Lines matching full:system_server (only matching lines are listed; each line starts with its line number in the source file)
2 # System Server aka system_server spawned by zygote.
# Attributes attached to the system_server type. The rules and neverallows keyed on
# each attribute are defined outside this listing.
6 typeattribute system_server coredomain;
# mlstrustedsubject exempts a subject from the policy's MLS constraints, so for this
# domain the TE allow rules are what bound access across MLS levels/categories.
7 typeattribute system_server mlstrustedsubject;
8 typeattribute system_server remote_provisioning_service_server;
9 typeattribute system_server scheduler_service_server;
10 typeattribute system_server sensor_service_server;
11 typeattribute system_server stats_service_server;
12 typeattribute system_server bpfdomain;
# Policy macros; their expansions are not part of this listing.
15 tmpfs_domain(system_server)
17 userfaultfd_use(system_server)
# Named type transitions: a sock_file with the quoted name that system_server creates in
# a system_data_file directory is labelled with the dedicated socket type instead of
# inheriting system_data_file.
20 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
# The quoted file name on the next line is cut off in this listing.
23 type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesock…
# Shared-memory (tmpfs) files owned by zygote and by apps. Neither rule grants `open`,
# so these files are usable only through a descriptor that was already opened and
# handed over. App-owned regions are writable as well as readable.
25 allow system_server zygote_tmpfs:file { map read };
26 allow system_server appdomain_tmpfs:file { getattr map read write };
29 allow system_server proc_filesystems:file r_file_perms;
# Incremental-filesystem control file plus ioctl allowlists. Each allowxperm line opens
# a brace list of ioctl commands that is not shown in this listing; review the full
# file to see which commands are actually permitted.
32 allow system_server incremental_control_file:file { ioctl r_file_perms };
33 allowxperm system_server incremental_control_file:file ioctl {
44 allowxperm system_server apk_data_file:file ioctl {
59 allowxperm system_server apk_tmp_file:file ioctl {
65 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
68 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
69 allow system_server sysfs_fs_f2fs:file r_file_perms;
72 allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
# Read-only access to the ART APEX data and dalvik-cache directories and files.
75 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
76 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
81 # system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
# dontaudit grants nothing: execute on apex_art_data_file stays denied, only the audit
# log entry for that denial is suppressed.
82 dontaudit system_server apex_art_data_file:file execute;
# ioctl allowlist for dalvik-cache files; the command list is not shown in this listing.
85 allowxperm system_server dalvikcache_data_file:file ioctl {
# Wrapped in with_asan(), so this rule is conditional on that macro's build condition.
92 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
95 allow system_server resourcecache_data_file:file r_file_perms;
96 allow system_server resourcecache_data_file:dir r_dir_perms;
# ptrace is granted on `self` only, i.e. on processes running in the system_server
# domain; no other domain is a ptrace target in the rules visible here.
99 allow system_server self:process ptrace;
# Relationship with the parent zygote: inherited descriptors, SIGCHLD, reading the
# zygote executable, and querying the zygote stream socket.
102 allow system_server zygote:fd use;
103 allow system_server zygote:process sigchld;
# The target list and permissions of the next rule are not shown in this listing.
106 allow system_server {
116 allow system_server zygote_exec:file r_file_perms;
119 allow system_server zygote:unix_stream_socket { getopt getattr };
# Network access via policy macros (expansions not shown here).
122 net_domain(system_server)
123 # in addition to ioctls allowlisted for all domains, also allow system_server
125 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
126 bluetooth_domain(system_server)
128 # Allow setup of tcp keepalive offload. This gives system_server the permission to
# Applies to TCP sockets owned by any app domain. No allowxperm for this pair is visible
# in this listing; check the full policy for which ioctl commands are reachable.
132 allow system_server appdomain:tcp_socket ioctl;
# Capability sets; the list for the first rule is not shown in this listing.
136 allow system_server self:global_capability_class_set {
151 allow system_server self:global_capability2_class_set wake_alarm;
# Netlink and raw socket families system_server may create for itself. All use the
# *_no_ioctl permission set; the permission list at line 157 is not shown.
154 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
157 allow system_server self:netlink_tcpdiag_socket
161 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
163 allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
166 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
167 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
170 allow system_server config_gz:file { read open };
176 allow system_server self:socket create_socket_perms_no_ioctl;
# nlmsg_write covers state-changing netlink messages (routing here, xfrm/IPsec below).
179 allow system_server self:netlink_route_socket nlmsg_write;
# The permission list on the next line is cut off in this listing.
182 allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read …
# Process control over every app domain: signals (including SIGKILL), the null signal
# used as an existence check, process-group query and scheduler changes.
185 allow system_server appdomain:process { getpgid sigkill signal };
187 allow system_server appdomain:process { signull };
190 allow system_server appdomain:process { getsched setsched };
# Scheduler policy/priority access to selected native services, HALs, VM processes and
# kernel threads. Only getsched/setsched is granted; no signal permission appears here.
191 allow system_server audioserver:process { getsched setsched };
192 allow system_server hal_audio:process { getsched setsched };
193 allow system_server hal_bluetooth:process { getsched setsched };
194 allow system_server hal_codec2_server:process { getsched setsched };
195 allow system_server hal_omx_server:process { getsched setsched };
196 allow system_server mediaswcodec:process { getsched setsched };
197 allow system_server cameraserver:process { getsched setsched };
198 allow system_server hal_camera:process { getsched setsched };
199 allow system_server mediaserver:process { getsched setsched };
200 allow system_server bootanim:process { getsched setsched };
202 allow system_server { virtualizationmanager crosvm }:process { getsched setsched };
206 allow system_server kernel:process { getsched setsched };
208 # Allow system_server to write to /proc/<pid>/*
# `domain` is the attribute carried by process types, so this is write access to the
# /proc/<pid> files of every process on the device. It is one of the broadest grants
# here and worth checking first when auditing what a compromised system_server reaches.
209 allow system_server domain:file w_file_perms;
212 # within system_server to keep track of memory and CPU usage for
# Read access to /proc/<pid> directories and files of all domains.
215 r_dir_file(system_server, domain)
218 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
221 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
# NOTE(review): by its name this type labels the kernel SysRq proc interface; write
# access to it is powerful, so confirm the label mapping in genfs_contexts.
224 allow system_server proc_sysrq:file rw_file_perms;
# statsd configuration: list and delete only; no create or file-write permission.
227 allow system_server stats_config_data_file:dir { open read remove_name search write };
228 allow system_server stats_config_data_file:file unlink;
# odsign metrics: read and delete.
231 allow system_server odsign_data_file:dir search;
232 allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
233 allow system_server odsign_metrics_file:file { r_file_perms unlink };
# Read-only kernel statistics (wakeup sources, ION/DMA-BUF heaps, CMA, vmstat).
237 allow system_server debugfs_wakeup_sources:file r_file_perms;
241 allow system_server sysfs_ion:file r_file_perms;
244 allow system_server sysfs_dma_heap:file r_file_perms;
248 allow system_server sysfs_cma:file r_file_perms;
252 allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
253 allow system_server sysfs_dmabuf_stats:file r_file_perms;
257 allow system_server dmabuf_heap_device:dir r_dir_perms;
260 allow system_server proc_vmstat:file r_file_perms;
# Packet and TUN sockets owned by system_server itself, without ioctl.
263 allow system_server self:packet_socket create_socket_perms_no_ioctl;
266 allow system_server self:tun_socket create_socket_perms_no_ioctl;
# Unix-domain socket clients: unix_socket_connect(client, socket, server) lets
# system_server connect to the named socket of lmkd, zygote and uncrypt.
269 unix_socket_connect(system_server, lmkd, lmkd)
270 unix_socket_connect(system_server, zygote, zygote)
271 unix_socket_connect(system_server, uncrypt, uncrypt)
273 # Allow system_server to write to statsd.
