366# Talk to tombstoned to get ANR traces. 367unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 368 369# List HAL interfaces to get ANR traces. 370allow system_server hwservicemanager:hwservice_manager list; 371allow system_server servicemanager:service_manager list; 372 373# Send signals to trigger ANR traces. 374allow system_server { 375 # This is derived from the list that system server defines as interesting native processes 376 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 377 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 378 artd 379 audioserver 380 cameraserver 381 drmserver 382 gpuservice 383 inputflinger 384 keystore 385 mediadrmserver 386 mediaextractor 387 mediametrics 388 mediaserver 389 mediaswcodec 390 mediatranscoding 391 mediatuner 392 netd 393 sdcardd 394 servicemanager 395 statsd 396 surfaceflinger 397 vold 398 399 # This list comes from HAL_INTERFACES_OF_INTEREST in 400 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 
401 hal_audio_server 402 hal_bluetooth_server 403 hal_camera_server 404 hal_codec2_server 405 hal_drm_server 406 hal_face_server 407 hal_fingerprint_server 408 hal_gnss_server 409 hal_graphics_allocator_server 410 hal_graphics_composer_server 411 hal_health_server 412 hal_input_processor_server 413 hal_light_server 414 hal_neuralnetworks_server 415 hal_omx_server 416 hal_power_server 417 hal_power_stats_server 418 hal_sensors_server 419 hal_vibrator_server 420 hal_vr_server 421 system_suspend_server 422}:process { signal }; 423 424# Use sockets received over binder from various services. 425allow system_server audioserver:tcp_socket rw_socket_perms; 426allow system_server audioserver:udp_socket rw_socket_perms; 427allow system_server mediaserver:tcp_socket rw_socket_perms; 428allow system_server mediaserver:udp_socket rw_socket_perms; 429 430# Use sockets received over binder from various services. 431allow system_server mediadrmserver:tcp_socket rw_socket_perms; 432allow system_server mediadrmserver:udp_socket rw_socket_perms; 433 434# Write trace data to the Perfetto traced daemon. This requires connecting to 435# its producer socket and obtaining a (per-process) tmpfs fd. 436perfetto_producer(system_server) 437 438# Get file context 439allow system_server file_contexts_file:file r_file_perms; 440# access for mac_permissions 441allow system_server mac_perms_file: file r_file_perms; 442# Check SELinux permissions. 
443selinux_check_access(system_server) 444 445allow system_server sysfs_type:dir r_dir_perms; 446 447r_dir_file(system_server, sysfs_android_usb) 448allow system_server sysfs_android_usb:file w_file_perms; 449 450r_dir_file(system_server, sysfs_extcon) 451 452r_dir_file(system_server, sysfs_ipv4) 453allow system_server sysfs_ipv4:file w_file_perms; 454 455r_dir_file(system_server, sysfs_rtc) 456r_dir_file(system_server, sysfs_switch) 457 458allow system_server sysfs_nfc_power_writable:file rw_file_perms; 459allow system_server sysfs_power:dir search; 460allow system_server sysfs_power:file rw_file_perms; 461allow system_server sysfs_thermal:dir search; 462allow system_server sysfs_thermal:file r_file_perms; 463allow system_server sysfs_uhid:dir r_dir_perms; 464allow system_server sysfs_uhid:file rw_file_perms; 465 466# TODO: Remove when HALs are forced into separate processes 467allow system_server sysfs_vibrator:file { write append }; 468 469# TODO: added to match above sysfs rule. Remove me? 470allow system_server sysfs_usb:file w_file_perms; 471 472# Access devices. 
473allow system_server device:dir r_dir_perms; 474allow system_server mdns_socket:sock_file rw_file_perms; 475allow system_server gpu_device:chr_file rw_file_perms; 476allow system_server gpu_device:dir r_dir_perms; 477allow system_server sysfs_gpu:file r_file_perms; 478allow system_server input_device:dir r_dir_perms; 479allow system_server input_device:chr_file rw_file_perms; 480allow system_server tty_device:chr_file rw_file_perms; 481allow system_server usbaccessory_device:chr_file rw_file_perms; 482allow system_server video_device:dir r_dir_perms; 483allow system_server video_device:chr_file rw_file_perms; 484allow system_server adbd_socket:sock_file rw_file_perms; 485allow system_server rtc_device:chr_file rw_file_perms; 486allow system_server audio_device:dir r_dir_perms; 487allow system_server uhid_device:chr_file rw_file_perms; 488allow system_server hidraw_device:dir r_dir_perms; 489allow system_server hidraw_device:chr_file rw_file_perms; 490 491# write access to ALSA interfaces (/dev/snd/*) needed for MIDI 492allow system_server audio_device:chr_file rw_file_perms; 493 494# tun device used for 3rd party vpn apps and test network manager 495allow system_server tun_device:chr_file rw_file_perms; 496allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER }; 497 498# Manage data/ota_package 499allow system_server ota_package_file:dir rw_dir_perms; 500allow system_server ota_package_file:file create_file_perms; 501 502# Manage system data files. 
