#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# This is Android SELinux type-enforcement policy (a .te file, not C despite
# the upstream language hint). Every rule below is an additive grant for the
# system_server domain; anything not granted here or via the attributes and
# macros referenced is denied by the kernel in enforcing mode. system_server
# is the largest single trust domain in the framework, so each grant should
# be read as "what an attacker who controls system_server can reach".
#

typeattribute system_server coredomain;
# mlstrustedsubject: exempts this domain from the MLS constraints that would
# otherwise confine it to objects at its own MLS level (a broad exemption;
# it is needed because system_server serves every user/app level).
typeattribute system_server mlstrustedsubject;
# The *_service_server attributes are presumably used by rules elsewhere to
# let system_server register/serve these named services — verify in the
# attribute definitions.
typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
# bpfdomain: BPF-related grants keyed on this attribute live elsewhere.
typeattribute system_server bpfdomain;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

userfaultfd_use(system_server)

# Create a socket for connections from crash_dump.
# The type_transition gives the socket file its own type, so crash_dump can be
# granted access to exactly this socket rather than to all of system_data_file.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

# Create a socket for connections from zygotes.
# Same pattern: a dedicated type keeps the zygote-side grant narrow.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";

allow system_server zygote_tmpfs:file { map read };
# NOTE(review): write+map on app-owned tmpfs (ashmem) regions means memory
# shared with, and concurrently writable by, app processes. Anything
# system_server reads from such a mapping is untrusted and may change under
# it (classic shared-memory TOCTOU); consumers must copy before validating.
allow system_server appdomain_tmpfs:file { getattr map read write };

# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;

# To create files, get permission to fill blocks, and configure Incremental File System
# The class-level `ioctl` permission alone would allow any ioctl command; the
# allowxperm rule that follows restricts it to the listed incfs commands.
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
  INCFS_IOCTL_CREATE_FILE
  INCFS_IOCTL_CREATE_MAPPED_FILE
  INCFS_IOCTL_PERMIT_FILL
  INCFS_IOCTL_GET_READ_TIMEOUTS
  INCFS_IOCTL_SET_READ_TIMEOUTS
  INCFS_IOCTL_GET_LAST_READ_ERROR
};

# To get signature of an APK installed on Incremental File System, and fill in data
# blocks and get the filesystem state
# (The base `ioctl` permission on apk_data_file comes from the create_file_perms
# grant further down this file; this list is the command allowlist for it.)
allowxperm system_server apk_data_file:file ioctl {
  INCFS_IOCTL_READ_SIGNATURE
  INCFS_IOCTL_FILL_BLOCKS
  INCFS_IOCTL_GET_FILLED_BLOCKS
  INCFS_IOCTL_GET_BLOCK_COUNT
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_COMPRESS_BLOCKS
  F2FS_IOC_COMPRESS_FILE
  F2FS_IOC_DECOMPRESS_FILE
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
  FS_IOC_SETFLAGS
  FS_IOC_GETFLAGS
};

allowxperm system_server apk_tmp_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;

# For f2fs-compression support
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;

# For SdkSandboxManagerService
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;

# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
# dontaudit only silences the audit record; it does NOT grant execute, so the
# load still fails as described above.
dontaudit system_server apex_art_data_file:file execute;

# For release odex/vdex compress blocks
allowxperm system_server dalvikcache_data_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
# Only compiled into ASAN builds; absent from production policy.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to `self`: the sys_ptrace capability granted below does not extend
# ptrace to other domains.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;

# May kill zygote (or its child processes) on crashes.
# sigkill on zygote/webview_zygote/app_zygote takes down the process that
# forks all future apps of that kind; this is intentional crash handling, but
# it means a confused-deputy path into these signals is a device-wide DoS.
allow system_server {
  app_zygote
  crash_dump
  crosvm
  virtualizationmanager
  webview_zygote
  zygote
}:process { getpgid sigkill signull };

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)

# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
# These sockets arrive from apps over binder; the app chooses the socket, so
# the offload code must validate socket type/state before issuing ioctls.
allow system_server appdomain:tcp_socket ioctl;

# These are the capabilities assigned by the zygote to the
# system server.
# A kernel capability check needs both the capability bit in the process's
# credentials and this SELinux grant; this rule does not add bits the zygote
# did not give. net_admin/net_raw are what make VPN and tethering work,
# sys_boot allows reboot, sys_time allows setting the clock; sys_ptrace is
# paired with the self-only ptrace rule above.
allow system_server self:global_capability_class_set {
  ipc_lock
  kill
  net_admin
  net_bind_service
  net_broadcast
  net_raw
  sys_boot
  sys_nice
  sys_ptrace
  sys_time
  sys_tty_config
};

# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;

# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
# sock_diag exposes every socket on the device (including other apps'), so
# results must only be used for the owning-UID lookup described here.
allow system_server self:netlink_tcpdiag_socket
  { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;

# libvintf reads the kernel config to verify vendor interface compatibility.
allow system_server config_gz:file { read open };

# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
# (Socket creation for netlink_route_socket is presumably covered by
# net_domain above; only the write permission is added here.)
allow system_server self:netlink_route_socket nlmsg_write;

# Use XFRM (IPsec) netlink sockets
allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
allow system_server appdomain:process { signull };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
# Set scheduling info for VMs (b/375058190)
allow system_server { virtualizationmanager crosvm }:process { getsched setsched };

# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
allow system_server kernel:process { getsched setsched };

# Allow system_server to write to /proc/<pid>/*
# NOTE(review): `domain` is the attribute carried by every process type, so
# this grants write on files labeled with *any* domain — on Android that is
# how /proc/<pid>/* entries are labeled. The kernel's own procfs checks
# (file mode, ptrace_may_access) still bound what is reachable, but any new
# per-process procfs file becomes writable by system_server automatically.
# If only specific entries (e.g. oom_score_adj) are needed, a dedicated
# type would be narrower — TODO confirm which entries are actually written.
allow system_server domain:file w_file_perms;

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
# This is device-wide process visibility (maps, status, cmdline of every
# domain); treat the data as sensitive when it is surfaced to callers.
r_dir_file(system_server, domain)

# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };

# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };

# Write to /proc/sysrq-trigger.
# NOTE(review): sysrq-trigger can sync, crash or reboot the kernel (subject to
# the kernel's sysrq mask). Any caller-controlled path that reaches this write
# from system_server is a full-device DoS; keep the writing code unreachable
# from unprivileged IPC.
allow system_server proc_sysrq:file rw_file_perms;

# Delete /data/misc/stats-service/ directories.
# Only unlink/remove_name are granted, not create or write: system_server can
# delete stats configs but not author them from this rule.
allow system_server stats_config_data_file:dir { open read remove_name search write };
allow system_server stats_config_data_file:file unlink;

# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;
allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
allow system_server odsign_metrics_file:file { r_file_perms unlink };

# Read /sys/kernel/debug/wakeup_sources.
# Only compiled in on builds that do not restrict debugfs; production policy
# with debugfs restrictions gets no rule here.
no_debugfs_restriction(`
  allow system_server debugfs_wakeup_sources:file r_file_perms;
')

# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;

# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file r_file_perms;

# Read /sys/kernel/mm/cma/*.
# Gated on board API level >= 202504; older boards do not get this grant.
starting_at_board_api(202504, `
allow system_server sysfs_cma:file r_file_perms;
')

# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
allow system_server sysfs_dmabuf_stats:file r_file_perms;

# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;

# Allow reading /proc/vmstat for the oom kill count
allow system_server proc_vmstat:file r_file_perms;

# The DhcpClient and WifiWatchdog use packet_sockets
# Packet sockets see/send raw link-layer frames; frames received here are
# network-attacker-controlled input and must be parsed defensively.
allow system_server self:packet_socket create_socket_perms_no_ioctl;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, uncrypt, uncrypt)

# Allow system_server to write to statsd.
unix_socket_send(system_server, statsdw, statsd)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

allow system_server gpuservice:unix_stream_socket { read write setopt };

# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };

# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };

# Perform Binder IPC.
# binder_call(system_server, X) grants the outbound call side toward X (and
# lets X pass fds/references back in the reply). The inbound direction — apps
# and daemons calling into system_server — is granted in those domains'
# own policy, not here. Replies from every peer listed, and especially from
# appdomain, are untrusted input to system_server.
binder_use(system_server)
binder_call(system_server, appdomain)
binder_call(system_server, artd)
binder_call(system_server, binderservicedomain)
binder_call(system_server, composd)
binder_call(system_server, dexopt_chroot_setup)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
binder_call(system_server, gpuservice)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, mmd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
# Debug/eng builds only; absent from user builds.
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, uprobestats)
binder_call(system_server, wifi_mainline_supplicant)
# Lets system_server register/publish services with servicemanager.
binder_service(system_server)

# Use HALs
# Each hal_client_domain line opens an IPC path to a (usually vendor-owned)
# HAL process. HALs are a separate trust domain: data coming back from them
# should be validated like any other external input.
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_bluetooth)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_keymint)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_mediaquality)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_secretkeeper)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_threadnetwork)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_hdmi_cec)
hal_client_domain(system_server, hal_tv_hdmi_connection)
hal_client_domain(system_server, hal_tv_hdmi_earc)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_uwb)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
# The bootctl is a pass through HAL mode under recovery mode. So we skip the
# permission for recovery in order not to give system server the access to
# the low level block devices.
not_recovery(`hal_client_domain(system_server, hal_bootctl)')

# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;

# Use RenderScript always-passthrough HAL
# NOTE(review): execute+map on same_process_hal_file loads vendor-supplied
# code *into* the system_server process, where it runs with every grant in
# this file. This is the one place the vendor/system trust boundary is
# crossed in-process rather than over IPC; a bug in that library is a bug in
# system_server.
allow system_server hal_renderscript_hwservice:hwservice_manager find;
allow system_server same_process_hal_file:file { execute read open getattr map };

# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)

# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;

# Send signals to trigger ANR traces.
# Only `signal` is granted here (not sigkill); the stack-dump signal is what
# these processes expect from the watchdog.
allow system_server {
  # This is derived from the list that system server defines as interesting native processes
  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  artd
  audioserver
  cameraserver
  drmserver
  gpuservice
  inputflinger
  keystore
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  mediatranscoding
  mediatuner
  mmd
  netd
  sdcardd
  servicemanager
  statsd
  surfaceflinger
  vold

  # This list comes from HAL_INTERFACES_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_face_server
  hal_fingerprint_server
  hal_gnss_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_light_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_vibrator_server
  hal_vr_server
  hal_wifi_hostapd_server
  hal_wifi_server
  hal_wifi_supplicant_server
  system_suspend_server
}:process { signal };

# Use sockets received over binder from various services.
# No `create` here: system_server can only use sockets these domains hand it.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Use sockets received over binder from various services.
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(system_server)

# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
# (presumably the seinfo-to-label mapping used when assigning app domains —
# read-only here; the file itself lives on a read-only partition.)
allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
# Lets system_server ask the kernel to evaluate access vectors for userspace
# permission decisions. Those checks are only as good as the subject context
# system_server passes in, so the caller identity must come from binder
# (getCallingUid/pid), never from the request payload.
selinux_check_access(system_server)

# Directory listing across every sysfs type; file contents still need the
# per-type grants below.
allow system_server sysfs_type:dir r_dir_perms;

r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;

r_dir_file(system_server, sysfs_extcon)

r_dir_file(system_server, sysfs_ipv4)
# Write access to IPv4 sysfs tunables (network stack configuration).
allow system_server sysfs_ipv4:file w_file_perms;

r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)

allow system_server sysfs_nfc_power_writable:file rw_file_perms;
# Read/write on sysfs_power presumably covers suspend/wake control — confirm
# which nodes are written before widening this further.
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
allow system_server sysfs_uhid:dir r_dir_perms;
allow system_server sysfs_uhid:file rw_file_perms;

# TODO: Remove when HALs are forced into separate processes
# Still present; tracked by the TODO above. Direct sysfs writes bypass the
# vibrator HAL boundary.
allow system_server sysfs_vibrator:file { write append };

# TODO: added to match above sysfs rule. Remove me?
# No rationale recorded for this write grant — candidate for removal if no
# denial appears without it.
allow system_server sysfs_usb:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server gpu_device:dir r_dir_perms;
allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
# Read/write on input devices: this is the raw event path. Combined with the
# uhid grant below it lets system_server both read and synthesize input.
allow system_server input_device:chr_file rw_file_perms;
# NOTE(review): no rationale is recorded for raw tty access — TODO confirm
# which service needs it; rw on tty_device is broad.
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
# File-level access to the adbd socket node; actually connecting would also
# need a connectto grant toward adbd, which is not in this file.
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
# uhid lets a process create virtual HID devices and feed them events, i.e.
# inject input device-wide. Any IPC that drives this path must be restricted
# to callers holding the corresponding framework permission.
allow system_server uhid_device:chr_file rw_file_perms;
allow system_server hidraw_device:dir r_dir_perms;
allow system_server hidraw_device:chr_file rw_file_perms;

# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;

# tun device used for 3rd party vpn apps and test network manager
# ioctl on the tun device is allowlisted to exactly these four commands.
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };

# Manage data/ota_package
# This rule only controls who may write the staging area; it says nothing
# about package integrity, which must be verified by whatever consumes the
# package (signature check before applying).
allow system_server ota_package_file:dir rw_dir_perms;
allow system_server ota_package_file:file create_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
# notdevfile_class_set covers the non-device file classes (regular files,
# symlinks, sockets, fifos) — a broad grant over everything labeled
# system_data_file.
allow system_server system_data_file:notdevfile_class_set create_file_perms;
# packages.list is consumed by other daemons for package/UID mapping
# (presumably installd and friends); what system_server writes here is what
# those daemons will trust.
allow system_server packages_list_file:file create_file_perms;
allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;

# Read the user parent directories like /data/user. Don't allow write access,
# as vold is responsible for creating and deleting the subdirectories.
allow system_server system_userdir_file:dir r_dir_perms;