274 unix_socket_send(system_server, statsdw, statsd)
# Use of stream sockets owned by other processes. The first two rules omit connectto,
# so system_server can only use a socket it was handed. The two zygote variants include
# connectto, so it can initiate those connections.
277 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
279 allow system_server gpuservice:unix_stream_socket { read write setopt };
282 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
285 allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
288 allow system_server virtualizationmanager:fd use;
289 allow system_server virtualizationmanager:vsock_socket { getopt read write };
# Binder: binder_call(system_server, X) lets system_server call into X. Every listed
# peer parses system_server-originated transactions, so this list is the outbound IPC
# surface to review.
292 binder_use(system_server)
293 binder_call(system_server, appdomain)
294 binder_call(system_server, artd)
295 binder_call(system_server, binderservicedomain)
296 binder_call(system_server, composd)
297 binder_call(system_server, dexopt_chroot_setup)
298 binder_call(system_server, dumpstate)
299 binder_call(system_server, fingerprintd)
300 binder_call(system_server, gatekeeperd)
301 binder_call(system_server, gpuservice)
302 binder_call(system_server, idmap)
303 binder_call(system_server, installd)
304 binder_call(system_server, incidentd)
305 binder_call(system_server, mmd)
306 binder_call(system_server, netd)
307 binder_call(system_server, ot_daemon)
# Present only on userdebug/eng builds; absent from user (production) policy.
308 userdebug_or_eng(`binder_call(system_server, profcollectd)')
309 binder_call(system_server, statsd)
310 binder_call(system_server, storaged)
311 binder_call(system_server, update_engine)
312 binder_call(system_server, virtual_camera)
313 binder_call(system_server, vold)
314 binder_call(system_server, logd)
315 binder_call(system_server, wificond)
316 binder_call(system_server, uprobestats)
317 binder_call(system_server, wifi_mainline_supplicant)
# Marks system_server as a binder service provider (macro expansion not shown here).
318 binder_service(system_server)
# HAL clients: each hal_client_domain(system_server, hal_X) makes system_server a client
# of that HAL. The concrete permissions come from the macro and the per-HAL policy,
# neither of which is shown in this listing. Several entries front security-sensitive
# hardware (hal_keymint, hal_weaver, hal_authsecret, hal_secretkeeper, hal_oemlock,
# hal_face, hal_fingerprint).
321 hal_client_domain(system_server, hal_allocator)
322 hal_client_domain(system_server, hal_audio)
323 hal_client_domain(system_server, hal_authgraph)
324 hal_client_domain(system_server, hal_authsecret)
325 hal_client_domain(system_server, hal_bluetooth)
326 hal_client_domain(system_server, hal_broadcastradio)
327 hal_client_domain(system_server, hal_codec2)
328 hal_client_domain(system_server, hal_configstore)
329 hal_client_domain(system_server, hal_contexthub)
330 hal_client_domain(system_server, hal_face)
331 hal_client_domain(system_server, hal_fingerprint)
332 hal_client_domain(system_server, hal_gnss)
333 hal_client_domain(system_server, hal_graphics_allocator)
334 hal_client_domain(system_server, hal_health)
335 hal_client_domain(system_server, hal_input_classifier)
336 hal_client_domain(system_server, hal_input_processor)
337 hal_client_domain(system_server, hal_ir)
338 hal_client_domain(system_server, hal_keymint)
339 hal_client_domain(system_server, hal_light)
340 hal_client_domain(system_server, hal_mediaquality)
341 hal_client_domain(system_server, hal_memtrack)
342 hal_client_domain(system_server, hal_neuralnetworks)
343 hal_client_domain(system_server, hal_oemlock)
344 hal_client_domain(system_server, hal_omx)
345 hal_client_domain(system_server, hal_power)
346 hal_client_domain(system_server, hal_power_stats)
347 hal_client_domain(system_server, hal_rebootescrow)
348 hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
349 hal_client_domain(system_server, hal_sensors)
350 hal_client_domain(system_server, hal_secretkeeper)
351 hal_client_domain(system_server, hal_tetheroffload)
352 hal_client_domain(system_server, hal_thermal)
353 hal_client_domain(system_server, hal_threadnetwork)
354 hal_client_domain(system_server, hal_tv_cec)
355 hal_client_domain(system_server, hal_tv_hdmi_cec)
356 hal_client_domain(system_server, hal_tv_hdmi_connection)
357 hal_client_domain(system_server, hal_tv_hdmi_earc)
358 hal_client_domain(system_server, hal_tv_input)
359 hal_client_domain(system_server, hal_usb)
360 hal_client_domain(system_server, hal_usb_gadget)
361 hal_client_domain(system_server, hal_uwb)
362 hal_client_domain(system_server, hal_vibrator)
363 hal_client_domain(system_server, hal_vr)
364 hal_client_domain(system_server, hal_weaver)
365 hal_client_domain(system_server, hal_wifi)
366 hal_client_domain(system_server, hal_wifi_hostapd)
367 hal_client_domain(system_server, hal_wifi_supplicant)
# Boot-control HAL client, wrapped in not_recovery() so it is excluded from the
# recovery policy.
371 not_recovery(`hal_client_domain(system_server, hal_bootctl)')
374 allow system_server hal_graphics_composer:fd use;
377 allow system_server hal_renderscript_hwservice:hwservice_manager find;
# execute + map on same_process_hal_file means files with this label run inside the
# system_server process itself. Their integrity is therefore part of system_server's
# trust boundary. NOTE(review): confirm which paths carry this label in file_contexts.
378 allow system_server same_process_hal_file:file { execute read open getattr map };
381 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
# Enumerate (list) registered services in both service managers.
384 allow system_server hwservicemanager:hwservice_manager list;
385 allow system_server servicemanager:service_manager list;
# The target list and permissions of the next rule are not shown in this listing.
388 allow system_server {
# Read/write on TCP/UDP sockets owned by the media processes (rw_socket_perms).
443 allow system_server audioserver:tcp_socket rw_socket_perms;
444 allow system_server audioserver:udp_socket rw_socket_perms;
445 allow system_server mediaserver:tcp_socket rw_socket_perms;
446 allow system_server mediaserver:udp_socket rw_socket_perms;
449 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
450 allow system_server mediadrmserver:udp_socket rw_socket_perms;
454 perfetto_producer(system_server)
# Read-only access to SELinux configuration files, plus the access-check macro.
457 allow system_server file_contexts_file:file r_file_perms;
459 allow system_server mac_perms_file: file r_file_perms;
461 selinux_check_access(system_server)