503allow system_server system_data_file:dir create_dir_perms; 504allow system_server system_data_file:notdevfile_class_set create_file_perms; 505allow system_server packages_list_file:file create_file_perms; 506allow system_server game_mode_intervention_list_file:file create_file_perms; 507allow system_server keychain_data_file:dir create_dir_perms; 508allow system_server keychain_data_file:file create_file_perms; 509allow system_server keychain_data_file:lnk_file create_file_perms; 510 511# Read the user parent directories like /data/user. Don't allow write access, 512# as vold is responsible for creating and deleting the subdirectories. 513allow system_server system_userdir_file:dir r_dir_perms; 514 515# Manage /data/app. 516allow system_server apk_data_file:dir create_dir_perms; 517allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; 518allow system_server apk_tmp_file:dir create_dir_perms; 519allow system_server apk_tmp_file:file create_file_perms; 520 521# Manage /data/app-metadata 522allow system_server apk_metadata_file:dir create_dir_perms; 523allow system_server apk_metadata_file:file create_file_perms; 524 525# Access input configuration files in the /vendor directory 526r_dir_file(system_server, vendor_keylayout_file) 527r_dir_file(system_server, vendor_keychars_file) 528r_dir_file(system_server, vendor_idc_file) 529get_prop(system_server, input_device_config_prop) 530 531# Access /vendor/{app,framework,overlay} 532r_dir_file(system_server, vendor_app_file) 533r_dir_file(system_server, vendor_framework_file) 534r_dir_file(system_server, vendor_overlay_file) 535 536# Manage /data/app-private. 537allow system_server apk_private_data_file:dir create_dir_perms; 538allow system_server apk_private_data_file:file create_file_perms; 539allow system_server apk_private_tmp_file:dir create_dir_perms; 540allow system_server apk_private_tmp_file:file create_file_perms; 541 542# Manage files within asec containers. 
543allow system_server asec_apk_file:dir create_dir_perms; 544allow system_server asec_apk_file:file create_file_perms; 545allow system_server asec_public_file:file create_file_perms; 546 547# Manage /data/anr. 548# 549# TODO: Some of these permissions can be withdrawn once we've switched to the 550# new stack dumping mechanism, see b/32064548 and the rules below. In particular, 551# the system_server should never need to create a new anr_data_file:file or write 552# to one, but it will still need to read and append to existing files. 553allow system_server anr_data_file:dir create_dir_perms; 554allow system_server anr_data_file:file create_file_perms; 555 556# New stack dumping scheme : request an output FD from tombstoned via a unix 557# domain socket. 558# 559# Allow system_server to connect and write to the tombstoned java trace socket in 560# order to dump its traces. Also allow the system server to write its traces to 561# dumpstate during bugreport capture and incidentd during incident collection. 562unix_socket_connect(system_server, tombstoned_java_trace, tombstoned) 563allow system_server tombstoned:fd use; 564allow system_server dumpstate:fifo_file append; 565allow system_server incidentd:fifo_file append; 566# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`) 567userdebug_or_eng(` 568 allow system_server su:fifo_file append; 569') 570 571# Allow system_server to read pipes from incidentd (used to deliver incident reports 572# to dropbox) 573allow system_server incidentd:fifo_file read; 574 575# Read /data/misc/incidents - only read. The fd will be sent over binder, 576# with no DAC access to it, for dropbox to read. 577allow system_server incident_data_file:file read; 578 579# Manage /data/misc/prereboot. 580allow system_server prereboot_data_file:dir rw_dir_perms; 581allow system_server prereboot_data_file:file create_file_perms; 582 583# Allow tracing proxy service to read traces. Only the fd is sent over 584# binder. 
585allow system_server perfetto_traces_data_file:file { read getattr }; 586allow system_server perfetto:fd use; 587 588# Allow system_server to exec the perfetto cmdline client and pass it a trace config 589domain_auto_trans(system_server, perfetto_exec, perfetto); 590allow system_server perfetto:fifo_file { read write }; 591 592# Allow system server to manage perfetto traces for ProfilingService. 593allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms; 594allow system_server perfetto_traces_profiling_data_file:file create_file_perms; 595allow system_server perfetto_traces_data_file:dir search; 596 597# Allow system server to exec the trace redactor cmdline client and kill the process for 598# ProfilingService. 599domain_auto_trans(system_server, trace_redactor_exec, trace_redactor); 600allow system_server trace_redactor:process signal; 601 602# Allow system server to kill perfetto processes for ProfilingService. 603allow system_server perfetto:process signal; 604 605# Manage /data/backup. 606allow system_server backup_data_file:dir create_dir_perms; 607allow system_server backup_data_file:file create_file_perms; 608 609# Write to /data/system/dropbox 610allow system_server dropbox_data_file:dir create_dir_perms; 611allow system_server dropbox_data_file:file create_file_perms; 612 613# Write to /data/system/heapdump 614allow system_server heapdump_data_file:dir rw_dir_perms; 615allow system_server heapdump_data_file:file create_file_perms; 616 617# Manage /data/misc/adb. 618allow system_server adb_keys_file:dir create_dir_perms; 619allow system_server adb_keys_file:file create_file_perms; 620 621# Manage /data/misc/appcompat. 622allow system_server appcompat_data_file:dir rw_dir_perms; 623allow system_server appcompat_data_file:file create_file_perms; 624 625# Manage /data/misc/connectivityblobdb. 626# Specifically, for vpn and wifi to create, read and write to an sqlite database. 