# Manage /data/app.
# `link` permits hard links to installed APKs (used with the staging/rollback
# rules further down).
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-metadata
allow system_server apk_metadata_file:dir create_dir_perms;
allow system_server apk_metadata_file:file create_file_perms;

# Access input configuration files in the /vendor directory
# Read-only: vendor input configs are consumed, never written, from here.
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
get_prop(system_server, input_device_config_prop)

# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
# Legacy secure-container support; kept for devices upgraded from older
# releases (see the unlabeled rules further down).
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
# Debug/eng builds only; user builds get no grant toward su.
userdebug_or_eng(`
  allow system_server su:fifo_file append;
')

# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;

# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
# Note there is no `open` here: system_server can only read through an fd it
# receives, not open these files by path.
allow system_server incident_data_file:file read;

# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;

# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
# Again no `open`: read-only through a received fd.
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;

# Allow system_server to exec the perfetto cmdline client and pass it a trace config
# domain_auto_trans moves the child into the perfetto domain on exec, so it
# does not inherit system_server's SELinux grants (its DAC uid is unchanged
# by this rule). The trace config passed over the fifo is input to perfetto.
domain_auto_trans(system_server, perfetto_exec, perfetto);
allow system_server perfetto:fifo_file { read write };

# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
allow system_server perfetto_traces_data_file:dir search;

# Allow system server to exec the trace redactor cmdline client and kill the process for
# ProfilingService.
# Same transition pattern: the redactor runs in its own domain.
domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
allow system_server trace_redactor:process signal;

# Allow system server to kill perfetto processes for ProfilingService.
allow system_server perfetto:process signal;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;

# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;

# Manage /data/misc/adb.
# NOTE(review): presumably the adb authorized-keys store. Whoever can write
# here decides which hosts are trusted for adb, so the framework code behind
# this grant is part of the device's debug trust boundary.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;

# Manage /data/misc/connectivityblobdb.
# Specifically, for vpn and wifi to create, read and write to an sqlite database.
allow system_server connectivityblob_data_file:dir create_dir_perms;
allow system_server connectivityblob_data_file:file create_file_perms;

# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;

# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
# radio_data_file is shared with the radio domain; a dedicated type would let
# the two sides be granted independently (the TODO above).
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
# Name suggests key material — TODO confirm what is stored here and whether
# read access should be narrower than full create_file_perms.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;

# Manage /data/tombstones.
allow system_server tombstone_data_file:dir rw_dir_perms;
allow system_server tombstone_data_file:file create_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
# Presumably holds saved network configuration (credentials); anything that
# reads these files back out to a caller must treat them as secrets.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;

# Manage /data/rollback.
# Hard links into the rollback area share the same staging_data_file type.
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };

# Walk /data/data subdirectories.
# Traversal only: no write, and no file open, on app private directories.
allow system_server app_data_file_type:dir { getattr read search };

# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# `unlabeled` means the object carries no trustworthy label at all; keep this
# read-only and upgrade-path only.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Deliberately without `open`: system_server cannot open app-private files by
# path, only use fds the app itself handed over. Do not add `open` here.
allow system_server app_data_file_type:file { getattr read write append map };

# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };

# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
# Same fd-only pattern (no `open` on files).
allow system_server media_rw_data_file:file { getattr read write append };

# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
allow system_server system_server:process setfscreate;

# Relabel apk files.
# SELinux checks relabelfrom on the old type and relabelto on the new type
# independently, so every relabelfrom source in this file can be moved to
# every relabelto target in this file. Keep both lists minimal.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
# relabelfrom on system_data_file:file pairs with every file relabelto target
# below (wallpaper_file, icon_file), not just wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };

# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;

# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;

# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;

# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };

# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
# NOTE(review): this duplicates the `system_data_file:dir relabelfrom` rule
# in the ShortcutManager block above. Harmless (identical rules merge), but
# the comment here documents a second user of the same grant.
allow system_server system_data_file:dir relabelfrom;

# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;

# Property Service write
# set_prop grants the property_service `set` permission for each property
# type (and, in Android's te_macros, read access as well). Several of these
# are control surfaces rather than plain state: powerctl_prop presumably
# drives reboot/shutdown, the ctl_* types below request init to start/stop
# services, and debug_prop/overlay_prop influence how other processes
# behave. Framework code that sets them on behalf of a caller must
# permission-check that caller.
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
set_prop(system_server, bluetooth_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
set_prop(system_server, crashrecovery_prop)
# Debug/eng builds only.
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')

# ctl interface
# ctl.* properties are requests to init to start/stop/restart the named
# services; each property type here scopes which services can be driven.
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)
set_prop(system_server, ctl_artd_pre_reboot_prop)