# sysfs: directory listing for every sysfs_type; file access is granted per type below.
# Writable types are the ones to watch, since a sysfs write changes kernel/driver state:
# sysfs_android_usb, sysfs_ipv4, sysfs_nfc_power_writable, sysfs_power, sysfs_uhid,
# sysfs_vibrator and sysfs_usb.
463 allow system_server sysfs_type:dir r_dir_perms;
465 r_dir_file(system_server, sysfs_android_usb)
466 allow system_server sysfs_android_usb:file w_file_perms;
468 r_dir_file(system_server, sysfs_extcon)
470 r_dir_file(system_server, sysfs_ipv4)
471 allow system_server sysfs_ipv4:file w_file_perms;
473 r_dir_file(system_server, sysfs_rtc)
474 r_dir_file(system_server, sysfs_switch)
476 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
477 allow system_server sysfs_power:dir search;
478 allow system_server sysfs_power:file rw_file_perms;
479 allow system_server sysfs_thermal:dir search;
480 allow system_server sysfs_thermal:file r_file_perms;
481 allow system_server sysfs_uhid:dir r_dir_perms;
482 allow system_server sysfs_uhid:file rw_file_perms;
485 allow system_server sysfs_vibrator:file { write append };
488 allow system_server sysfs_usb:file w_file_perms;
# Device nodes. Character devices are opened read/write, so the kernel drivers behind
# them (GPU, input, tty, USB accessory, video, RTC, uhid, hidraw, audio, tun) are
# directly reachable from system_server.
491 allow system_server device:dir r_dir_perms;
492 allow system_server mdns_socket:sock_file rw_file_perms;
493 allow system_server gpu_device:chr_file rw_file_perms;
494 allow system_server gpu_device:dir r_dir_perms;
495 allow system_server sysfs_gpu:file r_file_perms;
496 allow system_server input_device:dir r_dir_perms;
497 allow system_server input_device:chr_file rw_file_perms;
498 allow system_server tty_device:chr_file rw_file_perms;
499 allow system_server usbaccessory_device:chr_file rw_file_perms;
500 allow system_server video_device:dir r_dir_perms;
501 allow system_server video_device:chr_file rw_file_perms;
502 allow system_server adbd_socket:sock_file rw_file_perms;
503 allow system_server rtc_device:chr_file rw_file_perms;
504 allow system_server audio_device:dir r_dir_perms;
505 allow system_server uhid_device:chr_file rw_file_perms;
506 allow system_server hidraw_device:dir r_dir_perms;
507 allow system_server hidraw_device:chr_file rw_file_perms;
510 allow system_server audio_device:chr_file rw_file_perms;
# /dev/tun: the allowxperm line narrows the ioctl permission to the four listed
# commands. This is the pattern to prefer over an unrestricted ioctl grant.
513 allow system_server tun_device:chr_file rw_file_perms;
514 allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
# OTA package staging area: manage directory entries and create/write files.
517 allow system_server ota_package_file:dir rw_dir_perms;
518 allow system_server ota_package_file:file create_file_perms;
# Full create/write/delete on generically labelled system data, for every non-device
# file class (notdevfile_class_set).
521 allow system_server system_data_file:dir create_dir_perms;
522 allow system_server system_data_file:notdevfile_class_set create_file_perms;
523 allow system_server packages_list_file:file create_file_perms;
524 allow system_server game_mode_intervention_list_file:file create_file_perms;
# Keychain storage, including symlinks.
525 allow system_server keychain_data_file:dir create_dir_perms;
526 allow system_server keychain_data_file:file create_file_perms;
527 allow system_server keychain_data_file:lnk_file create_file_perms;
531 allow system_server system_userdir_file:dir r_dir_perms;
# Installed and in-progress APKs: create, write, delete and (for apk_data_file) hard
# link. Nothing in this section grants execute on these types.
534 allow system_server apk_data_file:dir create_dir_perms;
535 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
536 allow system_server apk_tmp_file:dir create_dir_perms;
537 allow system_server apk_tmp_file:file create_file_perms;
540 allow system_server apk_metadata_file:dir create_dir_perms;
541 allow system_server apk_metadata_file:file create_file_perms;
# Read-only access to vendor-provided input configuration, apps, framework files and
# overlays.
544 r_dir_file(system_server, vendor_keylayout_file)
545 r_dir_file(system_server, vendor_keychars_file)
546 r_dir_file(system_server, vendor_idc_file)
547 get_prop(system_server, input_device_config_prop)
550 r_dir_file(system_server, vendor_app_file)
551 r_dir_file(system_server, vendor_framework_file)
552 r_dir_file(system_server, vendor_overlay_file)
555 allow system_server apk_private_data_file:dir create_dir_perms;
556 allow system_server apk_private_data_file:file create_file_perms;
557 allow system_server apk_private_tmp_file:dir create_dir_perms;
558 allow system_server apk_private_tmp_file:file create_file_perms;
561 allow system_server asec_apk_file:dir create_dir_perms;
562 allow system_server asec_apk_file:file create_file_perms;
563 allow system_server asec_public_file:file create_file_perms;
569 # the system_server should never need to create a new anr_data_file:file or write
# NOTE(review): the visible part of the comment above says create/write should not be
# needed, yet the two rules below grant create_dir_perms/create_file_perms. The rest of
# that comment is not shown here; check whether a tightening is still pending.
571 allow system_server anr_data_file:dir create_dir_perms;
572 allow system_server anr_data_file:file create_file_perms;
577 # Allow system_server to connect and write to the tombstoned java trace socket in
580 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
581 allow system_server tombstoned:fd use;
# Append-only writes into pipes handed over by dumpstate and incidentd.
582 allow system_server dumpstate:fifo_file append;
583 allow system_server incidentd:fifo_file append;
584 # Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
# NOTE(review): line 585 of the file is not in this listing, so any build-variant
# wrapper around this `su` rule is not visible; confirm it is debug-build-only.
586 allow system_server su:fifo_file append;
589 # Allow system_server to read pipes from incidentd (used to deliver incident reports
591 allow system_server incidentd:fifo_file read;
# read without open: the file must arrive as an already-open descriptor.
595 allow system_server incident_data_file:file read;
598 allow system_server prereboot_data_file:dir rw_dir_perms;
599 allow system_server prereboot_data_file:file create_file_perms;
# Perfetto traces: read/getattr only on trace files and use of perfetto's descriptors.
603 allow system_server perfetto_traces_data_file:file { read getattr };
604 allow system_server perfetto:fd use;
606 # Allow system_server to exec the perfetto cmdline client and pass it a trace config
# domain_auto_trans: executing perfetto_exec from system_server moves the new process
# into the perfetto domain, so it does not keep running with system_server's permissions.
607 domain_auto_trans(system_server, perfetto_exec, perfetto);
608 allow system_server perfetto:fifo_file { read write };
611 allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
612 allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
613 allow system_server perfetto_traces_data_file:dir search;
# Same pattern for the trace redactor, plus signal delivery to both child domains.
617 domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
618 allow system_server trace_redactor:process signal;
621 allow system_server perfetto:process signal;
