1# 2# System Server aka system_server spawned by zygote. 3# Most of the framework services run in this process. 4# 5type system_server, domain, domain_deprecated, mlstrustedsubject; 6 7# Define a type for tmpfs-backed ashmem regions. 8tmpfs_domain(system_server) 9 10# For art. 11allow system_server dalvikcache_data_file:file execute; 12allow system_server dalvikcache_data_file:dir r_dir_perms; 13 14# Enable system server to check the foreign dex usage markers. 15# We need search on top level directories so that we can get to the files 16allow system_server user_profile_data_file:dir search; 17allow system_server user_profile_data_file:file getattr; 18allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name }; 19allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink }; 20 21# /data/resource-cache 22allow system_server resourcecache_data_file:file r_file_perms; 23allow system_server resourcecache_data_file:dir r_dir_perms; 24 25# ptrace to processes in the same domain for debugging crashes. 26allow system_server self:process ptrace; 27 28# Child of the zygote. 29allow system_server zygote:fd use; 30allow system_server zygote:process sigchld; 31allow system_server zygote_tmpfs:file read; 32 33# May kill zygote on crashes. 34allow system_server zygote:process sigkill; 35 36# Read /system/bin/app_process. 37allow system_server zygote_exec:file r_file_perms; 38 39# Needed to close the zygote socket, which involves getopt / getattr 40allow system_server zygote:unix_stream_socket { getopt getattr }; 41 42# system server gets network and bluetooth permissions. 43net_domain(system_server) 44bluetooth_domain(system_server) 45 46# These are the capabilities assigned by the zygote to the 47# system server. 48allow system_server self:capability { 49 ipc_lock 50 kill 51 net_admin 52 net_bind_service 53 net_broadcast 54 net_raw 55 sys_boot 56 sys_nice 57 sys_resource 58 sys_time 59 sys_tty_config 60}; 61 62wakelock_use(system_server) 63 64# Triggered by /proc/pid accesses, not allowed. 65dontaudit system_server self:capability sys_ptrace; 66 67# Trigger module auto-load. 68allow system_server kernel:system module_request; 69 70# Use netlink uevent sockets. 71allow system_server self:netlink_kobject_uevent_socket create_socket_perms; 72 73# Use generic netlink sockets. 74allow system_server self:netlink_socket create_socket_perms; 75allow system_server self:netlink_generic_socket create_socket_perms; 76 77# Use generic "sockets" where the address family is not known 78# to the kernel. 79allow system_server self:socket create_socket_perms; 80 81# Set and get routes directly via netlink. 82allow system_server self:netlink_route_socket nlmsg_write; 83 84# Kill apps. 85allow system_server { appdomain autoplay_app }:process { sigkill signal }; 86 87# Set scheduling info for apps. 88allow system_server { appdomain autoplay_app }:process { getsched setsched }; 89allow system_server audioserver:process { getsched setsched }; 90allow system_server cameraserver:process { getsched setsched }; 91allow system_server mediaserver:process { getsched setsched }; 92allow system_server bootanim:process { getsched setsched }; 93 94# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 95# within system_server to keep track of memory and CPU usage for 96# all processes on the device. In addition, /proc/pid files access is needed 97# for dumping stack traces of native processes. 98r_dir_file(system_server, domain) 99 100# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. 101allow system_server qtaguid_proc:file rw_file_perms; 102allow system_server qtaguid_device:chr_file rw_file_perms; 103 104# Read /proc/uid_cputime/show_uid_stat. 105allow system_server proc_uid_cputime_showstat:file r_file_perms; 106 107# Write /proc/uid_cputime/remove_uid_range. 108allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 109 110# Write to /proc/sysrq-trigger. 111allow system_server proc_sysrq:file rw_file_perms; 112 113# Read /sys/kernel/debug/wakeup_sources. 114allow system_server debugfs:file r_file_perms; 115 116# The DhcpClient and WifiWatchdog use packet_sockets 117allow system_server self:packet_socket create_socket_perms; 118 119# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same 120# as raw sockets, but the kernel doesn't yet distinguish between the two. 121allow system_server node:rawip_socket node_bind; 122 123# 3rd party VPN clients require a tun_socket to be created 124allow system_server self:tun_socket create_socket_perms; 125 126# Notify init of death. 127allow system_server init:process sigchld; 128 129# Talk to init and various daemons via sockets. 