# cppreopt property
set_prop(system_server, cppreopt_prop)

# server configurable flags properties
# The neverallow in the "Neverallow rules" section further down restricts which domains may set
# a subset of these types; see the NOTE there about types granted here but not listed in it.
set_prop(system_server, device_config_core_experiments_team_internal_prop)
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_aconfig_flags_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, device_config_mmd_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)

# staged flag properties
set_prop(system_server, next_boot_prop)

# Allow system server to read pm.16kb.app_compat.disabled
get_prop(system_server, pm_16kb_app_compat_prop)

# Allow querying ART device config properties.
# NOTE(review): set_prop rules for both of these types already appear above; if set_prop implies
# get_prop these two lines are redundant (harmless either way).
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)

# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)

# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)

# Read device's serial number from system properties
get_prop(system_server, serialno_prop)

# Read whether uvc gadget is enabled
get_prop(system_server, usb_uvc_enabled_prop)

# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)

# StorageManager service reads media config while checking if transcoding is supported.
get_prop(system_server, media_config_prop)

# system server reads this property to keep track of whether server configurable flags have been
# reset during the current boot.
get_prop(system_server, device_config_reset_performed_prop)

# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)

# Read gsid.image_running.
get_prop(system_server, gsid_prop)

# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)

# Read the property used as the feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)

# Read wifi.interface
get_prop(system_server, wifi_prop)

# Read the vendor property that indicates whether Incremental features are enabled
get_prop(system_server, incremental_prop)

# Read ro.zram.* properties
get_prop(system_server, zram_config_prop)

# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)

# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)

# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)

# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)

# Read/write persist.wm.debug.* properties
get_prop(system_server, persist_wm_debug_prop)
set_prop(system_server, persist_wm_debug_prop)

# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)
# Read persist.sysui.notification.ranking_update_ashmem property
get_prop(system_server, persist_sysui_ranking_update_prop)

# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
# Write tuner.server.enable (the neverallow further down limits setting this to init and
# system_server).
set_prop(system_server, tuner_server_ctl_prop)

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)

# Allow the sensor service (running in system_server) to read sensor
# configuration properties
get_prop(system_server, sensors_config_prop)

# Allow system server to determine if system services are enabled
get_prop(system_server, system_service_enable_prop)

# Allow system server to read shared mmd properties
get_prop(system_server, mmd_shared_prop)

# Create a socket for connections from crash_dump (formerly debuggerd). The neverallow on
# system_ndebug_socket in the neverallow section limits which domains may connect to it.
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;

# Manage cache files.
# relabelfrom lets system_server move objects out of the cache_file / cache_recovery_file labels;
# presumably needed for recovery/OTA handling of /cache — confirm before widening.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;

# ART locks profile files.
allow system_server system_file:file lock;

# LocationManager (e.g. GPS) needs to read and write
# to the uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir create_dir_perms;
allow system_server cache_private_backup_file:file create_file_perms;

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name add_name };
allow system_server fscklogs:file rename;

# logd access, system_server inherits logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;

# Read /sys/fs/selinux/policy
allow system_server kernel:security read_policy;

# Binder services system_server registers and the services it may look up.
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server mmd_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server virtual_camera_service:service_manager find;
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
    allow system_server virtualization_maintenance_service:service_manager find;
')
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
userdebug_or_eng(`
    allow system_server profcollectd_service:service_manager find;
')
allow system_server wifi_mainline_supplicant_service:service_manager find;

add_service(system_server, batteryproperties_service)

# Keystore-wide administrative operations.
# NOTE(review): delete_all_keys, reset, clear_uid and clear_ns are presumably destructive,
# keystore-wide operations. They are granted to the whole system_server domain (every service
# hosted in the process), not to a specific service — keep that in mind when adding code here.
allow system_server keystore:keystore2 {
    add_auth
    change_password
    change_user
    clear_ns
    clear_uid
    delete_all_keys
    get_last_auth_time
    lock
    pull_metrics
    reset
    unlock
};

# Per-key operations on keys owned by the default keystore namespace.
allow system_server keystore:keystore2_key {
    delete
    use_dev_id
    grant
    get_info
    rebind
    update
    use
};

# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};


# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# The neverallow in the neverallow section makes frp_block_device the only blk_file
# system_server may write to.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Create new process groups and clean up old cgroups
allow system_server cgroup:dir create_dir_perms;
allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };

# /oem access
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
allow system_server { sdcard_type fuse }:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

# Debug-only tracing access; none of this is present on user builds.
userdebug_or_eng(`
    # Allow system server to create and write method traces in /data/misc/trace.
    allow system_server method_trace_data_file:dir w_dir_perms;
    allow system_server method_trace_data_file:file { create w_file_perms };