# Per-feature data directories. Most get full create/write/delete; the ones granted only
# rw_dir_perms (heapdump, appcompat, tombstone) cannot have subdirectories created by
# system_server under that rule.
624 allow system_server backup_data_file:dir create_dir_perms;
625 allow system_server backup_data_file:file create_file_perms;
628 allow system_server dropbox_data_file:dir create_dir_perms;
629 allow system_server dropbox_data_file:file create_file_perms;
632 allow system_server heapdump_data_file:dir rw_dir_perms;
633 allow system_server heapdump_data_file:file create_file_perms;
# NOTE(review): judging by the type name this is the adb authorized-keys store; write
# access decides which hosts may attach a debugger. Confirm against file_contexts.
636 allow system_server adb_keys_file:dir create_dir_perms;
637 allow system_server adb_keys_file:file create_file_perms;
640 allow system_server appcompat_data_file:dir rw_dir_perms;
641 allow system_server appcompat_data_file:file create_file_perms;
645 allow system_server connectivityblob_data_file:dir create_dir_perms;
646 allow system_server connectivityblob_data_file:file create_file_perms;
649 allow system_server emergency_data_file:dir create_dir_perms;
650 allow system_server emergency_data_file:file create_file_perms;
653 allow system_server network_watchlist_data_file:dir create_dir_perms;
654 allow system_server network_watchlist_data_file:file create_file_perms;
658 allow system_server radio_data_file:dir create_dir_perms;
659 allow system_server radio_data_file:file create_file_perms;
662 allow system_server systemkeys_data_file:dir create_dir_perms;
663 allow system_server systemkeys_data_file:file create_file_perms;
666 allow system_server textclassifier_data_file:dir create_dir_perms;
667 allow system_server textclassifier_data_file:file create_file_perms;
670 allow system_server tombstone_data_file:dir rw_dir_perms;
671 allow system_server tombstone_data_file:file create_file_perms;
674 allow system_server vpn_data_file:dir create_dir_perms;
675 allow system_server vpn_data_file:file create_file_perms;
678 allow system_server wifi_data_file:dir create_dir_perms;
679 allow system_server wifi_data_file:file create_file_perms;
682 allow system_server staging_data_file:dir create_dir_perms;
# For class `file`, line 683 is a subset of what line 686 grants.
683 allow system_server staging_data_file:file create_file_perms;
686 allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
# App private data: directories can be listed and searched; files can be read/written
# and mapped but not opened (see line 702), so access depends on an app passing an
# already-open descriptor.
689 allow system_server app_data_file_type:dir { getattr read search };
# Read-only access to files that carry no valid label.
693 allow system_server unlabeled:dir r_dir_perms;
695 allow system_server unlabeled:file r_file_perms;
698 allow system_server system_app_data_file:dir create_dir_perms;
699 allow system_server system_app_data_file:file create_file_perms;
702 allow system_server app_data_file_type:file { getattr read write append map };
705 allow system_server media_rw_data_file:dir { search getattr open read };
708 allow system_server wifi_mainline_supplicant_exec:file getattr;
712 allow system_server media_rw_data_file:file { getattr read write append };
# Relabeling. setfscreate lets system_server pick the label of files it creates, and the
# relabelfrom/relabelto pairs let it move files between the listed types. Changing a
# label changes which domains can reach a file, so these rules deserve the same scrutiny
# as write access.
716 allow system_server system_server:process setfscreate;
719 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
720 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
725 allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# One-way relabels out of system_data_file into wallpaper, shortcut-icon, ringtone and
# icon types (relabelfrom on the source, relabelto on each destination).
728 allow system_server system_data_file:file relabelfrom;
729 allow system_server wallpaper_file:file relabelto;
730 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
733 allow system_server { system_data_file wallpaper_file }:file link;
736 allow system_server system_data_file:dir relabelfrom;
737 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
738 allow system_server shortcut_manager_icons:file create_file_perms;
741 allow system_server ringtone_file:dir { create_dir_perms relabelto };
742 allow system_server ringtone_file:file create_file_perms;
745 allow system_server icon_file:file relabelto;
746 allow system_server icon_file:file { rw_file_perms unlink };
# Same rule as line 736; the repetition has no effect on the compiled policy.
749 allow system_server system_data_file:dir relabelfrom;
752 # have been reset during current booting. system_server needs to read the data to perform related
754 allow system_server server_configurable_flags_data_file:dir r_dir_perms;
755 allow system_server server_configurable_flags_data_file:file r_file_perms;
# Writable system properties. Each set_prop(system_server, T) lets system_server set
# properties labelled T. A property is only as trustworthy as its least-trusted writer,
# so daemons that read these values treat system_server as part of their input.
758 set_prop(system_server, system_prop)
759 set_prop(system_server, bootanim_system_prop)
760 set_prop(system_server, bluetooth_prop)
761 set_prop(system_server, exported_system_prop)
762 set_prop(system_server, exported3_system_prop)
763 set_prop(system_server, safemode_prop)
764 set_prop(system_server, theme_prop)
765 set_prop(system_server, dhcp_prop)
766 set_prop(system_server, net_connectivity_prop)
767 set_prop(system_server, net_radio_prop)
768 set_prop(system_server, net_dns_prop)
769 set_prop(system_server, usb_control_prop)
770 set_prop(system_server, usb_prop)
771 set_prop(system_server, debug_prop)
# NOTE(review): by name, powerctl_prop labels the property that requests reboot or
# shutdown from init; confirm in property_contexts.
772 set_prop(system_server, powerctl_prop)
773 set_prop(system_server, fingerprint_prop)
774 set_prop(system_server, device_logging_prop)
775 set_prop(system_server, dumpstate_options_prop)
776 set_prop(system_server, overlay_prop)
777 set_prop(system_server, exported_overlay_prop)
778 set_prop(system_server, pm_prop)
779 set_prop(system_server, exported_pm_prop)
780 set_prop(system_server, socket_hook_prop)
781 set_prop(system_server, audio_prop)
782 set_prop(system_server, boot_status_prop)
783 set_prop(system_server, surfaceflinger_color_prop)
784 set_prop(system_server, provisioned_prop)
785 set_prop(system_server, retaildemo_prop)
786 set_prop(system_server, dmesgd_start_prop)
787 set_prop(system_server, locale_prop)
788 set_prop(system_server, timezone_metadata_prop)
789 set_prop(system_server, timezone_prop)
790 set_prop(system_server, crashrecovery_prop)
# The next two grants exist only on userdebug/eng builds.
791 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
792 userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# NOTE(review): ctl_* types normally label the ctl.* control properties through which
# init is asked to start or stop services. ctl_default_prop is the catch-all among them,
# so check which services fall under it.
795 set_prop(system_server, ctl_default_prop)
796 set_prop(system_server, ctl_bugreport_prop)
797 set_prop(system_server, ctl_gsid_prop)
798 set_prop(system_server, ctl_artd_pre_reboot_prop)
801 set_prop(system_server, cppreopt_prop)