130unix_socket_connect(system_server, installd, installd) 131unix_socket_connect(system_server, lmkd, lmkd) 132unix_socket_connect(system_server, mtpd, mtp) 133unix_socket_connect(system_server, netd, netd) 134unix_socket_connect(system_server, vold, vold) 135unix_socket_connect(system_server, zygote, zygote) 136unix_socket_connect(system_server, gps, gpsd) 137unix_socket_connect(system_server, racoon, racoon) 138unix_socket_send(system_server, wpa, wpa) 139unix_socket_connect(system_server, uncrypt, uncrypt) 140 141# Communicate over a socket created by surfaceflinger. 142allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 143 144# Perform Binder IPC. 145binder_use(system_server) 146binder_call(system_server, binderservicedomain) 147binder_call(system_server, gatekeeperd) 148binder_call(system_server, fingerprintd) 149binder_call(system_server, { appdomain autoplay_app }) 150binder_call(system_server, dumpstate) 151binder_call(system_server, netd) 152binder_service(system_server) 153 154# Ask debuggerd to dump backtraces for native stacks of interest. 155# 156# This is derived from the list that system server defines as interesting native processes 157# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 158# frameworks/base/services/core/java/com/android/server/Watchdog.java. 159allow system_server { 160 audioserver 161 bluetooth 162 cameraserver 163 drmserver 164 inputflinger 165 mediacodec 166 mediadrmserver 167 mediaextractor 168 mediaserver 169 sdcardd 170 surfaceflinger 171}:debuggerd dump_backtrace; 172 173# Use sockets received over binder from various services. 174allow system_server audioserver:tcp_socket rw_socket_perms; 175allow system_server audioserver:udp_socket rw_socket_perms; 176allow system_server mediaserver:tcp_socket rw_socket_perms; 177allow system_server mediaserver:udp_socket rw_socket_perms; 178 179# Use sockets received over binder from various services. 180allow system_server mediadrmserver:tcp_socket rw_socket_perms; 181allow system_server mediadrmserver:udp_socket rw_socket_perms; 182 183# Check SELinux permissions. 184selinux_check_access(system_server) 185 186# XXX Label sysfs files with a specific type? 187allow system_server sysfs:file rw_file_perms; 188allow system_server sysfs_nfc_power_writable:file rw_file_perms; 189allow system_server sysfs_devices_system_cpu:file w_file_perms; 190allow system_server sysfs_mac_address:file r_file_perms; 191allow system_server sysfs_thermal:dir search; 192allow system_server sysfs_thermal:file r_file_perms; 193 194# TODO: added to match above sysfs rule. Remove me? 195allow system_server sysfs_usb:file w_file_perms; 196 197# Access devices. 198allow system_server device:dir r_dir_perms; 199allow system_server mdns_socket:sock_file rw_file_perms; 200allow system_server alarm_device:chr_file rw_file_perms; 201allow system_server gpu_device:chr_file rw_file_perms; 202allow system_server iio_device:chr_file rw_file_perms; 203allow system_server input_device:dir r_dir_perms; 204allow system_server input_device:chr_file rw_file_perms; 205allow system_server radio_device:chr_file r_file_perms; 206allow system_server tty_device:chr_file rw_file_perms; 207allow system_server usbaccessory_device:chr_file rw_file_perms; 208allow system_server video_device:dir r_dir_perms; 209allow system_server video_device:chr_file rw_file_perms; 210allow system_server adbd_socket:sock_file rw_file_perms; 211allow system_server rtc_device:chr_file rw_file_perms; 212allow system_server audio_device:dir r_dir_perms; 213 214# write access needed for MIDI 215allow system_server audio_device:chr_file rw_file_perms; 216 217# tun device used for 3rd party vpn apps 218allow system_server tun_device:chr_file rw_file_perms; 219 220# Manage system data files. 221allow system_server system_data_file:dir create_dir_perms; 222allow system_server system_data_file:notdevfile_class_set create_file_perms; 223allow system_server keychain_data_file:dir create_dir_perms; 224allow system_server keychain_data_file:file create_file_perms; 225 226# Manage /data/app. 227allow system_server apk_data_file:dir create_dir_perms; 228allow system_server apk_data_file:file { create_file_perms link }; 229allow system_server apk_tmp_file:dir create_dir_perms; 230allow system_server apk_tmp_file:file create_file_perms; 231 232# Manage /data/app-private. 233allow system_server apk_private_data_file:dir create_dir_perms; 234allow system_server apk_private_data_file:file create_file_perms; 235allow system_server apk_private_tmp_file:dir create_dir_perms; 236allow system_server apk_private_tmp_file:file create_file_perms; 237 238# Manage files within asec containers. 