    # Allow system server to read dmesg
    allow system_server kernel:system syslog_read;

    # Allow writing and removing window traces in /data/misc/wmtrace.
    allow system_server wm_trace_data_file:dir rw_dir_perms;
    allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };

    # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
    allow system_server accessibility_trace_data_file:dir rw_dir_perms;
    allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd_common:unix_stream_socket connectto;
allow system_server adbd_common:fd use;
allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi.* properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Set service.adbd.tradeinmode from ITradeInService.
set_prop(system_server, adbd_tradeinmode_prop)

# Allow invoking tools like "timeout".
# Any new exec target added here must also be carved out of the execute_no_trans neverallow in
# the neverallow section, which currently exempts only toolbox_exec, logcat_exec and
# pbtombstone_exec (plus the ASAN-only types).
allow system_server toolbox_exec:file rx_file_perms;

# Allow invoking pbtombstone
allow system_server pbtombstone_exec:file rx_file_perms;

# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;

# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;

# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Read-only access to the procfs entries system_server consumes for stats and accounting.
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
    proc_cmdline
    proc_loadavg
    proc_locks
    proc_meminfo
    proc_pagetypeinfo
    proc_pipe_conf
    proc_stat
    proc_uid_cputime_showstat
    proc_uid_io_stats
    proc_uid_time_in_state
    proc_uid_concurrent_active_time
    proc_uid_concurrent_policy_time
    proc_version
    proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;

# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
    allow system_server shell_exec:file rx_file_perms;
    allow system_server asanwrapper_exec:file rx_file_perms;
    allow system_server zygote_exec:file rx_file_perms;
')

# allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
# NOTE(review): fs_bpf_netd_readonly is included in the { getattr read write } file rule below
# despite its name. That may be intentional (the "readonly" refers to netd's side of the map),
# but confirm it is not a wider grant than the time-in-state accounting needs.
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf prog_run;
allow system_server self:bpf map_create;
allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
# The getopt is expected to be denied; dontaudit only silences the log noise.
dontaudit system_server self:key_socket getopt;

# Needed to interact with memevents-eBPF and receive notifications for memory events
allow system_server fs_bpf_memevents:dir search;
allow system_server fs_bpf_memevents:file { read write };

# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process { sigkill signal };

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# privileged apps which acquire the permissions to inspect the profiles.
# NOTE(review): "read" is still granted below — presumably required just to open the file
# read-only before handing the descriptor over; the content is consumed by the recipient.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able to create files but it should never read from them.
# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir rw_dir_perms;

# On userdebug builds we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
    allow system_server user_profile_data_file:dir w_dir_perms;
    allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
# Readers of this property type are restricted by a neverallow in the neverallow section.
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
starting_at_board_api(202504, `
allow system_server sysfs_type:dir search;
r_dir_file(system_server, sysfs_udc)
')

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know whether it should expect lmkd to send it
# notifications on low-memory kills.
get_prop(system_server, system_lmk_prop)

get_prop(system_server, wifi_config_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
# NOTE(review): only the allowxperm grant is visible here; the exclusivity the comment claims
# must be enforced by a neverallow elsewhere in the policy — confirm it exists.
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Watchdog prints debugging log to /dev/kmsg_debug.
userdebug_or_eng(`
    allow system_server kmsg_debug_device:chr_file { open append getattr };
')
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)


# Font files are written by system server
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
# Allow system process to setup and measure fs-verity for font files
allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };

# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)

# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')

# Power controls for debugging/diagnostics
get_prop(system_server, power_debug_prop)
set_prop(system_server, power_debug_prop)

###
### Neverallow rules
###
### system_server should NEVER do any of this
###
### These are compile-time assertions over the whole policy: a device policy that grants any of
### these to system_server fails to build.

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server { sdcard_type fuse }:dir { open read write };
neverallow system_server { sdcard_type fuse }:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
    app_data_file_type
    -system_app_data_file
    -radio_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
# NOTE(review): logcat_exec is exempted here but no matching allow for it is visible in this
# section; presumably granted earlier in the file — confirm the exemption is still needed.
neverallow system_server {
    file_type
    -toolbox_exec
    -logcat_exec
    -pbtombstone_exec
    with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
# add perfetto and trace_redactor which are exec'd from system server for ProfilingService.
neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
neverallow system_server *:process dyntransition;

# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
neverallow system_server perfetto_traces_data_file:dir ~search;

# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
    domain
    -init
    -system_server
    -zygote
    -app_zygote
    -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags
# NOTE(review): the set_prop grants earlier in this file cover more device_config_* types than
# are listed here (e.g. device_config_camera_native_prop, device_config_statsd_native_prop,
# device_config_statsd_native_boot_prop, device_config_profcollect_native_boot_prop,
# device_config_configuration_prop, device_config_vendor_system_native_prop,
# device_config_vendor_system_native_boot_prop, device_config_virtualization_framework_native_prop,
# device_config_memory_safety_native_prop, device_config_memory_safety_native_boot_prop).
# If those are meant to be restricted the same way they need to be added here or covered by a
# neverallow elsewhere — confirm.
neverallow {
    domain
    -init
    -system_server
    -flags_health_check
} {
    device_config_core_experiments_team_internal_prop
    device_config_activity_manager_native_boot_prop
    device_config_connectivity_prop
    device_config_input_native_boot_prop
    device_config_lmkd_native_prop
    device_config_netd_native_prop
    device_config_nnapi_native_prop
    device_config_edgetpu_native_prop
    device_config_runtime_native_boot_prop
    device_config_runtime_native_prop
    device_config_media_native_prop
    device_config_mglru_native_prop
    device_config_remote_key_provisioning_native_prop
    device_config_storage_native_boot_prop
    device_config_surface_flinger_native_boot_prop
    device_config_sys_traced_prop
    device_config_swcodec_native_prop
    device_config_aconfig_flags_prop
    device_config_window_manager_native_boot_prop
    device_config_tethering_u_or_later_native_prop
    device_config_mmd_native_prop
    next_boot_prop
}:property_service set;

# Only allow system_server and init to set tuner_server_ctl_prop
neverallow {
    domain
    -system_server
    -init
} tuner_server_ctl_prop:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server-to-root
# escalation by writing to raw block devices.
# The system_server may need to read from vd_device if it uses
# block apexes.
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
# The allow branch is only selected when the build defines
# target_requires_insecure_execmem_for_swiftshader as `true'; on every other build execmem
# is a neverallow, so a policy that grants it fails to compile.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
    `allow system_server self:process execmem;',
    `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;

# Allow system_server to communicate with tradeinmode.
binder_call(system_server, tradeinmode)

# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate to system-suspend's wakelock interface
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
allow system_server apex_tethering_data_file:dir create_dir_perms;
allow system_server apex_tethering_data_file:file create_file_perms;
allow system_server apex_uwb_data_file:dir create_dir_perms;
allow system_server apex_uwb_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
    apex_appsearch_data_file
    apex_permission_data_file
    apex_scheduling_data_file
    apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
    apex_appsearch_data_file
    apex_permission_data_file
    apex_scheduling_data_file
    apex_wifi_data_file
}:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use. Access by any domain other than init and
# system_server is blocked by the neverallows in the neverallow section.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