627allow system_server connectivityblob_data_file:dir create_dir_perms; 628allow system_server connectivityblob_data_file:file create_file_perms; 629 630# Manage /data/misc/emergencynumberdb 631allow system_server emergency_data_file:dir create_dir_perms; 632allow system_server emergency_data_file:file create_file_perms; 633 634# Manage /data/misc/network_watchlist 635allow system_server network_watchlist_data_file:dir create_dir_perms; 636allow system_server network_watchlist_data_file:file create_file_perms; 637 638# Manage /data/misc/sms. 639# TODO: Split into a separate type? 640allow system_server radio_data_file:dir create_dir_perms; 641allow system_server radio_data_file:file create_file_perms; 642 643# Manage /data/misc/systemkeys. 644allow system_server systemkeys_data_file:dir create_dir_perms; 645allow system_server systemkeys_data_file:file create_file_perms; 646 647# Manage /data/misc/textclassifier. 648allow system_server textclassifier_data_file:dir create_dir_perms; 649allow system_server textclassifier_data_file:file create_file_perms; 650 651# Manage /data/tombstones. 652allow system_server tombstone_data_file:dir rw_dir_perms; 653allow system_server tombstone_data_file:file create_file_perms; 654 655# Manage /data/misc/vpn. 656allow system_server vpn_data_file:dir create_dir_perms; 657allow system_server vpn_data_file:file create_file_perms; 658 659# Manage /data/misc/wifi. 660allow system_server wifi_data_file:dir create_dir_perms; 661allow system_server wifi_data_file:file create_file_perms; 662 663# Manage /data/app-staging. 664allow system_server staging_data_file:dir create_dir_perms; 665allow system_server staging_data_file:file create_file_perms; 666 667# Manage /data/rollback. 668allow system_server staging_data_file:{ file lnk_file } { create_file_perms link }; 669 670# Walk /data/data subdirectories. 
671allow system_server app_data_file_type:dir { getattr read search }; 672 673# Also permit for unlabeled /data/data subdirectories and 674# for unlabeled asec containers on upgrades from 4.2. 675allow system_server unlabeled:dir r_dir_perms; 676# Read pkg.apk file before it has been relabeled by vold. 677allow system_server unlabeled:file r_file_perms; 678 679# Populate com.android.providers.settings/databases/settings.db. 680allow system_server system_app_data_file:dir create_dir_perms; 681allow system_server system_app_data_file:file create_file_perms; 682 683# Receive and use open app data files passed over binder IPC. 684allow system_server app_data_file_type:file { getattr read write append map }; 685 686# Access to /data/media for measuring disk usage. 687allow system_server media_rw_data_file:dir { search getattr open read }; 688 689# Receive and use open /data/media files passed over binder IPC. 690# Also used for measuring disk usage. 691allow system_server media_rw_data_file:file { getattr read write append }; 692 693# System server needs to setfscreate to packages_list_file when writing 694# /data/system/packages.list 695allow system_server system_server:process setfscreate; 696 697# Relabel apk files. 698allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 699allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 700# Allow PackageManager to: 701# 1. rename file from /data/app-staging folder to /data/app 702# 2. relabel files (linked to /data/rollback) under /data/app-staging 703# during staged apk/apex install. 704allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto }; 705 706# Relabel wallpaper. 
707allow system_server system_data_file:file relabelfrom; 708allow system_server wallpaper_file:file relabelto; 709allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 710 711# Backup of wallpaper imagery uses temporary hard links to avoid data churn 712allow system_server { system_data_file wallpaper_file }:file link; 713 714# ShortcutManager icons 715allow system_server system_data_file:dir relabelfrom; 716allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 717allow system_server shortcut_manager_icons:file create_file_perms; 718 719# Manage ringtones. 720allow system_server ringtone_file:dir { create_dir_perms relabelto }; 721allow system_server ringtone_file:file create_file_perms; 722 723# Relabel icon file. 724allow system_server icon_file:file relabelto; 725allow system_server icon_file:file { rw_file_perms unlink }; 726 727# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 728allow system_server system_data_file:dir relabelfrom; 729 730# server_configurable_flags_data_file is used for storing server configurable flags which 731# have been reset during current booting. system_server needs to read the data to perform related 732# disaster recovery actions. 
# Read-only access to the server-configurable flag data files.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;