239allow system_server asec_apk_file:dir create_dir_perms; 240allow system_server asec_apk_file:file create_file_perms; 241allow system_server asec_public_file:file create_file_perms; 242 243# Manage /data/anr. 244allow system_server anr_data_file:dir create_dir_perms; 245allow system_server anr_data_file:file create_file_perms; 246 247# Manage /data/backup. 248allow system_server backup_data_file:dir create_dir_perms; 249allow system_server backup_data_file:file create_file_perms; 250 251# Write to /data/system/heapdump 252allow system_server heapdump_data_file:dir rw_dir_perms; 253allow system_server heapdump_data_file:file create_file_perms; 254 255# Manage /data/misc/adb. 256allow system_server adb_keys_file:dir create_dir_perms; 257allow system_server adb_keys_file:file create_file_perms; 258 259# Manage /data/misc/sms. 260# TODO: Split into a separate type? 261allow system_server radio_data_file:dir create_dir_perms; 262allow system_server radio_data_file:file create_file_perms; 263 264# Manage /data/misc/systemkeys. 265allow system_server systemkeys_data_file:dir create_dir_perms; 266allow system_server systemkeys_data_file:file create_file_perms; 267 268# Access /data/tombstones. 269allow system_server tombstone_data_file:dir r_dir_perms; 270allow system_server tombstone_data_file:file r_file_perms; 271 272# Manage /data/misc/vpn. 273allow system_server vpn_data_file:dir create_dir_perms; 274allow system_server vpn_data_file:file create_file_perms; 275 276# Manage /data/misc/wifi. 277allow system_server wifi_data_file:dir create_dir_perms; 278allow system_server wifi_data_file:file create_file_perms; 279 280# Manage /data/misc/zoneinfo. 281allow system_server zoneinfo_data_file:dir create_dir_perms; 282allow system_server zoneinfo_data_file:file create_file_perms; 283 284# Walk /data/data subdirectories. 285# Types extracted from seapp_contexts type= fields. 286allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file autoplay_data_file }:dir { getattr read search }; 287# Also permit for unlabeled /data/data subdirectories and 288# for unlabeled asec containers on upgrades from 4.2. 289allow system_server unlabeled:dir r_dir_perms; 290# Read pkg.apk file before it has been relabeled by vold. 291allow system_server unlabeled:file r_file_perms; 292 293# Populate com.android.providers.settings/databases/settings.db. 294allow system_server system_app_data_file:dir create_dir_perms; 295allow system_server system_app_data_file:file create_file_perms; 296 297# Receive and use open app data files passed over binder IPC. 298# Types extracted from seapp_contexts type= fields. 299allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write }; 300 301# Receive and use open /data/media files passed over binder IPC. 302allow system_server media_rw_data_file:file { getattr read write }; 303 304# Read /file_contexts and /data/security/file_contexts 305security_access_policy(system_server) 306 307# Relabel apk files. 308allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; 309allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; 310 311# Relabel wallpaper. 312allow system_server system_data_file:file relabelfrom; 313allow system_server wallpaper_file:file relabelto; 314allow system_server wallpaper_file:file { rw_file_perms rename unlink }; 315 316# Backup of wallpaper imagery uses temporary hard links to avoid data churn 317allow system_server { system_data_file wallpaper_file }:file link; 318 319# ShortcutManager icons 320allow system_server system_data_file:dir relabelfrom; 321allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; 322allow system_server shortcut_manager_icons:file create_file_perms; 323 324# Manage ringtones. 325allow system_server ringtone_file:dir { create_dir_perms relabelto }; 326allow system_server ringtone_file:file create_file_perms; 327 328# Relabel icon file. 329allow system_server icon_file:file relabelto; 330allow system_server icon_file:file { rw_file_perms unlink }; 331 332# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? 333allow system_server system_data_file:dir relabelfrom; 334 335# Property Service write 336set_prop(system_server, system_prop) 337set_prop(system_server, safemode_prop) 338set_prop(system_server, dhcp_prop) 339set_prop(system_server, net_radio_prop) 340set_prop(system_server, system_radio_prop) 341set_prop(system_server, debug_prop) 342set_prop(system_server, powerctl_prop) 343set_prop(system_server, fingerprint_prop) 344set_prop(system_server, device_logging_prop) 345userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 346 347# ctl interface 348set_prop(system_server, ctl_default_prop) 349set_prop(system_server, ctl_bugreport_prop) 350 351# cppreopt property 352set_prop(system_server, cppreopt_prop) 353 354# Create a socket for receiving info from wpa. 355type_transition system_server wifi_data_file:sock_file system_wpa_socket; 356type_transition system_server wpa_socket:sock_file system_wpa_socket; 357allow system_server wpa_socket:dir rw_dir_perms; 358allow system_server system_wpa_socket:sock_file create_file_perms; 359 360# Remove sockets created by wpa_supplicant 361allow system_server wpa_socket:sock_file unlink; 362 363# Create a socket for connections from debuggerd. 