# Allow TradeInMode service rw access to /metadata/tradeinmode.
1542allow system_server tradeinmode_metadata_file:dir rw_dir_perms; 1543allow system_server tradeinmode_metadata_file:file create_file_perms; 1544 1545allow system_server userspace_reboot_metadata_file:dir create_dir_perms; 1546allow system_server userspace_reboot_metadata_file:file create_file_perms; 1547 1548# Allow system server rw access to files in /metadata/staged-install folder 1549allow system_server staged_install_file:dir rw_dir_perms; 1550allow system_server staged_install_file:file create_file_perms; 1551 1552allow system_server watchdog_metadata_file:dir rw_dir_perms; 1553allow system_server watchdog_metadata_file:file create_file_perms; 1554 1555# allow system_server write to aconfigd socket 1556unix_socket_connect(system_server, aconfigd, aconfigd); 1557 1558# allow system_server write to aconfigd_mainline socket 1559unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline); 1560 1561allow system_server repair_mode_metadata_file:dir rw_dir_perms; 1562allow system_server repair_mode_metadata_file:file create_file_perms; 1563 1564allow system_server gsi_persistent_data_file:dir rw_dir_perms; 1565allow system_server gsi_persistent_data_file:file create_file_perms; 1566 1567# Allow system server read and remove files under /data/misc/odrefresh 1568allow system_server odrefresh_data_file:dir rw_dir_perms; 1569allow system_server odrefresh_data_file:file { r_file_perms unlink }; 1570 1571# Allow system server r access to /system/bin/surfaceflinger for PinnerService. 1572allow system_server surfaceflinger_exec:file r_file_perms; 1573 1574# Allow init to set sysprop used to compute stats about userspace reboot. 1575set_prop(system_server, userspace_reboot_log_prop) 1576 1577# JVMTI agent settings are only readable from the system server. 
1578neverallow { 1579 domain 1580 -system_server 1581 -dumpstate 1582 -init 1583 -vendor_init 1584} { 1585 system_jvmti_agent_prop 1586}:file no_rw_file_perms; 1587 1588# Read/Write /proc/pressure/memory 1589allow system_server proc_pressure_mem:file rw_file_perms; 1590# Read /proc/pressure/cpu and /proc/pressure/io 1591allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms; 1592 1593# No ptracing others 1594neverallow system_server { domain -system_server }:process ptrace; 1595 1596# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID 1597# file read access. However, that is now unnecessary (b/34951864) 1598neverallow system_server system_server:global_capability_class_set sys_resource; 1599 1600# Only system_server/init should access /metadata/password_slots. 1601neverallow { domain -init -system_server } password_slot_metadata_file:dir *; 1602neverallow { 1603 domain 1604 -init 1605 -system_server 1606} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr }; 1607neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *; 1608 1609# Allow systemserver to read/write the invalidation property 1610set_prop(system_server, binder_cache_system_server_prop) 1611neverallow { domain -system_server -init } 1612 binder_cache_system_server_prop:property_service set; 1613 1614# Allow system server to attach BPF programs to tracepoints. Deny read permission so that 1615# system_server cannot use this access to read perf event data like process stacks. 
1616allow system_server self:perf_event { open write cpu kernel }; 1617neverallow system_server self:perf_event ~{ open write cpu kernel }; 1618 1619# Allow writing files under /data/system/shutdown-checkpoints/ 1620allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms; 1621allow system_server shutdown_checkpoints_system_data_file:file create_file_perms; 1622 1623# Do not allow any domain other than init or system server to set the property 1624neverallow { domain -init -system_server } socket_hook_prop:property_service set; 1625 1626neverallow { domain -init -system_server } boot_status_prop:property_service set; 1627 1628neverallow { 1629 domain 1630 -init 1631 -vendor_init 1632 -dumpstate 1633 -system_server 1634} wifi_config_prop:file no_rw_file_perms; 1635 1636# Only allow system server to write uhid sysfs files 1637neverallow { 1638 domain 1639 -init 1640 -system_server 1641 -ueventd 1642 -vendor_init 1643} sysfs_uhid:file no_w_file_perms; 1644 1645# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it 1646# can be accessed by system_server only (b/143717177) 1647# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder 1648# interface 1649neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO }; 1650 1651# Only system server can write the font files. 1652neverallow { domain -init -system_server } font_data_file:file no_w_file_perms; 1653neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms; 1654 1655# Allow reading /system/etc/font_fallback.xml 1656allow system_server system_font_fallback_file:file r_file_perms; 1657 1658# Allow system server to set dynamic ART properties. 
1659set_prop(system_server, dalvik_dynamic_config_prop) 1660 1661# Allow system server to read binderfs 1662allow system_server binderfs_logs:dir r_dir_perms; 1663allow system_server binderfs_logs_stats:file r_file_perms; 1664 1665# For ANRs 1666userdebug_or_eng(` 1667 allow system_server binderfs_logs_transactions:file r_file_perms; 1668') 1669 1670# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled 1671set_prop(system_server, game_manager_config_prop) 1672 1673# Allow system server to write HintManagerService properties 1674set_prop(system_server, hint_manager_config_prop) 1675neverallow { 1676 domain 1677 -init 1678 -vendor_init 1679 -system_server 1680 userdebug_or_eng(`-shell') 1681} hint_manager_config_prop:property_service set; 1682 1683# ThreadNetworkService reads Thread Network properties 1684get_prop(system_server, threadnetwork_config_prop) 1685 1686# Do not allow any domain other than init and system server to set the property 1687neverallow { 1688 domain 1689 -init 1690 -vendor_init 1691 -dumpstate 1692 -system_server 1693} threadnetwork_config_prop:file no_rw_file_perms; 1694 1695# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar 1696# in Pre-reboot Dexopt. 1697allow system_server pre_reboot_dexopt_file:dir { getattr search }; 1698 1699# Allow system_server to reopen its own memfd. 1700# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path 1701# /proc/self/fd/<fd> with a classloader. 1702allow system_server system_server_tmpfs:file open; 1703 1704# Allow system_server to read from postinstall scripts through STDIN, to check if the 1705# otapreopt_script is still alive. 1706allow system_server postinstall:fifo_file read; 1707 1708# Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing 1709# files in chroot when we teardown chroot. 
1710allow system_server { 1711 artd 1712 derive_classpath 1713 dex2oat 1714 odrefresh 1715 profman 1716}:process sigkill; 1717 1718# Do not allow any domain other than init or system server to get or set the property 1719neverallow { domain -init -system_server } crashrecovery_prop:property_service set; 1720neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms; 1721 1722# Do not allow anything other than system_server and init to touch /metadata/tradeinmode. 1723neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms; 1724 1725neverallow { 1726 domain 1727 -init 1728 -vendor_init 1729 -system_server 1730 -shell 1731} power_debug_prop:property_service set; 1732