# Property Service write.
# Each set_prop() line grants write access to the named property type as a
# whole, so every addition here widens what a compromised system_server can
# change; prefer get_prop() where only reads are needed.
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
set_prop(system_server, bluetooth_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
set_prop(system_server, crashrecovery_prop)
# Debug-only property writes; these do not exist on user builds.
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')

# ctl interface
# NOTE(review): each ctl_*_prop type granted here lets system_server issue
# control requests through the property service; presumably init acts on
# them, so keep this list to the three types below unless a new service
# control path is reviewed.
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)

# cppreopt property
set_prop(system_server, cppreopt_prop)

# server configurable flags properties
# (the neverallow block near the end of this file restricts which domains
# may set a subset of these types; see the review note there)
set_prop(system_server, device_config_core_experiments_team_internal_prop)
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_aconfig_flags_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)

# staged flag properties
set_prop(system_server, next_boot_prop)

# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)

# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)

# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)

# Read device's serial number from system properties
get_prop(system_server, serialno_prop)

# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)

# StorageManager service reads media config while checking if transcoding is supported.
get_prop(system_server, media_config_prop)

# system server reads this property to keep track of whether server configurable flags have been
# reset during the current boot.
get_prop(system_server, device_config_reset_performed_prop)

# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)

# Read gsid.image_running.
get_prop(system_server, gsid_prop)

# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)

# Read the property used as a feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)

# Read wifi.interface
get_prop(system_server, wifi_prop)

# Read the vendor property that indicates if Incremental features are enabled
get_prop(system_server, incremental_prop)

# Read ro.zram. properties
get_prop(system_server, zram_config_prop)

# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)

# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)

# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)

# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)

# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)

# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)
# Read persist.sysui.notification.ranking_update_ashmem property
get_prop(system_server, persist_sysui_ranking_update_prop)

# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
# Write tuner.server.enable
set_prop(system_server, tuner_server_ctl_prop)

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)

# Allow the sensor service (running in the system server) to read sensor
# configuration properties
get_prop(system_server, sensors_config_prop)

# Create a socket for connections from debuggerd (crash_dump); the neverallow
# section later in this file limits who may open/write this socket.
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;

# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
# relabelfrom is needed alongside the create perms so existing cache entries can be relabeled.
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;