364type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 365allow system_server system_ndebug_socket:sock_file create_file_perms; 366 367# Manage cache files. 368allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; 369allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; 370allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; 371 372# Run system programs, e.g. dexopt. 373allow system_server system_file:file x_file_perms; 374 375# LocationManager(e.g, GPS) needs to read and write 376# to uart driver and ctrl proc entry 377allow system_server gps_device:chr_file rw_file_perms; 378allow system_server gps_control:file rw_file_perms; 379 380# Allow system_server to use app-created sockets and pipes. 381allow system_server { appdomain autoplay_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; 382allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket } { getattr read write }; 383 384# Allow abstract socket connection 385allow system_server rild:unix_stream_socket connectto; 386 387# BackupManagerService needs to manipulate backup data files 388allow system_server cache_backup_file:dir rw_dir_perms; 389allow system_server cache_backup_file:file create_file_perms; 390# LocalTransport works inside /cache/backup 391allow system_server cache_private_backup_file:dir create_dir_perms; 392allow system_server cache_private_backup_file:file create_file_perms; 393 394# Allow system to talk to usb device 395allow system_server usb_device:chr_file rw_file_perms; 396allow system_server usb_device:dir r_dir_perms; 397 398# Allow system to talk to sensors 399allow system_server sensors_device:chr_file rw_file_perms; 400 401# Read from HW RNG (needed by EntropyMixer). 402allow system_server hw_random_device:chr_file r_file_perms; 403 404# Read and delete files under /dev/fscklogs. 405r_dir_file(system_server, fscklogs) 406allow system_server fscklogs:dir { write remove_name }; 407allow system_server fscklogs:file unlink; 408 409# logd access, system_server inherit logd write socket 410# (urge is to deprecate this long term) 411allow system_server zygote:unix_dgram_socket write; 412 413# Read from log daemon. 414read_logd(system_server) 415 416# Be consistent with DAC permissions. Allow system_server to write to 417# /sys/module/lowmemorykiller/parameters/adj 418# /sys/module/lowmemorykiller/parameters/minfree 419allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; 420 421# Read /sys/fs/pstore/console-ramoops 422# Don't worry about overly broad permissions for now, as there's 423# only one file in /sys/fs/pstore 424allow system_server pstorefs:dir r_dir_perms; 425allow system_server pstorefs:file r_file_perms; 426 427# /sys access 428allow system_server sysfs_zram:dir search; 429allow system_server sysfs_zram:file r_file_perms; 430 431allow system_server audioserver_service:service_manager find; 432allow system_server cameraserver_service:service_manager find; 433allow system_server drmserver_service:service_manager find; 434allow system_server batteryproperties_service:service_manager find; 435allow system_server keystore_service:service_manager find; 436allow system_server gatekeeper_service:service_manager find; 437allow system_server fingerprintd_service:service_manager find; 438allow system_server mediaserver_service:service_manager find; 439allow system_server mediaextractor_service:service_manager find; 440allow system_server mediacodec_service:service_manager find; 441allow system_server mediadrmserver_service:service_manager find; 442allow system_server netd_service:service_manager find; 443allow system_server nfc_service:service_manager find; 444allow system_server radio_service:service_manager find; 445allow system_server system_server_service:service_manager { add find }; 446allow system_server surfaceflinger_service:service_manager find; 447 448allow system_server keystore:keystore_key { 449 get_state 450 get 451 insert 452 delete 453 exist 454 list 455 reset 456 password 457 lock 458 unlock 459 is_empty 460 sign 461 verify 462 grant 463 duplicate 464 clear_uid 465 add_auth 466 user_changed 467}; 468 469# Allow system server to search and write to the persistent factory reset 470# protection partition. This block device does not get wiped in a factory reset. 