# device_config_* properties: one type per flag namespace, each consumed by the native
# component it is named after. This list includes memory-safety and runtime namespaces.
804 set_prop(system_server, device_config_core_experiments_team_internal_prop)
805 set_prop(system_server, device_config_edgetpu_native_prop)
806 set_prop(system_server, device_config_input_native_boot_prop)
807 set_prop(system_server, device_config_netd_native_prop)
808 set_prop(system_server, device_config_nnapi_native_prop)
809 set_prop(system_server, device_config_activity_manager_native_boot_prop)
810 set_prop(system_server, device_config_runtime_native_boot_prop)
811 set_prop(system_server, device_config_runtime_native_prop)
812 set_prop(system_server, device_config_lmkd_native_prop)
813 set_prop(system_server, device_config_media_native_prop)
814 set_prop(system_server, device_config_camera_native_prop)
815 set_prop(system_server, device_config_mglru_native_prop)
816 set_prop(system_server, device_config_profcollect_native_boot_prop)
817 set_prop(system_server, device_config_statsd_native_prop)
818 set_prop(system_server, device_config_statsd_native_boot_prop)
819 set_prop(system_server, device_config_storage_native_boot_prop)
820 set_prop(system_server, device_config_swcodec_native_prop)
821 set_prop(system_server, device_config_sys_traced_prop)
822 set_prop(system_server, device_config_window_manager_native_boot_prop)
823 set_prop(system_server, device_config_configuration_prop)
824 set_prop(system_server, device_config_connectivity_prop)
825 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
826 set_prop(system_server, device_config_aconfig_flags_prop)
827 set_prop(system_server, device_config_vendor_system_native_prop)
828 set_prop(system_server, device_config_vendor_system_native_boot_prop)
829 set_prop(system_server, device_config_virtualization_framework_native_prop)
830 set_prop(system_server, device_config_memory_safety_native_boot_prop)
831 set_prop(system_server, device_config_memory_safety_native_prop)
832 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
833 set_prop(system_server, device_config_tethering_u_or_later_native_prop)
834 set_prop(system_server, device_config_mmd_native_prop)
835 set_prop(system_server, smart_idle_maint_enabled_prop)
836 set_prop(system_server, arm64_memtag_prop)
839 set_prop(system_server, next_boot_prop)
# Mostly read-only property access (get_prop), with a few set_prop grants interleaved
# (firstboot, test_harness, zram_control, dalvik_runtime, persist_wm_debug,
# tuner_server_ctl).
842 get_prop(system_server, pm_16kb_app_compat_prop)
# NOTE(review): these two types also have set_prop grants at lines 810-811 of the file.
# If set_prop already implies read access, these get_prop lines are redundant; confirm
# against the macro definition.
845 get_prop(system_server, device_config_runtime_native_boot_prop)
846 get_prop(system_server, device_config_runtime_native_prop)
849 get_prop(system_server, bootloader_boot_reason_prop)
851 get_prop(system_server, system_boot_reason_prop)
854 get_prop(system_server, boottime_prop)
# Read access to the device serial number property, a persistent hardware identifier.
857 get_prop(system_server, serialno_prop)
860 get_prop(system_server, usb_uvc_enabled_prop)
862 # Read/write the property which keeps track of whether this is the first start of system_server
863 set_prop(system_server, firstboot_prop)
867 get_prop(system_server, audio_config_prop)
870 get_prop(system_server, media_config_prop)
874 get_prop(system_server, device_config_reset_performed_prop)
877 set_prop(system_server, test_harness_prop)
880 get_prop(system_server, gsid_prop)
883 get_prop(system_server, mock_ota_prop)
886 get_prop(system_server, wifi_prop)
889 get_prop(system_server, incremental_prop)
892 get_prop(system_server, zram_config_prop)
895 set_prop(system_server, zram_control_prop)
898 set_prop(system_server, dalvik_runtime_prop)
901 get_prop(system_server, packagemanager_config_prop)
904 get_prop(system_server, net_464xlat_fromvendor_prop)
907 get_prop(system_server, hypervisor_prop)
# Both get_prop and set_prop are declared for persist_wm_debug_prop.
910 get_prop(system_server, persist_wm_debug_prop)
911 set_prop(system_server, persist_wm_debug_prop)
914 get_prop(system_server, persist_sysui_builder_extras_prop)
916 get_prop(system_server, persist_sysui_ranking_update_prop)
919 get_prop(system_server, tuner_config_prop)
921 set_prop(system_server, tuner_server_ctl_prop)
924 get_prop(system_server, traced_oome_heap_session_count_prop)
928 get_prop(system_server, sensors_config_prop)
931 get_prop(system_server, system_service_enable_prop)
934 get_prop(system_server, mmd_shared_prop)
# Create and manage the two socket files that the named type_transition rules at
# lines 20 and 23 of the file label.
937 allow system_server system_ndebug_socket:sock_file create_file_perms;
940 allow system_server system_unsolzygote_socket:sock_file create_file_perms;
# /cache: full management of files, directories and FIFOs, plus relabelfrom.
943 allow system_server cache_file:lnk_file r_file_perms;
944 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
945 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
946 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
# system_file: directory listing, symlink reads and file locking only in these rules.
948 allow system_server system_file:dir r_dir_perms;
949 allow system_server system_file:lnk_file r_file_perms;
952 allow system_server system_file:file lock;
956 allow system_server gps_control:file rw_file_perms;
958 # Allow system_server to use app-created sockets and pipes.
# These objects are created by apps and handed to system_server, so data read from them
# is app-controlled input. The permission list on line 959 is cut off in this listing.
959 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown…
960 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
963 allow system_server cache_backup_file:dir rw_dir_perms;
964 allow system_server cache_backup_file:file create_file_perms;
966 allow system_server cache_private_backup_file:dir create_dir_perms;
967 allow system_server cache_private_backup_file:file create_file_perms;
# Raw USB device nodes, read/write.
970 allow system_server usb_device:chr_file rw_file_perms;
971 allow system_server usb_device:dir r_dir_perms;
# fsck logs: read, and rename/remove entries within the directory.
974 r_dir_file(system_server, fscklogs)
975 allow system_server fscklogs:dir { write remove_name add_name };
976 allow system_server fscklogs:file rename;
978 # logd access, system_server inherit logd write socket
980 allow system_server zygote:unix_dgram_socket write;
# Log reading macros: system_server can read the device log buffers.
983 read_logd(system_server)
984 read_runtime_log_tags(system_server)
986 # Be consistent with DAC permissions. Allow system_server to write to
989 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
# pstore (persistent kernel log storage), read-only.
994 allow system_server pstorefs:dir r_dir_perms;
995 allow system_server pstorefs:file r_file_perms;
998 allow system_server sysfs_zram:dir search;
999 allow system_server sysfs_zram:file rw_file_perms;