# ART locks profile files.
allow system_server system_file:file lock;

# LocationManager (e.g. GPS) needs to read and write
# to the uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
# Only the listed operations are granted; connect/bind/listen on app sockets are not.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir create_dir_perms;
allow system_server cache_private_backup_file:file create_file_perms;

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name add_name };
allow system_server fscklogs:file rename;

# logd access, system_server inherits the logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;

# Read /sys/fs/selinux/policy (read access to the loaded policy only; no load/setenforce)
allow system_server kernel:security read_policy;

# Binder services system_server registers and the services it may look up.
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server virtual_camera_service:service_manager find;
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
    allow system_server virtualization_maintenance_service:service_manager find;
')
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
userdebug_or_eng(`
    allow system_server profcollectd_service:service_manager find;
')

add_service(system_server, batteryproperties_service)

# keystore2 maintenance operations available to system_server.
allow system_server keystore:keystore2 {
    add_auth
    change_password
    change_user
    clear_ns
    clear_uid
    delete_all_keys
    get_last_auth_time
    lock
    pull_metrics
    reset
    unlock
};

# Operations on keystore-owned keys. use_dev_id is presumably the
# device-identifier attestation permission — confirm against keystore2 policy.
allow system_server keystore:keystore2_key {
    delete
    use_dev_id
    grant
    get_info
    rebind
    update
    use
};

# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};


# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# BLKSECDISCARD/BLKDISCARD are the only ioctls permitted on it; the neverallow
# rules later in this file keep every other block device unwritable.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Create new process groups and clean up old cgroups
allow system_server cgroup:dir create_dir_perms;
allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };

# /oem access
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
allow system_server { sdcard_type fuse }:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

userdebug_or_eng(`
    # Allow system server to create and write method traces in /data/misc/trace.
    allow system_server method_trace_data_file:dir w_dir_perms;
    allow system_server method_trace_data_file:file { create w_file_perms };

    # Allow system server to read dmesg
    allow system_server kernel:system syslog_read;

    # Allow writing and removing window traces in /data/misc/wmtrace.
    allow system_server wm_trace_data_file:dir rw_dir_perms;
    allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };

    # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
    allow system_server accessibility_trace_data_file:dir rw_dir_perms;
    allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Allow invoking tools like "timeout"
# (toolbox_exec is also excepted from the execute_no_trans neverallow below)
allow system_server toolbox_exec:file rx_file_perms;

# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;

# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;

# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;

r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
# Read-only access to the listed procfs entries.
allow system_server {
    proc_cmdline
    proc_loadavg
    proc_locks
    proc_meminfo
    proc_pagetypeinfo
    proc_pipe_conf
    proc_stat
    proc_uid_cputime_showstat
    proc_uid_io_stats
    proc_uid_time_in_state
    proc_uid_concurrent_active_time
    proc_uid_concurrent_policy_time
    proc_version
    proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;

# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
# ASAN-only exec targets; these are also excepted from the execute_no_trans
# neverallow further down, and do not exist on non-ASAN builds.
with_asan(`
    allow system_server shell_exec:file rx_file_perms;
    allow system_server asanwrapper_exec:file rx_file_perms;
    allow system_server zygote_exec:file rx_file_perms;
')

# allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after a snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
# prog_run only on bpfloader-owned programs; map create only for its own maps,
# map read/write on maps owned by the four listed domains.
allow system_server bpfloader:bpf prog_run;
allow system_server self:bpf map_create;
allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit system_server self:key_socket getopt;

# Allow system_server to start clatd in its own domain and kill it.
# (clatd is one of the few transition targets permitted by the neverallow below.)
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process { sigkill signal };

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor
# to privileged apps which acquire the permissions to inspect the profiles.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able to create files but it should never read from them.
# It also needs to stat the directory to check if it has the right permissions.
# Note: no read permission on the files, by design.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir rw_dir_perms;

# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
    allow system_server user_profile_data_file:dir w_dir_perms;
    allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
# (A neverallow near the end of this file restricts which domains may read this property type.)
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know whether it should expect lmkd to send it notifications
# on low memory kills.
get_prop(system_server, system_lmk_prop)

get_prop(system_server, wifi_config_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Watchdog prints debugging log to /dev/kmsg_debug.
userdebug_or_eng(`
    allow system_server kmsg_debug_device:chr_file { open append getattr };
')
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)