471allow system_server block_device:dir search; 472allow system_server frp_block_device:blk_file rw_file_perms; 473 474# Clean up old cgroups 475allow system_server cgroup:dir { remove_name rmdir }; 476 477# /oem access 478r_dir_file(system_server, oemfs) 479 480# Allow resolving per-user storage symlinks 481allow system_server { mnt_user_file storage_file }:dir { getattr search }; 482allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; 483 484# Allow statfs() on storage devices, which happens fast enough that 485# we shouldn't be killed during unsafe removal 486allow system_server sdcard_type:dir { getattr search }; 487 488# Traverse into expanded storage 489allow system_server mnt_expand_file:dir r_dir_perms; 490 491# Allow system process to relabel the fingerprint directory after mkdir 492# and delete the directory and files when no longer needed 493allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; 494allow system_server fingerprintd_data_file:file { getattr unlink }; 495 496# Allow system process to read network MAC address 497allow system_server sysfs_mac_address:file r_file_perms; 498 499userdebug_or_eng(` 500 # Allow system server to create and write method traces in /data/misc/trace. 501 allow system_server method_trace_data_file:dir w_dir_perms; 502 allow system_server method_trace_data_file:file { create w_file_perms }; 503 504 # Allow system server to read dmesg 505 allow system_server kernel:system syslog_read; 506') 507 508# For AppFuse. 509allow system_server vold:fd use; 510allow system_server fuse_device:chr_file { read write ioctl getattr }; 511 512# For configuring sdcardfs 513allow system_server configfs:dir { create_dir_perms }; 514allow system_server configfs:file { getattr open unlink write }; 515 516# Connect to adbd and use a socket transferred from it. 517# Used for e.g. jdwp. 518allow system_server adbd:unix_stream_socket connectto; 519allow system_server adbd:fd use; 520allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; 521 522# Access to /data/media. 523# This should be removed if sdcardfs is modified to alter the secontext for its 524# accesses to the underlying FS. 525allow system_server media_rw_data_file:dir search; 526 527# Allow invoking tools like "timeout" 528allow system_server toolbox_exec:file rx_file_perms; 529 530# Postinstall 531# 532# For OTA dexopt, allow calls coming from postinstall. 533binder_call(system_server, postinstall) 534 535allow system_server postinstall:fifo_file write; 536allow system_server update_engine:fd use; 537allow system_server update_engine:fifo_file write; 538 539# Access to /data/preloads 540allow system_server preloads_data_file:file { r_file_perms unlink }; 541allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir }; 542 543### 544### Neverallow rules 545### 546### system_server should NEVER do any of this 547 548# Do not allow opening files from external storage as unsafe ejection 549# could cause the kernel to kill the system_server. 550neverallow system_server sdcard_type:dir { open read write }; 551neverallow system_server sdcard_type:file rw_file_perms; 552 553# system server should never be opening zygote spawned app data 554# files directly. Rather, they should always be passed via a 555# file descriptor. 556# Types extracted from seapp_contexts type= fields, excluding 557# those types that system_server needs to open directly. 558neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open; 559 560# system_server should never be executing dex2oat. This is either 561# a bug (for example, bug 16317188), or represents an attempt by 562# system server to dynamically load a dex file, something we do not 563# want to allow. 564neverallow system_server dex2oat_exec:file no_x_file_perms; 565 566# system_server should never execute anything from /data except for /data/dalvik-cache files. 567neverallow system_server { 568 data_file_type 569 -dalvikcache_data_file #mapping with PROT_EXEC 570}:file no_x_file_perms; 571 572# The only block device system_server should be accessing is 573# the frp_block_device. This helps avoid a system_server to root 574# escalation by writing to raw block devices. 575neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; 576 577# system_server should never use JIT functionality 578neverallow system_server self:process execmem; 579neverallow system_server ashmem_device:chr_file execute; 580neverallow system_server system_server_tmpfs:file execute; 581