# Read the loaded SELinux policy from the kernel.
1002 allow system_server kernel:security read_policy;
1004 add_service(system_server, system_server_service);
1005 allow system_server artd_service:service_manager find;
1006 allow system_server artd_pre_reboot_service:service_manager find;
1007 allow system_server audioserver_service:service_manager find;
1008 allow system_server authorization_service:service_manager find;
1009 allow system_server batteryproperties_service:service_manager find;
1010 allow system_server cameraserver_service:service_manager find;
1011 allow system_server compos_service:service_manager find;
1012 allow system_server dataloader_manager_service:service_manager find;
1013 allow system_server dexopt_chroot_setup_service:service_manager find;
1014 allow system_server dnsresolver_service:service_manager find;
1015 allow system_server drmserver_service:service_manager find;
1016 allow system_server dumpstate_service:service_manager find;
1017 allow system_server fingerprintd_service:service_manager find;
1018 allow system_server gatekeeper_service:service_manager find;
1019 allow system_server gpu_service:service_manager find;
1020 allow system_server gsi_service:service_manager find;
1021 allow system_server idmap_service:service_manager find;
1022 allow system_server incident_service:service_manager find;
1023 allow system_server incremental_service:service_manager find;
1024 allow system_server installd_service:service_manager find;
1025 allow system_server keystore_maintenance_service:service_manager find;
1026 allow system_server keystore_metrics_service:service_manager find;
1027 allow system_server keystore_service:service_manager find;
1028 allow system_server mdns_service:service_manager find;
1029 allow system_server mediaserver_service:service_manager find;
1030 allow system_server mediametrics_service:service_manager find;
1031 allow system_server mediaextractor_service:service_manager find;
1032 allow system_server mediadrmserver_service:service_manager find;
1033 allow system_server mediatuner_service:service_manager find;
1034 allow system_server mmd_service:service_manager find;
1035 allow system_server netd_service:service_manager find;
1036 allow system_server nfc_service:service_manager find;
1037 allow system_server ot_daemon_service:service_manager find;
1038 allow system_server radio_service:service_manager find;
1039 allow system_server stats_service:service_manager find;
1040 allow system_server storaged_service:service_manager find;
1041 allow system_server surfaceflinger_service:service_manager find;
1042 allow system_server update_engine_service:service_manager find;
1043 allow system_server virtual_camera_service:service_manager find;
1045 allow system_server virtualization_maintenance_service:service_manager find;
1047 allow system_server vold_service:service_manager find;
1048 allow system_server wifinl80211_service:service_manager find;
1049 allow system_server logd_service:service_manager find;
1051 allow system_server profcollectd_service:service_manager find;
1053 allow system_server wifi_mainline_supplicant_service:service_manager find;
# Service registration, Keystore2 access, and the frp block device.
# add_service is a macro defined outside this file; in AOSP te_macros it lets the
# domain add and find the service type - confirm against the tree in use.
1055 add_service(system_server, batteryproperties_service)
# NOTE(review): this listing shows only lines containing "system_server", so the
# permission sets opened with "{" on the five keystore rules below are cut off.
# Review the full file before judging how much Keystore2 access is granted.
1057 allow system_server keystore:keystore2 {
1071 allow system_server keystore:keystore2_key {
1082 allow system_server wifi_key:keystore2_key {
1091 allow system_server resume_on_reboot_key:keystore2_key {
1100 allow system_server locksettings_key:keystore2_key {
# frp_block_device is the single block device system_server may write: the
# neverallow at 1459 denies write permissions on every other dev_type blk_file.
# The extended-permission rule names only the two discard ioctl requests.
1111 allow system_server block_device:dir search;
1112 allow system_server frp_block_device:blk_file rw_file_perms;
1113 allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
# cgroup management, storage mount points, trace output directories, FUSE and configfs.
# cgroup v1 and v2: create directories and change file attributes; v2 files are also readable.
1116 allow system_server cgroup:dir create_dir_perms;
1117 allow system_server cgroup:file setattr;
1118 allow system_server cgroup_v2:dir create_dir_perms;
1119 allow system_server cgroup_v2:file { r_file_perms setattr };
1122 r_dir_file(system_server, oemfs)
# Storage paths get traversal only: getattr and search on directories, getattr and read
# on symlinks. The neverallow rules at 1358-1359 forbid open, read and write on
# sdcard_type and fuse directories and any read or write on their files.
1125 allow system_server { mnt_user_file storage_file }:dir { getattr search };
1126 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
1130 allow system_server { sdcard_type fuse }:dir { getattr search };
1133 allow system_server mnt_expand_file:dir r_dir_perms;
# fingerprintd data: directory listing, relabel and removal, plus getattr and unlink on
# files. No file read or write is granted by these two rules.
1137 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
1138 allow system_server fingerprintd_data_file:file { getattr unlink };
1142 allow system_server method_trace_data_file:dir w_dir_perms;
1143 allow system_server method_trace_data_file:file { create w_file_perms };
# syslog_read on the kernel system class: system_server can read the kernel log buffer.
1146 allow system_server kernel:system syslog_read;
# Window manager and accessibility trace files: create, write and delete, no read.
# NOTE(review): the accessibility file rule is truncated at both ends in this listing.
1149 allow system_server wm_trace_data_file:dir rw_dir_perms;
1150 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
1153 allow system_server accessibility_trace_data_file:dir rw_dir_perms;
1154 …allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perm…
# File descriptors received from vold, the FUSE character device, and app_fuse files.
1158 allow system_server vold:fd use;
1159 allow system_server fuse_device:chr_file { read write ioctl getattr };
1160 allow system_server app_fuse_file:file { read write getattr };
# configfs: create and remove directories and files, and write file contents.
1163 allow system_server configfs:dir { create_dir_perms };
1164 allow system_server configfs:file { getattr open create unlink write };
# adbd socket and properties, helper binaries, and verity-related ioctls.
# system_server connects to a unix stream socket owned by adbd_common and uses its fds.
1168 allow system_server adbd_common:unix_stream_socket connectto;
1169 allow system_server adbd_common:fd use;
1170 allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
# adbd_prop is read-only here; system_adbd_prop and adbd_tradeinmode_prop are writable.
1173 get_prop(system_server, adbd_prop)
1176 set_prop(system_server, system_adbd_prop)
1179 set_prop(system_server, adbd_tradeinmode_prop)
# NOTE(review): no domain transition for toolbox or pbtombstone appears in this listing,
# and the neverallow at 1386 limits transitions to clatd, crash_dump, perfetto and
# trace_redactor. These binaries therefore presumably run inside the system_server
# domain with its permissions - confirm rx_file_perms in global_macros.
1182 allow system_server toolbox_exec:file rx_file_perms;
1185 allow system_server pbtombstone_exec:file rx_file_perms;
# Extended ioctl permissions on APK and data files.
# NOTE(review): the rule at 1188 is truncated; its ioctl list is not visible here.
1188 allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file…
1191 allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
1192 allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
# Update pipeline IPC, preload cleanup, memory allocators, procfs and debugfs reads.
# Binder calls to postinstall; write-only access to fifos from postinstall and update_engine.
1197 binder_call(system_server, postinstall)
1199 allow system_server postinstall:fifo_file write;
1200 allow system_server update_engine:fd use;
1201 allow system_server update_engine:fifo_file write;
# Preloaded data and media: read and delete, no create or write of file contents.
1204 allow system_server preloads_data_file:file { r_file_perms unlink };
1205 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
1206 allow system_server preloads_media_file:file { r_file_perms unlink };
1207 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
1209 r_dir_file(system_server, cgroup)
1210 r_dir_file(system_server, cgroup_v2)
# ION and DMA-BUF heap devices, including the secure heap, are opened read-only.
1211 allow system_server ion_device:chr_file r_file_perms;
1214 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
1216 allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
1218 r_dir_file(system_server, proc_asound)
1219 r_dir_file(system_server, proc_net_type)
1220 r_dir_file(system_server, proc_qtaguid_stat)
# NOTE(review): the rule opened at 1221 continues on lines omitted from this listing.
1221 allow system_server {
1238 allow system_server proc_uid_time_in_state:dir r_dir_perms;
1239 allow system_server proc_uid_cpupower:file r_file_perms;
1241 r_dir_file(system_server, rootfs)
# debugfs tracing: wifi tracing files are read-write, boot receiver tracing is read-only.
1244 allow system_server debugfs_tracing_instances:dir search;
1245 allow system_server debugfs_wifi_tracing:dir search;
1246 allow system_server debugfs_wifi_tracing:file rw_file_perms;
1249 allow system_server debugfs_bootreceiver_tracing:dir search;
1250 allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
# Tracepoint ids, ASAN-only exec rights, eBPF access, PF_KEY socket and the clatd transition.
1252 # Allow system_server to read tracepoint ids in order to attach BPF programs to them.