# Font files are written by system server
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
# Allow system process to setup and measure fs-verity for font files
allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };

# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)

# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')

# Power controls for debugging/diagnostics
get_prop(system_server, power_debug_prop)
set_prop(system_server, power_debug_prop)

###
### Neverallow rules
###
### system_server should NEVER do any of this
### (these are build-time assertions: a conflicting allow rule anywhere in the
### policy fails compilation, which is what makes them a useful guard rail)

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server { sdcard_type fuse }:dir { open read write };
neverallow system_server { sdcard_type fuse }:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
    app_data_file_type
    -system_app_data_file
    -radio_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
# NOTE(review): logcat_exec is excepted here but no matching allow rule is
# visible in this part of the file; presumably granted elsewhere — verify it
# is still needed before keeping the exception.
neverallow system_server {
    file_type
    -toolbox_exec
    -logcat_exec
    with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or forking clatd.
# perfetto and trace_redactor are added because they are exec'd from system server for ProfilingService.
neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
neverallow system_server *:process dyntransition;

# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
neverallow system_server perfetto_traces_data_file:dir ~search;

# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
    domain
    -init
    -system_server
    -zygote
    -app_zygote
    -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags
# NOTE(review): this list is a subset of the device_config_*_prop types that
# system_server is granted set_prop on earlier in this file. The types granted
# there but absent here (camera_native, profcollect_native_boot, statsd_native,
# statsd_native_boot, configuration, vendor_system_native, vendor_system_native_boot,
# virtualization_framework_native, memory_safety_native_boot, memory_safety_native)
# are not constrained by this rule; confirm they are covered by a neverallow
# elsewhere in the policy before relying on this block as the full guard.
neverallow {
    domain
    -init
    -system_server
    -flags_health_check
} {
    device_config_core_experiments_team_internal_prop
    device_config_activity_manager_native_boot_prop
    device_config_connectivity_prop
    device_config_input_native_boot_prop
    device_config_lmkd_native_prop
    device_config_netd_native_prop
    device_config_nnapi_native_prop
    device_config_edgetpu_native_prop
    device_config_runtime_native_boot_prop
    device_config_runtime_native_prop
    device_config_media_native_prop
    device_config_mglru_native_prop
    device_config_remote_key_provisioning_native_prop
    device_config_storage_native_boot_prop
    device_config_surface_flinger_native_boot_prop
    device_config_sys_traced_prop
    device_config_swcodec_native_prop
    device_config_aconfig_flags_prop
    device_config_window_manager_native_boot_prop
    device_config_tethering_u_or_later_native_prop
    next_boot_prop
}:property_service set;

# Only allow system_server and init to set tuner_server_ctl_prop
neverallow {
    domain
    -system_server
    -init
} tuner_server_ctl_prop:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
# The system_server may need to read from vd_device if it uses
# block apexes.
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
# Note that selecting the `true' branch also drops the execmem neverallow,
# so this build flag must never be set on a shipping target.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
    `allow system_server self:process execmem;',
    `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate with apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;

# Allow system server to communicate with system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate with system-suspend's wakelock interface
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
allow system_server apex_tethering_data_file:dir create_dir_perms;
allow system_server apex_tethering_data_file:file create_file_perms;
allow system_server apex_uwb_data_file:dir create_dir_perms;
allow system_server apex_uwb_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286). They receive the same
# full (create/write) access as the labels above.
allow system_server {
  apex_appsearch_data_file
  apex_permission_data_file
  apex_scheduling_data_file
  apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
  apex_appsearch_data_file
  apex_permission_data_file
  apex_scheduling_data_file
  apex_wifi_data_file
}:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use. `search` on metadata_file is only the directory
# traversal needed to reach the subdirectories used below; the neverallow rules further down
# confine this path to init and system_server.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

# /metadata/userspacereboot (confined to init and system_server by the neverallow below).
allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
allow system_server userspace_reboot_metadata_file:file create_file_perms;

# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;

allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;

# aconfig flag storage: full access to the flags directory, lookup only on its parent.
allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
allow system_server aconfig_storage_metadata_file:dir search;

# Connect to aconfigd over its unix stream socket.
allow system_server aconfigd_socket:sock_file {read write};
allow system_server aconfigd:unix_stream_socket connectto;

allow system_server aconfig_test_mission_files:dir create_dir_perms;
allow system_server aconfig_test_mission_files:file create_file_perms;

allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;

allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;

