#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# Layout of this file: type declaration and domain macros first, then
# allow rules grouped by the resource they touch (each group carries a
# one-line comment saying why the access is needed), then the neverallow
# section at the end.
#
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# NOTE(review): execmem on self permits anonymous executable mappings in
# this process; worth re-confirming it is still needed alongside the ART
# rules below rather than carried over from the Dalvik era.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms;

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Note: this is ptrace of system_server's own domain only; sys_ptrace
# (needed for other domains) is explicitly dontaudited further down.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
# NOTE(review): r_dir_file over the whole `domain` attribute is read-only
# but very wide; the narrower per-domain r_dir_file rules further down
# (mediaserver, sdcardd, ...) show the more targeted pattern.
r_dir_file(system_server, domain)

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Read /proc/uid_cputime/show_uid_stat.
allow system_server proc_uid_cputime_showstat:file r_file_perms;

# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };

# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
binder_call(system_server, fingerprintd)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Ask debuggerd to dump backtraces for native stacks of interest.
allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;

# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# NOTE(review): rw_file_perms on the generic sysfs type covers every file
# that still carries that label; the two specifically labeled sysfs_* types
# directly below are the intended direction for narrowing this.
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
# write access needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read from /data/dalvik-cache/profiles
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;

# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# Deliberately read-only: unlabeled objects get r_* perms only.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# Note the absence of open here: system_server may use fds handed to it
# but this rule alone does not let it open app data files itself.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, system_radio_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)

# ctl interface
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_dhcp_pan_prop)
set_prop(system_server, ctl_bugreport_prop)

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
allow system_server cache_file:fifo_file create_file_perms;

# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;

# LocationManager (e.g., GPS) needs to read and write
# to the uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (the intent is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# Service manager lookups; only system_server's own services may be added.
allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;

# Keystore operations system_server may invoke. Note this list includes
# state-changing operations (reset, password, lock/unlock, clear_uid,
# user_changed), not only key lookup and use.
allow system_server keystore:keystore_key {
    get_state
    get
    insert
    delete
    exist
    list
    reset
    password
    lock
    unlock
    is_empty
    sign
    verify
    grant
    duplicate
    clear_uid
    add_auth
    user_changed
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access
r_dir_file(system_server, oemfs)
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax the system_server external storage rules to allow calls
like statfs(). Open file descriptors are still neverallowed, since they
can cause the kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
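# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal.
# Intentionally limited to getattr/search: open file descriptors on
# external storage remain neverallowed for system_server.
allow system_server sdcard_type:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# (permission set spaced as `{ a b }` to match the rest of this file).
allow system_server fingerprintd_data_file:dir { r_dir_perms relabelto };

###
### Neverallow rules
###
### system_server should NEVER do any of this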
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;
# system server should never be opening zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;