1253 allow system_server debugfs_tracing:file r_file_perms;
# NOTE(review): the comment at 1255 scopes the three exec rules below to ASAN builds, but
# the construct that makes them conditional does not contain "system_server" and is
# missing from this listing. Confirm in the full file that they are not unconditional:
# executing a shell from system_server would otherwise be a wide grant.
1255 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
1258 allow system_server shell_exec:file rx_file_perms;
1259 allow system_server asanwrapper_exec:file rx_file_perms;
1260 allow system_server zygote_exec:file rx_file_perms;
# BPF: search and file access under the listed bpffs types, prog_run only on programs
# owned by bpfloader, map_create only on self, and map read and write on maps owned by
# bpfloader, netd, network_stack and system_server.
# NOTE(review): the file permission set at 1267 is truncated in this listing.
1263 # allow system_server to read the eBPF maps that stores the traffic stats information and update
1266 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
1267 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { get…
1268 allow system_server bpfloader:bpf prog_run;
1269 allow system_server self:bpf map_create;
1270 allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# key_socket: create is allowed; getopt stays denied and dontaudit only silences its log entry.
1272 allow system_server self:key_socket create;
1275 dontaudit system_server self:key_socket getopt;
1278 allow system_server fs_bpf_memevents:dir search;
1279 allow system_server fs_bpf_memevents:file { read write };
# clatd is one of the four domains exempted from the transition neverallow at 1386.
1281 # Allow system_server to start clatd in its own domain and kill it.
1282 domain_auto_trans(system_server, clatd_exec, clatd)
1283 allow system_server clatd:process { sigkill signal };
# App profile data, USB functionfs, system properties, binder freezer, kmsg and fonts.
1286 # Allow system_server to open profile snapshots for read.
1289 allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
1290 allow system_server user_profile_data_file:file { getattr open read };
1295 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
1296 allow system_server profman_dump_data_file:dir rw_dir_perms;
# NOTE(review): the rules at 1300-1301 grant directory write and full file create
# permissions on user_profile_data_file, so effective access is wider than the
# read-only grant at 1289-1290. Their explanatory comment is not in this listing.
1300 allow system_server user_profile_data_file:dir rw_dir_perms;
1301 allow system_server user_profile_data_file:file create_file_perms;
1304 get_prop(system_server,system_jvmti_agent_prop)
1307 allow system_server functionfs:dir search;
1308 allow system_server functionfs:file rw_file_perms;
1311 allow system_server sysfs_type:dir search;
1312 r_dir_file(system_server, sysfs_udc)
1315 # system_server contains time / time zone detection logic so reads the associated properties.
1316 get_prop(system_server, time_prop)
1318 # system_server reads this property to know it should expect the lmkd sends notification to it
1320 get_prop(system_server, system_lmk_prop)
1322 get_prop(system_server, wifi_config_prop)
# Binder freezer ioctls; the neverallowxperm at 1653 denies them to every other domain.
1325 allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
# kmsg_debug_device is append-only for system_server: open, append and getattr, no read.
1329 allow system_server kmsg_debug_device:chr_file { open append getattr };
1332 get_prop(system_server, framework_watchdog_config_prop)
# Font files: full create permissions plus the two fs-verity ioctls named below.
# The neverallow rules at 1656-1657 deny write access to all domains except init and system_server.
1336 allow system_server font_data_file:file create_file_perms;
1337 allow system_server font_data_file:dir create_dir_perms;
1339 allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
1342 get_prop(system_server, qemu_hw_prop)
# Wrapped in userdebug_or_eng, so this read access is absent from user builds.
1345 userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
1348 get_prop(system_server, power_debug_prop)
1349 set_prop(system_server, power_debug_prop)
# Assertions about what system_server must never be granted. neverallow rules grant
# nothing; they make the policy build fail if any allow rule matches them.
# NOTE(review): this listing shows only lines containing "system_server". Rules ending
# in "{" or "…" are cut off, and bare "-system_server" lines are single members of
# multi-line source sets whose other lines are omitted. Read the full file before
# drawing conclusions from those fragments.
1354 ### system_server should NEVER do any of this
1357 # could cause the kernel to kill the system_server.
1358 neverallow system_server { sdcard_type fuse }:dir { open read write };
1359 neverallow system_server { sdcard_type fuse }:file rw_file_perms;
1364 # Exclude those types that system_server needs to open directly.
1365 neverallow system_server {
1375 neverallow system_server {
# Domain transitions: only into clatd, crash_dump, perfetto and trace_redactor, and no
# dyntransition to any domain. This bounds which other domains code in system_server can enter.
1383 # Ensure that system_server doesn't perform any domain transitions other than
1386 neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
1387 neverallow system_server *:process dyntransition;
# "~search" is the complement set: every dir permission except search is forbidden.
1389 # Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
1390 neverallow system_server perfetto_traces_data_file:dir ~search;
1393 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write …
1399 -system_server
1405 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
1409 -system_server
1436 # Only allow system_server and init to set tuner_server_ctl_prop
1439 -system_server
# Code-execution limits: no executing dex2oat and no executing any data_file_type file,
# so files written under data labels cannot be run by system_server.
1443 # system_server should never be executing dex2oat. This is either
1447 neverallow system_server dex2oat_exec:file no_x_file_perms;
1449 # system_server should never execute or load executable shared libraries
1452 neverallow system_server data_file_type:file no_x_file_perms;
# Block devices: writes only to frp_block_device; reads only from frp_block_device and vd_device.
1454 # The only block device system_server should be writing to is
1455 # the frp_block_device. This helps avoid a system_server to root
1457 # The system_server may need to read from vd_device if it uses
1459 neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
1460 neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
# NOTE(review): 1469 and 1470 appear to be the two arms of a build-time conditional whose
# condition is on lines omitted here. One arm allows execmem and the other forbids it
# on physical devices. Check the full file to see which builds take the allow arm.
1462 # system_server should never use JIT functionality
1469 `allow system_server self:process execmem;',
1470 on_physical_device(`neverallow system_server self:process execmem;'))
# No execute on ashmem devices or on system_server tmpfs files.
1471 neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
1474 neverallow system_server system_server_tmpfs:file execute;
# Startup handoff, APEX access, suspend control, /metadata state and pressure stall files.
# Access to objects owned by system_server_startup: fds, tmpfs files and a datagram socket.
1477 allow system_server system_server_startup:fd use;
1478 allow system_server system_server_startup_tmpfs:file { read write map };
1479 allow system_server system_server_startup:unix_dgram_socket write;
# APEX: find the apex service, call apexd over binder, read mount dir and info file.
1482 allow system_server apex_service:service_manager find;
1483 allow system_server apexd:binder call;
1486 allow system_server apex_mnt_dir:dir r_dir_perms;
1489 allow system_server apex_info_file:file r_file_perms;
1491 # Allow system_server to communicate with tradeinmode.