# Allow system server to read and remove files under /data/misc/odrefresh. Note the file
# permissions are read + unlink only; system_server cannot write or create these files.
allow system_server odrefresh_data_file:dir rw_dir_perms;
allow system_server odrefresh_data_file:file { r_file_perms unlink };

# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;

# Allow system_server (this rule grants system_server, not init) to set the sysprop used to
# compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)

# JVMTI agent settings are readable only by system_server and the listed exemptions
# (dumpstate, init, vendor_init); every other domain is denied read and write of the
# property's backing file.
neverallow {
  domain
  -system_server
  -dumpstate
  -init
  -vendor_init
} {
  system_jvmti_agent_prop
}:file no_rw_file_perms;

# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;

# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

# No ptracing others: the only domain system_server may ptrace is system_server itself.
neverallow system_server { domain -system_server }:process ptrace;

# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;

# Only system_server/init should access /metadata/password_slots.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
# NOTE(review): the next rule is fully subsumed by the `*` rule that follows it (same
# excluded set, and `*` covers ~{ relabelto getattr }); it is left in place but adds
# nothing to what is denied.
neverallow {
  domain
  -init
  -system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

# Only system_server/init should access /metadata/userspacereboot.
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;

# Only system_server, init and aconfigd may access the aconfig flags directory under /metadata/aconfig.
neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;

# Allow systemserver to read/write the invalidation property; no domain other than
# system_server and init may set it through property_service.
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
  binder_cache_system_server_prop:property_service set;

# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
# `read` is deliberately absent from the allow set, and the neverallow pins the permitted
# set so it cannot be widened elsewhere in the policy.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };

# Allow writing files under /data/system/shutdown-checkpoints/
allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;

# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;

# Likewise, only init and system_server may set boot_status_prop.
neverallow { domain -init -system_server } boot_status_prop:property_service set;

# wifi_config_prop: read/write of the backing property file is limited to system_server
# and the listed exemptions (init, vendor_init, dumpstate).
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_server
} wifi_config_prop:file no_rw_file_perms;

# Only system server may write uhid sysfs files, apart from the init, ueventd and
# vendor_init exemptions listed here.
neverallow {
  domain
  -init
  -system_server
  -ueventd
  -vendor_init
} sysfs_uhid:file no_w_file_perms;

# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Only system server (and init) can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;

# Allow reading /system/etc/font_fallback.xml
allow system_server system_font_fallback_file:file r_file_perms;

# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)

# Allow system server to read binderfs
allow system_server binderfs_logs:dir r_dir_perms;
allow system_server binderfs_logs_stats:file r_file_perms;

# For ANRs: the binder transaction log is readable on userdebug/eng builds only.
userdebug_or_eng(`
  allow system_server binderfs_logs_transactions:file r_file_perms;
')

# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)

# ThreadNetworkService reads Thread Network properties
get_prop(system_server, threadnetwork_config_prop)

# Access to the backing property file of threadnetwork_config_prop is limited to
# system_server and the listed exemptions (init, vendor_init, dumpstate). This is a
# file-class rule (reads and writes of the property file), not a property_service
# `set` restriction.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_server
} threadnetwork_config_prop:file no_rw_file_perms;

# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar
# in Pre-reboot Dexopt. Directory lookup only; no file access is granted by this rule.
allow system_server pre_reboot_dexopt_file:dir { getattr search };

# Allow system_server to reopen its own memfd.
# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
# /proc/self/fd/<fd> with a classloader.
allow system_server system_server_tmpfs:file open;

# Allow system_server to read from postinstall scripts through STDIN, to check if the
# otapreopt_script is still alive.
allow system_server postinstall:fifo_file read;

# Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
# files in chroot when we teardown chroot. Only sigkill is granted, no other signal.
allow system_server {
  artd
  derive_classpath
  dex2oat
  odrefresh
  profman
}:process sigkill;

# crashrecovery_prop: only init and system_server may set it through property_service, and
# only those two plus dumpstate may read or write its backing property file.
neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;

# power_debug_prop may be set only by init, vendor_init, system_server and shell.
neverallow {
  domain
  -init
  -vendor_init
  -system_server
  -shell
} power_debug_prop:property_service set;