#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#

# Attribute membership. Every rule written elsewhere against one of these
# attributes (coredomain, bpfdomain, the *_service_server attributes, ...) also
# applies to system_server, so the effective grant set is larger than this file
# alone shows. mlstrustedsubject exempts the domain from MLS constraints.
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
typeattribute system_server bpfdomain;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

userfaultfd_use(system_server)

# Create a socket for connections from crash_dump.
# The name-based transition gives the socket its own type, so peers can be
# granted access to just this socket instead of to all of system_data_file.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";

# Map zygote's ashmem regions read-only; app regions are also writable.
# NOTE(review): write on appdomain_tmpfs lets system_server modify shared
# memory owned by app processes, not only read it - confirm every consumer
# needs more than read.
allow system_server zygote_tmpfs:file { map read };
allow system_server appdomain_tmpfs:file { getattr map read write };

# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;

# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
# ioctl allowlist: once an allowxperm rule exists for this source/target/class,
# only the commands listed are permitted; any other ioctl is denied even though
# the base ioctl permission is granted above.
allowxperm system_server incremental_control_file:file ioctl {
  INCFS_IOCTL_CREATE_FILE
  INCFS_IOCTL_CREATE_MAPPED_FILE
  INCFS_IOCTL_PERMIT_FILL
  INCFS_IOCTL_GET_READ_TIMEOUTS
  INCFS_IOCTL_SET_READ_TIMEOUTS
  INCFS_IOCTL_GET_LAST_READ_ERROR
};

# To get signature of an APK installed on Incremental File System, and fill in data
# blocks and get the filesystem state
# (the base ioctl permission on apk_data_file:file is granted in the
# "Manage /data/app" section, presumably via create_file_perms - confirm)
allowxperm system_server apk_data_file:file ioctl {
  INCFS_IOCTL_READ_SIGNATURE
  INCFS_IOCTL_FILL_BLOCKS
  INCFS_IOCTL_GET_FILLED_BLOCKS
  INCFS_IOCTL_GET_BLOCK_COUNT
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_COMPRESS_BLOCKS
  F2FS_IOC_COMPRESS_FILE
  F2FS_IOC_DECOMPRESS_FILE
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
  FS_IOC_SETFLAGS
  FS_IOC_GETFLAGS
};

# Staged APKs only need the release/query pair, not the full list above.
allowxperm system_server apk_tmp_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;

# For f2fs-compression support
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;

# For SdkSandboxManagerService
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;

# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
# dontaudit only silences the audit record; the execute access is still denied.
dontaudit system_server apex_art_data_file:file execute;

# For release odex/vdex compress blocks
allowxperm system_server dalvikcache_data_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
# (with_asan: expanded only in ASAN builds.)
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to self: this does not permit tracing any other domain.
allow system_server self:process ptrace;

# Child of the zygote.
# Inherit zygote's file descriptors across the fork and let zygote reap us.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;

# May kill zygote (or its child processes) on crashes.
# getpgid/signull support the existence/process-group checks that precede the
# kill; sigkill is the only signal granted here.
allow system_server {
  app_zygote
  crash_dump
  crosvm
  virtualizationmanager
  webview_zygote
  zygote
}:process { getpgid sigkill signull };

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)

# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;

# These are the capabilities assigned by the zygote to the
# system server.
# NOTE(review): net_admin, net_raw, sys_ptrace and sys_boot are among the most
# powerful Linux capabilities. This rule mirrors what zygote already hands the
# process, so any reduction has to start on the zygote side; the SELinux rule
# only stops the policy from denying what the process holds.
allow system_server self:global_capability_class_set {
  ipc_lock
  kill
  net_admin
  net_bind_service
  net_broadcast
  net_raw
  sys_boot
  sys_nice
  sys_ptrace
  sys_time
  sys_tty_config
};

# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;

# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
# nlmsg_read/nlmsg_write are the netlink-specific permissions on top of the
# generic socket set; create_socket_perms_no_ioctl deliberately leaves out ioctl.
allow system_server self:netlink_tcpdiag_socket
  { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

# Receive netfilter log messages.
allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;

# libvintf reads the kernel config to verify vendor interface compatibility.
# Only read/open: no getattr or map, so keep this minimal if extending.
allow system_server config_gz:file { read open };

# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
# Only the write permission is added here; the remaining netlink_route_socket
# permissions presumably come from net_domain() above - confirm.
allow system_server self:netlink_route_socket nlmsg_write;

# Use XFRM (IPsec) netlink sockets
allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
allow system_server appdomain:process { signull };

# Set scheduling info for apps.
# getsched/setsched on the media, audio, camera and boot-animation processes
# that system_server tunes for latency; each target is listed explicitly rather
# than granted on a broad attribute.
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
# Set scheduling info for VMs (b/375058190)
allow system_server { virtualizationmanager crosvm }:process { getsched setsched };

# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
allow system_server kernel:process { getsched setsched };

# Allow system_server to write to /proc/<pid>/*
# NOTE(review): `domain` is the attribute of every process domain, and
# /proc/<pid> entries carry the owning process's domain label, so this grants
# write to the /proc/<pid>/* files of every process on the device with no
# per-file narrowing. Presumably needed for oom_score_adj and similar
# per-process knobs - confirm against the framework callers before widening.
allow system_server domain:file w_file_perms;

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
r_dir_file(system_server, domain)

# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };

# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };

# Write to /proc/sysrq-trigger.
# NOTE(review): writes to sysrq-trigger invoke kernel sysrq actions (reboot,
# crash dump, ...); presumably used by the watchdog path - confirm callers.
allow system_server proc_sysrq:file rw_file_perms;

# Delete /data/misc/stats-service/ directories.
# Directory permissions are spelled out rather than using rw_dir_perms: enough
# to list and unlink entries, but no add_name/create.
allow system_server stats_config_data_file:dir { open read remove_name search write };
allow system_server stats_config_data_file:file unlink;

# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;
allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
allow system_server odsign_metrics_file:file { r_file_perms unlink };

# Read /sys/kernel/debug/wakeup_sources.
# no_debugfs_restriction: expanded only on builds where debugfs access is not
# restricted.
no_debugfs_restriction(`
  allow system_server debugfs_wakeup_sources:file r_file_perms;
')

# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;

# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file r_file_perms;

# Read /sys/kernel/mm/cma/*.
# starting_at_board_api: expanded only for board API level 202504 and later.
starting_at_board_api(202504, `
allow system_server sysfs_cma:file r_file_perms;
')

# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
allow system_server sysfs_dmabuf_stats:file r_file_perms;

# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;

# Allow reading /proc/vmstat for the oom kill count
allow system_server proc_vmstat:file r_file_perms;

# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;

# Talk to init and various daemons via sockets.
# unix_socket_connect(client, socket type, server domain): connect to the named
# socket and exchange data with the server domain over it.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, uncrypt, uncrypt)

# Allow system_server to write to statsd.
unix_socket_send(system_server, statsdw, statsd)

# Communicate over a socket created by surfaceflinger.
# Use (not create) stream sockets handed over by surfaceflinger and gpuservice:
# no connectto, so system_server cannot initiate these connections itself.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

allow system_server gpuservice:unix_stream_socket { read write setopt };

# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };

# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };

# Communicate with a virtual machine (b/396144272)
# vsock access is limited to an fd received from virtualizationmanager; no
# create/connect on vsock_socket is granted here.
allow system_server virtualizationmanager:fd use;
allow system_server virtualizationmanager:vsock_socket { getopt read write };

# Perform Binder IPC.
# binder_call(a, b) lets a call b's binder objects and receive references back.
# Each peer is named explicitly; appdomain and binderservicedomain are the two
# attribute-wide grants in this list.
binder_use(system_server)
binder_call(system_server, appdomain)
binder_call(system_server, artd)
binder_call(system_server, binderservicedomain)
binder_call(system_server, composd)
binder_call(system_server, dexopt_chroot_setup)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
binder_call(system_server, gpuservice)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, mmd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
# userdebug_or_eng: present only on userdebug/eng builds.
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
# (logd, wificond, uprobestats, wifi_mainline_supplicant are out of
# alphabetical order; harmless, but keep the list sorted when adding peers.)
binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, uprobestats)
binder_call(system_server, wifi_mainline_supplicant)
binder_service(system_server)

# Use HALs
# hal_client_domain(system_server, hal_x) grants the client side of the HAL's
# binder/hwbinder interface; whether hal_x runs out-of-process or in-process
# (passthrough) is decided by the HAL's own policy, not here.
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
# HAL client grants, continued (alphabetical).
# NOTE(review): several of these HALs sit on the device's security boundary
# (authsecret, keymint, oemlock, rebootescrow, secretkeeper, face, fingerprint,
# weaver). system_server is a legitimate client of each, so a compromised
# system_server reaches them over the HAL interface by design; keep that in
# mind when reviewing what each HAL's interface exposes.
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_bluetooth)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_keymint)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_mediaquality)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_secretkeeper)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_threadnetwork)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_hdmi_cec)
hal_client_domain(system_server, hal_tv_hdmi_connection)
hal_client_domain(system_server, hal_tv_hdmi_earc)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_uwb)
# HAL client grants, continued.
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
# The bootctl is a pass through HAL mode under recovery mode. So we skip the
# permission for recovery in order not to give system server the access to
# the low level block devices.
# (not_recovery: expanded everywhere except the recovery policy.)
not_recovery(`hal_client_domain(system_server, hal_bootctl)')

# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;

# Use RenderScript always-passthrough HAL
# NOTE(review): execute+map on same_process_hal_file means vendor-supplied
# passthrough HAL code is loaded into system_server's own address space and
# runs with system_server's permissions; defects in that code are defects in
# system_server.
allow system_server hal_renderscript_hwservice:hwservice_manager find;
allow system_server same_process_hal_file:file { execute read open getattr map };

# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)

# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;

# Send signals to trigger ANR traces.
# Only `signal` is granted to this set (no sigkill): enough to request a stack
# dump, not to terminate the process.
allow system_server {
  # This is derived from the list that system server defines as interesting native processes
  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  artd
  audioserver
  cameraserver
  drmserver
  gpuservice
  inputflinger
  keystore
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  mediatranscoding
  mediatuner
  mmd
  netd
  sdcardd
  servicemanager
  statsd
  surfaceflinger
  vold

  # This list comes from HAL_INTERFACES_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_face_server
  hal_fingerprint_server
  hal_gnss_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_light_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_vibrator_server
  hal_vr_server
  hal_wifi_hostapd_server
  hal_wifi_server
  hal_wifi_supplicant_server
  system_suspend_server
}:process { signal };

# Use sockets received over binder from audioserver and mediaserver.
# rw_socket_perms covers use of an already-open socket; creating or connecting
# one of these types is not granted here.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Same for sockets received over binder from mediadrmserver.
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(system_server)

# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
# Let system_server ask the kernel whether a given access would be permitted
# (used for the framework's own SELinux-backed checks).
selinux_check_access(system_server)

# Enumerate any sysfs directory; file access is granted per type below.
allow system_server sysfs_type:dir r_dir_perms;

r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;

r_dir_file(system_server, sysfs_extcon)

# Read and write IPv4 sysfs tunables.
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;

r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)

# Writable sysfs nodes: NFC power, power management, uhid. thermal is read-only.
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
allow system_server sysfs_uhid:dir r_dir_perms;
allow system_server sysfs_uhid:file rw_file_perms;

# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };

# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms;

# Access devices.
# Device nodes. Read/write on the character devices below (gpu, input, tty,
# usb accessory, video, rtc, uhid, hidraw) is direct hardware access from the
# framework; each is an explicit type rather than a blanket device grant.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server gpu_device:dir r_dir_perms;
allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;
allow system_server hidraw_device:dir r_dir_perms;
allow system_server hidraw_device:chr_file rw_file_perms;

# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;

# tun device used for 3rd party vpn apps and test network manager
# The ioctl allowlist restricts the tun device to the four interface
# set-up/query commands; any other ioctl on tun_device is denied.
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };

# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
allow system_server ota_package_file:file create_file_perms;

# Manage system data files.
# Full create/delete rights over system_data_file and the per-feature types
# split out of it (packages.list, game-mode list, keychain).
# notdevfile_class_set covers every non-device file class in one rule.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;

# Read the user parent directories like /data/user. Don't allow write access,
# as vold is responsible for creating and deleting the subdirectories.
allow system_server system_userdir_file:dir r_dir_perms;

# Manage /data/app.
# `link` is needed in addition to create_file_perms for hard-linking APKs.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-metadata
allow system_server apk_metadata_file:dir create_dir_perms;
allow system_server apk_metadata_file:file create_file_perms;

# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
get_prop(system_server, input_device_config_prop)

# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
# The fifo grants are append-only: system_server can add to the pipe it was
# handed but cannot read back what dumpstate/incidentd collect.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
# userdebug_or_eng: this rule exists only on userdebug/eng builds; user builds
# grant system_server nothing on su.
userdebug_or_eng(`
  allow system_server su:fifo_file append;
')

# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;

# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
# No `open` here: system_server can only use an fd someone else opened.
allow system_server incident_data_file:file read;

# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;

# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
# read/getattr only, no open: trace files reach system_server as fds from
# perfetto, which is why `perfetto:fd use` accompanies this rule.
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;

# Allow system_server to exec the perfetto cmdline client and pass it a trace config
# domain_auto_trans: executing perfetto_exec moves the child into the perfetto
# domain, so the trace client does not run with system_server's permissions.
domain_auto_trans(system_server, perfetto_exec, perfetto);
allow system_server perfetto:fifo_file { read write };

# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
allow system_server perfetto_traces_data_file:dir search;

# Allow system server to exec the trace redactor cmdline client and kill the process for
# ProfilingService.
# Same transition pattern as perfetto above; only `signal` is granted, not sigkill.
domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
allow system_server trace_redactor:process signal;

# Allow system server to kill perfetto processes for ProfilingService.
allow system_server perfetto:process signal;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;

# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;

# Manage /data/misc/adb.
# NOTE(review): adb_keys_file is presumably the adb authorized-keys store, in
# which case write access here decides which hosts adbd trusts; treat changes
# to this grant as security-sensitive and confirm the framework callers.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;

# Manage /data/misc/connectivityblobdb.
# Specifically, for vpn and wifi to create, read and write to an sqlite database.
allow system_server connectivityblob_data_file:dir create_dir_perms;
allow system_server connectivityblob_data_file:file create_file_perms;

# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;

# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;

# Manage /data/tombstones.
allow system_server tombstone_data_file:dir rw_dir_perms;
allow system_server tombstone_data_file:file create_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/app-staging.
# (The file rule here is subsumed by the /data/rollback rule below, which
# grants create_file_perms plus link on the same type; kept for readability.)
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;

# Manage /data/rollback.
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };

# Walk /data/data subdirectories.
# Traverse and list app data directories only: no write, create or relabel on
# app_data_file_type:dir is granted to system_server here.
allow system_server app_data_file_type:dir { getattr read search };

# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# Legacy, read-only: covers objects that carry no label yet.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Deliberately no `open` or `create`: system_server can read/write/map an fd an
# app handed it, but cannot open app-private files on its own.
allow system_server app_data_file_type:file { getattr read write append map };

# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };

# Access to check if the mainline supplicant binary exists
allow system_server wifi_mainline_supplicant_exec:file getattr;

# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
# As above, no `open`: only fds received over binder.
allow system_server media_rw_data_file:file { getattr read write append };

# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
allow system_server system_server:process setfscreate;

# Relabel apk files.
# relabelfrom/relabelto are granted on both the tmp and final types so an
# installed APK can move between them in either direction.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
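# relabelfrom on the generic type plus relabelto on the specific type is the
# pattern used throughout this section: a file created as system_data_file is
# re-typed to its feature-specific label, never the other way round.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };

# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;

# Relabel directories away from system_data_file. Needed by:
#  - ShortcutManager icons (relabelto shortcut_manager_icons below), and
#  - FingerprintService.java, which does a restorecon of the directory
#    /data/system/users/[0-9]+/fpdata(/.*)?
# This single rule replaces two identical copies that used to sit next to each
# consumer; SELinux merges duplicate allow rules, so nothing is gained or lost.
allow system_server system_data_file:dir relabelfrom;

# ShortcutManager icons
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;

# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;

# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };

# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.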
754allow system_server server_configurable_flags_data_file:dir r_dir_perms; 755allow system_server server_configurable_flags_data_file:file r_file_perms; 756 757# Property Service write 758set_prop(system_server, system_prop) 759set_prop(system_server, bootanim_system_prop) 760set_prop(system_server, bluetooth_prop) 761set_prop(system_server, exported_system_prop) 762set_prop(system_server, exported3_system_prop) 763set_prop(system_server, safemode_prop) 764set_prop(system_server, theme_prop) 765set_prop(system_server, dhcp_prop) 766set_prop(system_server, net_connectivity_prop) 767set_prop(system_server, net_radio_prop) 768set_prop(system_server, net_dns_prop) 769set_prop(system_server, usb_control_prop) 770set_prop(system_server, usb_prop) 771set_prop(system_server, debug_prop) 772set_prop(system_server, powerctl_prop) 773set_prop(system_server, fingerprint_prop) 774set_prop(system_server, device_logging_prop) 775set_prop(system_server, dumpstate_options_prop) 776set_prop(system_server, overlay_prop) 777set_prop(system_server, exported_overlay_prop) 778set_prop(system_server, pm_prop) 779set_prop(system_server, exported_pm_prop) 780set_prop(system_server, socket_hook_prop) 781set_prop(system_server, audio_prop) 782set_prop(system_server, boot_status_prop) 783set_prop(system_server, surfaceflinger_color_prop) 784set_prop(system_server, provisioned_prop) 785set_prop(system_server, retaildemo_prop) 786set_prop(system_server, dmesgd_start_prop) 787set_prop(system_server, locale_prop) 788set_prop(system_server, timezone_metadata_prop) 789set_prop(system_server, timezone_prop) 790set_prop(system_server, crashrecovery_prop) 791userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 792userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)') 793 794# ctl interface 795set_prop(system_server, ctl_default_prop) 796set_prop(system_server, ctl_bugreport_prop) 797set_prop(system_server, ctl_gsid_prop) 798set_prop(system_server, ctl_artd_pre_reboot_prop) 
799 800# cppreopt property 801set_prop(system_server, cppreopt_prop) 802 803# server configurable flags properties 804set_prop(system_server, device_config_core_experiments_team_internal_prop) 805set_prop(system_server, device_config_edgetpu_native_prop) 806set_prop(system_server, device_config_input_native_boot_prop) 807set_prop(system_server, device_config_netd_native_prop) 808set_prop(system_server, device_config_nnapi_native_prop) 809set_prop(system_server, device_config_activity_manager_native_boot_prop) 810set_prop(system_server, device_config_runtime_native_boot_prop) 811set_prop(system_server, device_config_runtime_native_prop) 812set_prop(system_server, device_config_lmkd_native_prop) 813set_prop(system_server, device_config_media_native_prop) 814set_prop(system_server, device_config_camera_native_prop) 815set_prop(system_server, device_config_mglru_native_prop) 816set_prop(system_server, device_config_profcollect_native_boot_prop) 817set_prop(system_server, device_config_statsd_native_prop) 818set_prop(system_server, device_config_statsd_native_boot_prop) 819set_prop(system_server, device_config_storage_native_boot_prop) 820set_prop(system_server, device_config_swcodec_native_prop) 821set_prop(system_server, device_config_sys_traced_prop) 822set_prop(system_server, device_config_window_manager_native_boot_prop) 823set_prop(system_server, device_config_configuration_prop) 824set_prop(system_server, device_config_connectivity_prop) 825set_prop(system_server, device_config_surface_flinger_native_boot_prop) 826set_prop(system_server, device_config_aconfig_flags_prop) 827set_prop(system_server, device_config_vendor_system_native_prop) 828set_prop(system_server, device_config_vendor_system_native_boot_prop) 829set_prop(system_server, device_config_virtualization_framework_native_prop) 830set_prop(system_server, device_config_memory_safety_native_boot_prop) 831set_prop(system_server, device_config_memory_safety_native_prop) 832set_prop(system_server, 
device_config_remote_key_provisioning_native_prop) 833set_prop(system_server, device_config_tethering_u_or_later_native_prop) 834set_prop(system_server, device_config_mmd_native_prop) 835set_prop(system_server, smart_idle_maint_enabled_prop) 836set_prop(system_server, arm64_memtag_prop) 837 838# staged flag properties 839set_prop(system_server, next_boot_prop) 840 841# Allow system server to read pm.16kb.app_compat.disabled 842get_prop(system_server, pm_16kb_app_compat_prop) 843 844# Allow querying ART device config properties 845get_prop(system_server, device_config_runtime_native_boot_prop) 846get_prop(system_server, device_config_runtime_native_prop) 847 848# BootReceiver to read ro.boot.bootreason 849get_prop(system_server, bootloader_boot_reason_prop) 850# PowerManager to read sys.boot.reason 851get_prop(system_server, system_boot_reason_prop) 852 853# Collect metrics on boot time created by init 854get_prop(system_server, boottime_prop) 855 856# Read device's serial number from system properties 857get_prop(system_server, serialno_prop) 858 859# Read whether uvc gadget is enabled 860get_prop(system_server, usb_uvc_enabled_prop) 861 862# Read/write the property which keeps track of whether this is the first start of system_server 863set_prop(system_server, firstboot_prop) 864 865# Audio service in system server can read audio config properties, 866# such as camera shutter enforcement 867get_prop(system_server, audio_config_prop) 868 869# StorageManager service reads media config while checking if transcoding is supported. 870get_prop(system_server, media_config_prop) 871 872# system server reads this property to keep track of whether server configurable flags have been 873# reset during the current boot. 874get_prop(system_server, device_config_reset_performed_prop) 875 876# Read/write the property that enables Test Harness Mode 877set_prop(system_server, test_harness_prop) 878 879# Read gsid.image_running.
880get_prop(system_server, gsid_prop) 881 882# Read the property that mocks an OTA 883get_prop(system_server, mock_ota_prop) 884 885# Read wifi.interface 886get_prop(system_server, wifi_prop) 887 888# Read the vendor property that indicates if Incremental features are enabled 889get_prop(system_server, incremental_prop) 890 891# Read ro.zram. properties 892get_prop(system_server, zram_config_prop) 893 894# Read/write persist.sys.zram_enabled 895set_prop(system_server, zram_control_prop) 896 897# Read/write persist.sys.dalvik.vm.lib.2 898set_prop(system_server, dalvik_runtime_prop) 899 900# Read ro.control_privapp_permissions and ro.cp_system_other_odex 901get_prop(system_server, packagemanager_config_prop) 902 903# Read the net.464xlat.cellular.enabled property (written by init). 904get_prop(system_server, net_464xlat_fromvendor_prop) 905 906# Read hypervisor capabilities ro.boot.hypervisor.* 907get_prop(system_server, hypervisor_prop) 908 909# Read/write persist.wm.debug. properties 910get_prop(system_server, persist_wm_debug_prop) 911set_prop(system_server, persist_wm_debug_prop) 912 913# Read persist.sysui.notification.builder_extras_override property 914get_prop(system_server, persist_sysui_builder_extras_prop) 915# Read persist.sysui.notification.ranking_update_ashmem property 916get_prop(system_server, persist_sysui_ranking_update_prop) 917 918# Read ro.tuner.lazyhal 919get_prop(system_server, tuner_config_prop) 920# Write tuner.server.enable 921set_prop(system_server, tuner_server_ctl_prop) 922 923# Allow the heap dump ART plugin to read the count of sessions waiting for OOME 924get_prop(system_server, traced_oome_heap_session_count_prop) 925 926# Allow the sensor service (running in system server) to read sensor 927# configuration properties 928get_prop(system_server, sensors_config_prop) 929 930# Allow system server to determine if system services are enabled 931get_prop(system_server, system_service_enable_prop) 932 933# Allow system server to read shared mmd
properties 934get_prop(system_server, mmd_shared_prop) 935 936# Create a socket for connections from debuggerd. 937allow system_server system_ndebug_socket:sock_file create_file_perms; 938 939# Create a socket for connections from zygotes. 940allow system_server system_unsolzygote_socket:sock_file create_file_perms; 941 942# Manage cache files. 943allow system_server cache_file:lnk_file r_file_perms; 944allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; 945allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; 946allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; 947 948allow system_server system_file:dir r_dir_perms; 949allow system_server system_file:lnk_file r_file_perms; 950 951# ART locks profile files. 952allow system_server system_file:file lock; 953 954# LocationManager(e.g, GPS) needs to read and write 955# to uart driver and ctrl proc entry 956allow system_server gps_control:file rw_file_perms; 957 958# Allow system_server to use app-created sockets and pipes. 959allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 960allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; 961 962# BackupManagerService needs to manipulate backup data files 963allow system_server cache_backup_file:dir rw_dir_perms; 964allow system_server cache_backup_file:file create_file_perms; 965# LocalTransport works inside /cache/backup 966allow system_server cache_private_backup_file:dir create_dir_perms; 967allow system_server cache_private_backup_file:file create_file_perms; 968 969# Allow system to talk to usb device 970allow system_server usb_device:chr_file rw_file_perms; 971allow system_server usb_device:dir r_dir_perms; 972 973# Read and delete files under /dev/fscklogs. 
974r_dir_file(system_server, fscklogs) 975allow system_server fscklogs:dir { write remove_name add_name }; 976allow system_server fscklogs:file rename; 977 978# logd access: system_server inherits the logd write socket from zygote 979# (the intent is to deprecate this long term) 980allow system_server zygote:unix_dgram_socket write; 981 982# Read from log daemon. 983read_logd(system_server) 984read_runtime_log_tags(system_server) 985 986# Be consistent with DAC permissions. Allow system_server to write to 987# /sys/module/lowmemorykiller/parameters/adj 988# /sys/module/lowmemorykiller/parameters/minfree 989allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 990 991# Read /sys/fs/pstore/console-ramoops 992# Don't worry about overly broad permissions for now, as there's 993# only one file in /sys/fs/pstore 994allow system_server pstorefs:dir r_dir_perms; 995allow system_server pstorefs:file r_file_perms; 996 997# /sys access 998allow system_server sysfs_zram:dir search; 999allow system_server sysfs_zram:file rw_file_perms; 1000 1001# Read /sys/fs/selinux/policy 1002allow system_server kernel:security read_policy; 1003 1004add_service(system_server, system_server_service); 1005allow system_server artd_service:service_manager find; 1006allow system_server artd_pre_reboot_service:service_manager find; 1007allow system_server audioserver_service:service_manager find; 1008allow system_server authorization_service:service_manager find; 1009allow system_server batteryproperties_service:service_manager find; 1010allow system_server cameraserver_service:service_manager find; 1011allow system_server compos_service:service_manager find; 1012allow system_server dataloader_manager_service:service_manager find; 1013allow system_server dexopt_chroot_setup_service:service_manager find; 1014allow system_server dnsresolver_service:service_manager find; 1015allow system_server drmserver_service:service_manager find; 1016allow system_server dumpstate_service:service_manager find;
1017allow system_server fingerprintd_service:service_manager find; 1018allow system_server gatekeeper_service:service_manager find; 1019allow system_server gpu_service:service_manager find; 1020allow system_server gsi_service:service_manager find; 1021allow system_server idmap_service:service_manager find; 1022allow system_server incident_service:service_manager find; 1023allow system_server incremental_service:service_manager find; 1024allow system_server installd_service:service_manager find; 1025allow system_server keystore_maintenance_service:service_manager find; 1026allow system_server keystore_metrics_service:service_manager find; 1027allow system_server keystore_service:service_manager find; 1028allow system_server mdns_service:service_manager find; 1029allow system_server mediaserver_service:service_manager find; 1030allow system_server mediametrics_service:service_manager find; 1031allow system_server mediaextractor_service:service_manager find; 1032allow system_server mediadrmserver_service:service_manager find; 1033allow system_server mediatuner_service:service_manager find; 1034allow system_server mmd_service:service_manager find; 1035allow system_server netd_service:service_manager find; 1036allow system_server nfc_service:service_manager find; 1037allow system_server ot_daemon_service:service_manager find; 1038allow system_server radio_service:service_manager find; 1039allow system_server stats_service:service_manager find; 1040allow system_server storaged_service:service_manager find; 1041allow system_server surfaceflinger_service:service_manager find; 1042allow system_server update_engine_service:service_manager find; 1043allow system_server virtual_camera_service:service_manager find; 1044is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, ` 1045 allow system_server virtualization_maintenance_service:service_manager find; 1046') 1047allow system_server vold_service:service_manager find; 1048allow system_server wifinl80211_service:service_manager 
find; 1049allow system_server logd_service:service_manager find; 1050userdebug_or_eng(` 1051 allow system_server profcollectd_service:service_manager find; 1052') 1053allow system_server wifi_mainline_supplicant_service:service_manager find; 1054 1055add_service(system_server, batteryproperties_service) 1056 1057allow system_server keystore:keystore2 { 1058 add_auth 1059 change_password 1060 change_user 1061 clear_ns 1062 clear_uid 1063 delete_all_keys 1064 get_last_auth_time 1065 lock 1066 pull_metrics 1067 reset 1068 unlock 1069}; 1070 1071allow system_server keystore:keystore2_key { 1072 delete 1073 use_dev_id 1074 grant 1075 get_info 1076 rebind 1077 update 1078 use 1079}; 1080 1081# Allow Wifi module to manage Wi-Fi keys. 1082allow system_server wifi_key:keystore2_key { 1083 delete 1084 get_info 1085 rebind 1086 update 1087 use 1088}; 1089 1090# Allow lock_settings service to manage RoR keys. 1091allow system_server resume_on_reboot_key:keystore2_key { 1092 delete 1093 get_info 1094 rebind 1095 update 1096 use 1097}; 1098 1099# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key). 1100allow system_server locksettings_key:keystore2_key { 1101 delete 1102 get_info 1103 rebind 1104 update 1105 use 1106}; 1107 1108 1109# Allow system server to search and write to the persistent factory reset 1110# protection partition. This block device does not get wiped in a factory reset. 
1111allow system_server block_device:dir search; 1112allow system_server frp_block_device:blk_file rw_file_perms; 1113allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD }; 1114 1115# Create new process groups and clean up old cgroups 1116allow system_server cgroup:dir create_dir_perms; 1117allow system_server cgroup:file setattr; 1118allow system_server cgroup_v2:dir create_dir_perms; 1119allow system_server cgroup_v2:file { r_file_perms setattr }; 1120 1121# /oem access 1122r_dir_file(system_server, oemfs) 1123 1124# Allow resolving per-user storage symlinks 1125allow system_server { mnt_user_file storage_file }:dir { getattr search }; 1126allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 1127 1128# Allow statfs() on storage devices, which happens fast enough that 1129# we shouldn't be killed during unsafe removal 1130allow system_server { sdcard_type fuse }:dir { getattr search }; 1131 1132# Traverse into expanded storage 1133allow system_server mnt_expand_file:dir r_dir_perms; 1134 1135# Allow system process to relabel the fingerprint directory after mkdir 1136# and delete the directory and files when no longer needed 1137allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; 1138allow system_server fingerprintd_data_file:file { getattr unlink }; 1139 1140userdebug_or_eng(` 1141 # Allow system server to create and write method traces in /data/misc/trace. 1142 allow system_server method_trace_data_file:dir w_dir_perms; 1143 allow system_server method_trace_data_file:file { create w_file_perms }; 1144 1145 # Allow system server to read dmesg 1146 allow system_server kernel:system syslog_read; 1147 1148 # Allow writing and removing window traces in /data/misc/wmtrace. 
1149 allow system_server wm_trace_data_file:dir rw_dir_perms; 1150 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms }; 1151 1152 # Allow writing and removing accessibility traces in /data/misc/a11ytrace. 1153 allow system_server accessibility_trace_data_file:dir rw_dir_perms; 1154 allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms }; 1155') 1156 1157# For AppFuse. 1158allow system_server vold:fd use; 1159allow system_server fuse_device:chr_file { read write ioctl getattr }; 1160allow system_server app_fuse_file:file { read write getattr }; 1161 1162# For configuring sdcardfs 1163allow system_server configfs:dir { create_dir_perms }; 1164allow system_server configfs:file { getattr open create unlink write }; 1165 1166# Connect to adbd and use a socket transferred from it. 1167# Used for e.g. jdwp. 1168allow system_server adbd_common:unix_stream_socket connectto; 1169allow system_server adbd_common:fd use; 1170allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown }; 1171 1172# Read service.adb.tls.port, persist.adb.wifi. properties 1173get_prop(system_server, adbd_prop) 1174 1175# Set persist.adb.tls_server.enable property 1176set_prop(system_server, system_adbd_prop) 1177 1178# Set service.adbd.tradeinmode from ITradeInService. 
1179set_prop(system_server, adbd_tradeinmode_prop) 1180 1181# Allow invoking tools like "timeout" 1182allow system_server toolbox_exec:file rx_file_perms; 1183 1184# Allow invoking pbtombstone 1185allow system_server pbtombstone_exec:file rx_file_perms; 1186 1187# Allow system process to setup fs-verity 1188allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY; 1189 1190# Allow system process to measure fs-verity for apps, including those being installed 1191allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY; 1192allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS; 1193 1194# Postinstall 1195# 1196# For OTA dexopt, allow calls coming from postinstall. 1197binder_call(system_server, postinstall) 1198 1199allow system_server postinstall:fifo_file write; 1200allow system_server update_engine:fd use; 1201allow system_server update_engine:fifo_file write; 1202 1203# Access to /data/preloads 1204allow system_server preloads_data_file:file { r_file_perms unlink }; 1205allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir }; 1206allow system_server preloads_media_file:file { r_file_perms unlink }; 1207allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir }; 1208 1209r_dir_file(system_server, cgroup) 1210r_dir_file(system_server, cgroup_v2) 1211allow system_server ion_device:chr_file r_file_perms; 1212 1213# Access to /dev/dma_heap/system 1214allow system_server dmabuf_system_heap_device:chr_file r_file_perms; 1215# Access to /dev/dma_heap/system-secure 1216allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms; 1217 1218r_dir_file(system_server, proc_asound) 1219r_dir_file(system_server, proc_net_type) 1220r_dir_file(system_server, proc_qtaguid_stat) 1221allow system_server { 1222 proc_cmdline 1223 proc_loadavg 1224 proc_locks 1225 proc_meminfo 1226 proc_pagetypeinfo 
1227 proc_pipe_conf 1228 proc_stat 1229 proc_uid_cputime_showstat 1230 proc_uid_io_stats 1231 proc_uid_time_in_state 1232 proc_uid_concurrent_active_time 1233 proc_uid_concurrent_policy_time 1234 proc_version 1235 proc_vmallocinfo 1236}:file r_file_perms; 1237 1238allow system_server proc_uid_time_in_state:dir r_dir_perms; 1239allow system_server proc_uid_cpupower:file r_file_perms; 1240 1241r_dir_file(system_server, rootfs) 1242 1243# Allow WifiService to start, stop, and read wifi-specific trace events. 1244allow system_server debugfs_tracing_instances:dir search; 1245allow system_server debugfs_wifi_tracing:dir search; 1246allow system_server debugfs_wifi_tracing:file rw_file_perms; 1247 1248# Allow BootReceiver to watch trace error_report events. 1249allow system_server debugfs_bootreceiver_tracing:dir search; 1250allow system_server debugfs_bootreceiver_tracing:file r_file_perms; 1251 1252# Allow system_server to read tracepoint ids in order to attach BPF programs to them. 1253allow system_server debugfs_tracing:file r_file_perms; 1254 1255# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run 1256# asanwrapper. 
1257with_asan(` 1258 allow system_server shell_exec:file rx_file_perms; 1259 allow system_server asanwrapper_exec:file rx_file_perms; 1260 allow system_server zygote_exec:file rx_file_perms; 1261') 1262 1263# allow system_server to read the eBPF maps that store the traffic stats information and update 1264# the map after a snapshot is recorded, and to read, update and run the maps and programs used for 1265# time in state accounting 1266allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search; 1267allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write }; 1268allow system_server bpfloader:bpf prog_run; 1269allow system_server self:bpf map_create; 1270allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write }; 1271# in order to invoke the side effect of close() on such a socket, which calls synchronize_rcu() 1272allow system_server self:key_socket create; 1273# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100 1274# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ... 1275dontaudit system_server self:key_socket getopt; 1276 1277# Needed to interact with memevents-eBPF and receive notifications for memory events 1278allow system_server fs_bpf_memevents:dir search; 1279allow system_server fs_bpf_memevents:file { read write }; 1280 1281# Allow system_server to start clatd in its own domain and kill it. 1282domain_auto_trans(system_server, clatd_exec, clatd) 1283allow system_server clatd:process { sigkill signal }; 1284 1285# ART Profiles. 1286# Allow system_server to open profile snapshots for read. 1287# System server never reads the actual content. It passes the descriptor 1288# to privileged apps which acquire the permissions to inspect the profiles.
1289allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search }; 1290allow system_server user_profile_data_file:file { getattr open read }; 1291 1292# System server may dump profile data for debuggable apps in /data/misc/profman. 1293# As such it needs to be able to create files but it should never read from them. 1294# It also needs to stat the directory to check if it has the right permissions. 1295allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms}; 1296allow system_server profman_dump_data_file:dir rw_dir_perms; 1297 1298# On userdebug builds we may profile system server. Allow it to write and create its own profile. 1299userdebug_or_eng(` 1300 allow system_server user_profile_data_file:dir rw_dir_perms; 1301 allow system_server user_profile_data_file:file create_file_perms; 1302') 1303# Allow system server to load JVMTI agents under control of a property. 1304get_prop(system_server,system_jvmti_agent_prop) 1305 1306# UsbDeviceManager uses /dev/usb-ffs 1307allow system_server functionfs:dir search; 1308allow system_server functionfs:file rw_file_perms; 1309# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks. 1310starting_at_board_api(202504, ` 1311allow system_server sysfs_type:dir search; 1312r_dir_file(system_server, sysfs_udc) 1313') 1314 1315# system_server contains time / time zone detection logic so reads the associated properties. 1316get_prop(system_server, time_prop) 1317 1318# system_server reads this property to know whether it should expect lmkd to send it notifications 1319# on low memory kills. 1320get_prop(system_server, system_lmk_prop) 1321 1322get_prop(system_server, wifi_config_prop) 1323 1324# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO 1325allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO }; 1326 1327# Watchdog prints debugging log to /dev/kmsg_debug.
1328userdebug_or_eng(` 1329 allow system_server kmsg_debug_device:chr_file { open append getattr }; 1330') 1331# Watchdog reads sysprops framework_watchdog.fatal_* to handle the watchdog timeout loop. 1332get_prop(system_server, framework_watchdog_config_prop) 1333 1334 1335# Font files are written by system server 1336allow system_server font_data_file:file create_file_perms; 1337allow system_server font_data_file:dir create_dir_perms; 1338# Allow system process to set up and measure fs-verity for font files 1339allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY }; 1340 1341# Read qemu.hw.mainkeys property 1342get_prop(system_server, qemu_hw_prop) 1343 1344# Allow system server to read profcollectd reports for upload. 1345userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)') 1346 1347# Power controls for debugging/diagnostics 1348get_prop(system_server, power_debug_prop) 1349set_prop(system_server, power_debug_prop) 1350 1351### 1352### Neverallow rules 1353### 1354### system_server should NEVER do any of this 1355 1356# Do not allow opening files from external storage as unsafe ejection 1357# could cause the kernel to kill the system_server. 1358neverallow system_server { sdcard_type fuse }:dir { open read write }; 1359neverallow system_server { sdcard_type fuse }:file rw_file_perms; 1360 1361# system server should never be operating on zygote-spawned app data 1362# files directly. Rather, they should always be passed via a 1363# file descriptor. 1364# Exclude those types that system_server needs to open directly. 1365neverallow system_server { 1366 app_data_file_type 1367 -system_app_data_file 1368 -radio_data_file 1369}:file { open create unlink link }; 1370 1371# Forking and execing is inherently dangerous and racy.
See, for 1372# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them 1373# Prevent the addition of new file execs to stop the problem from 1374# getting worse. b/28035297 1375neverallow system_server { 1376 file_type 1377 -toolbox_exec 1378 -logcat_exec 1379 -pbtombstone_exec 1380 with_asan(`-shell_exec -asanwrapper_exec -zygote_exec') 1381}:file execute_no_trans; 1382 1383# Ensure that system_server doesn't perform any domain transitions other than 1384# transitioning to the crash_dump domain when a crash occurs or fork clatd. 1385# add perfetto and trace_redactor which are exec'd from system server for ProfilingService. 1386neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition; 1387neverallow system_server *:process dyntransition; 1388 1389# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir. 1390neverallow system_server perfetto_traces_data_file:dir ~search; 1391 1392# Only allow crash_dump to connect to system_ndebug_socket. 1393neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; 1394 1395# Only allow zygotes to connect to system_unsolzygote_socket. 
1396neverallow { 1397 domain 1398 -init 1399 -system_server 1400 -zygote 1401 -app_zygote 1402 -webview_zygote 1403} system_unsolzygote_socket:sock_file { open write }; 1404 1405# Only allow init, system_server, flags_health_check to set properties for server configurable flags 1406neverallow { 1407 domain 1408 -init 1409 -system_server 1410 -flags_health_check 1411} { 1412 device_config_core_experiments_team_internal_prop 1413 device_config_activity_manager_native_boot_prop 1414 device_config_connectivity_prop 1415 device_config_input_native_boot_prop 1416 device_config_lmkd_native_prop 1417 device_config_netd_native_prop 1418 device_config_nnapi_native_prop 1419 device_config_edgetpu_native_prop 1420 device_config_runtime_native_boot_prop 1421 device_config_runtime_native_prop 1422 device_config_media_native_prop 1423 device_config_mglru_native_prop 1424 device_config_remote_key_provisioning_native_prop 1425 device_config_storage_native_boot_prop 1426 device_config_surface_flinger_native_boot_prop 1427 device_config_sys_traced_prop 1428 device_config_swcodec_native_prop 1429 device_config_aconfig_flags_prop 1430 device_config_window_manager_native_boot_prop 1431 device_config_tethering_u_or_later_native_prop 1432 device_config_mmd_native_prop 1433 next_boot_prop 1434}:property_service set; 1435 1436# Only allow system_server and init to set tuner_server_ctl_prop 1437neverallow { 1438 domain 1439 -system_server 1440 -init 1441} tuner_server_ctl_prop:property_service set; 1442 1443# system_server should never be executing dex2oat. This is either 1444# a bug (for example, bug 16317188), or represents an attempt by 1445# system server to dynamically load a dex file, something we do not 1446# want to allow. 1447neverallow system_server dex2oat_exec:file no_x_file_perms; 1448 1449# system_server should never execute or load executable shared libraries 1450# in /data. Executable files in /data are a persistence vector. 
1451# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. 1452neverallow system_server data_file_type:file no_x_file_perms; 1453 1454# The only block device system_server should be writing to is 1455# the frp_block_device. This helps avoid a system_server-to-root 1456# escalation by writing to raw block devices. 1457# The system_server may need to read from vd_device if it uses 1458# block apexes. 1459neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms; 1460neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms; 1461 1462# system_server should never use JIT functionality 1463# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html 1464# in the section titled "A Short ROP Chain" for why. 1465# However, in emulator builds without OpenGL passthrough, we use software 1466# rendering via SwiftShader, which requires JIT support. These builds are 1467# never shipped to users.
1468ifelse(target_requires_insecure_execmem_for_swiftshader, `true', 1469 `allow system_server self:process execmem;', 1470 on_physical_device(`neverallow system_server self:process execmem;')) 1471neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute; 1472 1473# TODO: deal with tmpfs_domain pub/priv split properly 1474neverallow system_server system_server_tmpfs:file execute; 1475 1476# Resources handed off by system_server_startup 1477allow system_server system_server_startup:fd use; 1478allow system_server system_server_startup_tmpfs:file { read write map }; 1479allow system_server system_server_startup:unix_dgram_socket write; 1480 1481# Allow system server to communicate to apexd 1482allow system_server apex_service:service_manager find; 1483allow system_server apexd:binder call; 1484 1485# Allow system server to scan /apex for flattened APEXes 1486allow system_server apex_mnt_dir:dir r_dir_perms; 1487 1488# Allow system server to read /apex/apex-info-list.xml 1489allow system_server apex_info_file:file r_file_perms; 1490 1491# Allow system_server to communicate with tradeinmode. 1492binder_call(system_server, tradeinmode) 1493 1494# Allow system server to communicate to system-suspend's control interface 1495allow system_server system_suspend_control_internal_service:service_manager find; 1496allow system_server system_suspend_control_service:service_manager find; 1497binder_call(system_server, system_suspend) 1498binder_call(system_suspend, system_server) 1499 1500# Allow system server to communicate to system-suspend's wakelock interface 1501wakelock_use(system_server) 1502 1503# Allow the system server to read files under /data/apex. The system_server 1504# needs these privileges to compare file signatures while processing installs. 1505# 1506# Only apexd is allowed to create new entries or write to any file under /data/apex. 
1507allow system_server apex_data_file:dir { getattr search }; 1508allow system_server apex_data_file:file r_file_perms; 1509 1510# Allow the system server to read files under /vendor/apex. This is where 1511# vendor APEX packages might be installed and system_server needs to parse 1512# these packages to inspect the signatures and other metadata. 1513allow system_server vendor_apex_file:dir { getattr search }; 1514allow system_server vendor_apex_file:file r_file_perms; 1515 1516# Allow the system server to manage relevant apex module data files. 1517allow system_server apex_module_data_file:dir { getattr search }; 1518# These are modules where the code runs in system_server, so we need full access. 1519allow system_server apex_system_server_data_file:dir create_dir_perms; 1520allow system_server apex_system_server_data_file:file create_file_perms; 1521allow system_server apex_tethering_data_file:dir create_dir_perms; 1522allow system_server apex_tethering_data_file:file create_file_perms; 1523allow system_server apex_uwb_data_file:dir create_dir_perms; 1524allow system_server apex_uwb_data_file:file create_file_perms; 1525# Legacy labels that we still need to support (b/217581286) 1526allow system_server { 1527 apex_appsearch_data_file 1528 apex_permission_data_file 1529 apex_scheduling_data_file 1530 apex_wifi_data_file 1531}:dir create_dir_perms; 1532allow system_server { 1533 apex_appsearch_data_file 1534 apex_permission_data_file 1535 apex_scheduling_data_file 1536 apex_wifi_data_file 1537}:file create_file_perms; 1538 1539# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can 1540# communicate which slots are available for use. 1541allow system_server metadata_file:dir search; 1542allow system_server password_slot_metadata_file:dir rw_dir_perms; 1543allow system_server password_slot_metadata_file:file create_file_perms; 1544 1545# Allow TradeInMode service rw access to /metadata/tradeinmode. 
1546allow system_server tradeinmode_metadata_file:dir rw_dir_perms; 1547allow system_server tradeinmode_metadata_file:file create_file_perms; 1548 1549allow system_server userspace_reboot_metadata_file:dir create_dir_perms; 1550allow system_server userspace_reboot_metadata_file:file create_file_perms; 1551 1552# Allow system server rw access to files in /metadata/staged-install folder 1553allow system_server staged_install_file:dir rw_dir_perms; 1554allow system_server staged_install_file:file create_file_perms; 1555 1556allow system_server watchdog_metadata_file:dir rw_dir_perms; 1557allow system_server watchdog_metadata_file:file create_file_perms; 1558 1559# allow system_server write to aconfigd socket 1560unix_socket_connect(system_server, aconfigd, aconfigd); 1561 1562# allow system_server write to aconfigd_mainline socket 1563unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline); 1564 1565allow system_server repair_mode_metadata_file:dir rw_dir_perms; 1566allow system_server repair_mode_metadata_file:file create_file_perms; 1567 1568allow system_server gsi_persistent_data_file:dir rw_dir_perms; 1569allow system_server gsi_persistent_data_file:file create_file_perms; 1570 1571# Allow system server read and remove files under /data/misc/odrefresh 1572allow system_server odrefresh_data_file:dir rw_dir_perms; 1573allow system_server odrefresh_data_file:file { r_file_perms unlink }; 1574 1575# Allow system server r access to /system/bin/surfaceflinger for PinnerService. 1576allow system_server surfaceflinger_exec:file r_file_perms; 1577 1578# Allow init to set sysprop used to compute stats about userspace reboot. 1579set_prop(system_server, userspace_reboot_log_prop) 1580 1581# JVMTI agent settings are only readable from the system server. 
1582neverallow { 1583 domain 1584 -system_server 1585 -dumpstate 1586 -init 1587 -vendor_init 1588} { 1589 system_jvmti_agent_prop 1590}:file no_rw_file_perms; 1591 1592# Read/Write /proc/pressure/memory 1593allow system_server proc_pressure_mem:file rw_file_perms; 1594# Read /proc/pressure/cpu and /proc/pressure/io 1595allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms; 1596 1597# No ptracing others 1598neverallow system_server { domain -system_server }:process ptrace; 1599 1600# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID 1601# file read access. However, that is now unnecessary (b/34951864) 1602neverallow system_server system_server:global_capability_class_set sys_resource; 1603 1604# Only system_server/init should access /metadata/password_slots. 1605neverallow { domain -init -system_server } password_slot_metadata_file:dir *; 1606neverallow { 1607 domain 1608 -init 1609 -system_server 1610} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr }; 1611neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *; 1612 1613# Allow systemserver to read/write the invalidation property 1614set_prop(system_server, binder_cache_system_server_prop) 1615neverallow { domain -system_server -init } 1616 binder_cache_system_server_prop:property_service set; 1617 1618# Allow system server to attach BPF programs to tracepoints. Deny read permission so that 1619# system_server cannot use this access to read perf event data like process stacks. 
1620allow system_server self:perf_event { open write cpu kernel }; 1621neverallow system_server self:perf_event ~{ open write cpu kernel }; 1622 1623# Allow writing files under /data/system/shutdown-checkpoints/ 1624allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms; 1625allow system_server shutdown_checkpoints_system_data_file:file create_file_perms; 1626 1627# Do not allow any domain other than init or system server to set the property 1628neverallow { domain -init -system_server } socket_hook_prop:property_service set; 1629 1630neverallow { domain -init -system_server } boot_status_prop:property_service set; 1631 1632neverallow { 1633 domain 1634 -init 1635 -vendor_init 1636 -dumpstate 1637 -system_server 1638} wifi_config_prop:file no_rw_file_perms; 1639 1640# Only allow system server to write uhid sysfs files 1641neverallow { 1642 domain 1643 -init 1644 -system_server 1645 -ueventd 1646 -vendor_init 1647} sysfs_uhid:file no_w_file_perms; 1648 1649# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it 1650# can be accessed by system_server only (b/143717177) 1651# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder 1652# interface 1653neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO }; 1654 1655# Only system server can write the font files. 1656neverallow { domain -init -system_server } font_data_file:file no_w_file_perms; 1657neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms; 1658 1659# Allow reading /system/etc/font_fallback.xml 1660allow system_server system_font_fallback_file:file r_file_perms; 1661 1662# Allow system server to set dynamic ART properties. 
1663set_prop(system_server, dalvik_dynamic_config_prop) 1664 1665# Allow system server to read binderfs 1666allow system_server binderfs_logs:dir r_dir_perms; 1667allow system_server binderfs_logs_stats:file r_file_perms; 1668 1669# For ANRs 1670userdebug_or_eng(` 1671 allow system_server binderfs_logs_transactions:file r_file_perms; 1672') 1673 1674# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled 1675set_prop(system_server, game_manager_config_prop) 1676 1677# Allow system server to write HintManagerService properties 1678set_prop(system_server, hint_manager_config_prop) 1679neverallow { 1680 domain 1681 -init 1682 -vendor_init 1683 -system_server 1684 userdebug_or_eng(`-shell') 1685} hint_manager_config_prop:property_service set; 1686 1687# ThreadNetworkService reads Thread Network properties 1688get_prop(system_server, threadnetwork_config_prop) 1689 1690# Do not allow any domain other than init and system server to set the property 1691neverallow { 1692 domain 1693 -init 1694 -vendor_init 1695 -dumpstate 1696 -system_server 1697} threadnetwork_config_prop:file no_rw_file_perms; 1698 1699# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar 1700# in Pre-reboot Dexopt. 1701allow system_server pre_reboot_dexopt_file:dir { getattr search }; 1702 1703# Allow system_server to reopen its own memfd. 1704# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path 1705# /proc/self/fd/<fd> with a classloader. 1706allow system_server system_server_tmpfs:file open; 1707 1708# Allow system_server to read from postinstall scripts through STDIN, to check if the 1709# otapreopt_script is still alive. 1710allow system_server postinstall:fifo_file read; 1711 1712# Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing 1713# files in chroot when we teardown chroot. 
1714allow system_server { 1715 artd 1716 derive_classpath 1717 dex2oat 1718 odrefresh 1719 profman 1720}:process sigkill; 1721 1722# Do not allow any domain other than init or system server to get or set the property 1723neverallow { domain -init -system_server } crashrecovery_prop:property_service set; 1724neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms; 1725 1726# Do not allow anything other than system_server and init to touch /metadata/tradeinmode. 1727neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms; 1728 1729neverallow { 1730 domain 1731 -init 1732 -vendor_init 1733 -system_server 1734 -shell 1735} power_debug_prop:property_service set; 1736