1492 binder_call(system_server, tradeinmode)
# Suspend control: binder calls are permitted in both directions with system_suspend.
1495 allow system_server system_suspend_control_internal_service:service_manager find;
1496 allow system_server system_suspend_control_service:service_manager find;
1497 binder_call(system_server, system_suspend)
1498 binder_call(system_suspend, system_server)
1501 wakelock_use(system_server)
# APEX data and vendor APEX files are read-only: directory traversal plus file read.
1503 # Allow the system server to read files under /data/apex. The system_server
1507 allow system_server apex_data_file:dir { getattr search };
1508 allow system_server apex_data_file:file r_file_perms;
1511 # vendor APEX packages might be installed and system_server needs to parse
1513 allow system_server vendor_apex_file:dir { getattr search };
1514 allow system_server vendor_apex_file:file r_file_perms;
# Per-module APEX data: traversal of the parent, full create access on the three types
# named below, per the comment at 1518.
1517 allow system_server apex_module_data_file:dir { getattr search };
1518 # These are modules where the code runs in system_server, so we need full access.
1519 allow system_server apex_system_server_data_file:dir create_dir_perms;
1520 allow system_server apex_system_server_data_file:file create_file_perms;
1521 allow system_server apex_tethering_data_file:dir create_dir_perms;
1522 allow system_server apex_tethering_data_file:file create_file_perms;
1523 allow system_server apex_uwb_data_file:dir create_dir_perms;
1524 allow system_server apex_uwb_data_file:file create_file_perms;
# NOTE(review): the two rules opened at 1526 and 1532 continue on lines omitted here.
1526 allow system_server {
1532 allow system_server {
# Metadata state. password_slot_metadata_file is further locked down by the neverallow
# rules at 1605 and 1611, which deny all access to domains other than init and system_server.
1541 allow system_server metadata_file:dir search;
1542 allow system_server password_slot_metadata_file:dir rw_dir_perms;
1543 allow system_server password_slot_metadata_file:file create_file_perms;
1546 allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
1547 allow system_server tradeinmode_metadata_file:file create_file_perms;
1549 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
1550 allow system_server userspace_reboot_metadata_file:file create_file_perms;
1553 allow system_server staged_install_file:dir rw_dir_perms;
1554 allow system_server staged_install_file:file create_file_perms;
1556 allow system_server watchdog_metadata_file:dir rw_dir_perms;
1557 allow system_server watchdog_metadata_file:file create_file_perms;
1559 # allow system_server write to aconfigd socket
1560 unix_socket_connect(system_server, aconfigd, aconfigd);
1562 # allow system_server write to aconfigd_mainline socket
1563 unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
1565 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
1566 allow system_server repair_mode_metadata_file:file create_file_perms;
1568 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
1569 allow system_server gsi_persistent_data_file:file create_file_perms;
# odrefresh output: directory write plus file read and unlink, no file write.
1572 allow system_server odrefresh_data_file:dir rw_dir_perms;
1573 allow system_server odrefresh_data_file:file { r_file_perms unlink };
# r_file_perms only: the surfaceflinger binary can be read but not executed via this rule.
1576 allow system_server surfaceflinger_exec:file r_file_perms;
1579 set_prop(system_server, userspace_reboot_log_prop)
# NOTE(review): 1584 is one member of a multi-line set; the enclosing rule is not shown.
1584 -system_server
# Pressure stall information: memory is read-write, cpu and io are read-only.
1593 allow system_server proc_pressure_mem:file rw_file_perms;
1595 allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
# Further assertions and grants: ptrace, capabilities, password slots, perf events,
# property ownership, binder freezer, fonts and crash recovery.
# NOTE(review): bare "-system_server" lines and rules ending in "{" or "…" are fragments
# of multi-line rules whose remaining lines are omitted from this listing.
# system_server may not ptrace any other domain and may not hold CAP_SYS_RESOURCE.
1598 neverallow system_server { domain -system_server }:process ptrace;
1602 neverallow system_server system_server:global_capability_class_set sys_resource;
1604 # Only system_server/init should access /metadata/password_slots.
1605 neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
1609 -system_server
1611 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
1614 set_prop(system_server, binder_cache_system_server_prop)
1615 neverallow { domain -system_server -init }
# The allow at 1620 and the neverallow at 1621 are exact complements: "~" denies every
# perf_event permission outside the four granted, so widening the allow fails the build.
1619 # system_server cannot use this access to read perf event data like process stacks.
1620 allow system_server self:perf_event { open write cpu kernel };
1621 neverallow system_server self:perf_event ~{ open write cpu kernel };
1624 allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
1625 allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
# Only init and system_server may set these two properties.
1628 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
1630 neverallow { domain -init -system_server } boot_status_prop:property_service set;
1637 -system_server
1644 -system_server
# Counterpart of the allowxperm at 1325: the freezer ioctls are denied to all other domains.
1650 # can be accessed by system_server only (b/143717177)
1651 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
1653 neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_F…
# Font data is writable only by init and system_server.
1656 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
1657 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
1660 allow system_server system_font_fallback_file:file r_file_perms;
1663 set_prop(system_server, dalvik_dynamic_config_prop)
# binderfs logs are read-only for system_server.
1666 allow system_server binderfs_logs:dir r_dir_perms;
1667 allow system_server binderfs_logs_stats:file r_file_perms;
1671 allow system_server binderfs_logs_transactions:file r_file_perms;
1675 set_prop(system_server, game_manager_config_prop)
1678 set_prop(system_server, hint_manager_config_prop)
1683 -system_server
1688 get_prop(system_server, threadnetwork_config_prop)
1696 -system_server
1701 allow system_server pre_reboot_dexopt_file:dir { getattr search };
# Only open is added here; the neverallow at 1474 still forbids execute on
# system_server_tmpfs files, so a reopened memfd cannot be executed.
1703 # Allow system_server to reopen its own memfd.
1704 # system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
1706 allow system_server system_server_tmpfs:file open;
1708 # Allow system_server to read from postinstall scripts through STDIN, to check if the
1710 allow system_server postinstall:fifo_file read;
# NOTE(review): the rule opened at 1714 is cut off; its targets and permissions are not visible.
1712 # Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
1714 allow system_server {
# crashrecovery_prop: set only by init and system_server; file access also allows dumpstate.
1723 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
1724 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
1726 # Do not allow anything other than system_server and init to touch /metadata/tradeinmode.
1727 neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms;
1733 -system_server