#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# system_server is the most privileged long-running framework process on the
# device, so every rule in this file widens a high-value attack surface. Rules
# are grouped by the service that needs them; keep new rules as narrow as that
# service allows and document the consumer next to the rule.
#

# Attribute membership: each `typeattribute` line makes system_server inherit
# every rule written against that attribute elsewhere in the policy.
typeattribute system_server coredomain;
# MLS-trusted subject: exempted from the MLS constraints that gate cross-level
# (per-user) access -- presumably because system_server serves all users;
# confirm against the mls constraint definitions before relying on it.
typeattribute system_server mlstrustedsubject;
# *_service_server attributes mark system_server as the process that serves
# these binder services; the matching client-side rules live with the
# attribute definitions, not here.
typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
# bpfdomain: pulls in the BPF access rules granted to that attribute elsewhere.
typeattribute system_server bpfdomain;

# Define a type for tmpfs-backed ashmem regions.
# tmpfs_domain() gives the domain its own tmpfs type (by the <domain>_tmpfs
# convention also seen in zygote_tmpfs / appdomain_tmpfs below), so other
# domains need an explicit rule to map system_server's shared memory.
tmpfs_domain(system_server)

# Grants whatever userfaultfd access the userfaultfd_use() macro carries.
userfaultfd_use(system_server)
# Create a socket for connections from crash_dump.
# Named file transition: a sock_file named "ndebugsocket" that system_server
# creates inside a system_data_file directory is labeled system_ndebug_socket
# instead of inheriting system_data_file. This only sets the label; the create
# permission itself comes from the system_data_file rules further down.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

# Create a socket for connections from zygotes.
# Same pattern as above for the "unsolzygotesocket" sock_file.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";

# Read-only mapping of zygote's tmpfs-backed memory (no write granted).
allow system_server zygote_tmpfs:file { map read };
# Read AND write mappings of app tmpfs/ashmem regions. This is a cross-domain
# write into memory shared with untrusted apps, so framework code using such
# regions must treat their contents as attacker-controlled.
allow system_server appdomain_tmpfs:file { getattr map read write };

# For Incremental Service to check if incfs is available
# (reads /proc/filesystems; read-only).
allow system_server proc_filesystems:file r_file_perms;
# To create files, get permission to fill blocks, and configure Incremental File System
# The base set includes `ioctl`; the allowxperm rule below then narrows which
# ioctl request numbers are permitted on incremental_control_file. Once an
# allowxperm rule exists for a source/target/class triple, any ioctl command
# not listed is denied, so this list is the effective allowlist.
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
  INCFS_IOCTL_CREATE_FILE
  INCFS_IOCTL_CREATE_MAPPED_FILE
  INCFS_IOCTL_PERMIT_FILL
  INCFS_IOCTL_GET_READ_TIMEOUTS
  INCFS_IOCTL_SET_READ_TIMEOUTS
  INCFS_IOCTL_GET_LAST_READ_ERROR
};

# To get signature of an APK installed on Incremental File System, and fill in data
# blocks and get the filesystem state
# NOTE(review): the base `ioctl` permission on apk_data_file:file is not
# granted in this file; it must come from a rule elsewhere (possibly via an
# attribute) -- confirm with sesearch before assuming these commands are live.
# The F2FS_IOC_*COMPRESS* and FS_IOC_SETFLAGS commands mutate on-disk state of
# installed APKs (compression blocks, inode flags), not just query it.
allowxperm system_server apk_data_file:file ioctl {
  INCFS_IOCTL_READ_SIGNATURE
  INCFS_IOCTL_FILL_BLOCKS
  INCFS_IOCTL_GET_FILLED_BLOCKS
  INCFS_IOCTL_GET_BLOCK_COUNT
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_COMPRESS_BLOCKS
  F2FS_IOC_COMPRESS_FILE
  F2FS_IOC_DECOMPRESS_FILE
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
  FS_IOC_SETFLAGS
  FS_IOC_GETFLAGS
};

# Staging copies of APKs only need the release + flag-query commands.
allowxperm system_server apk_tmp_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# For Incremental Service to check incfs metrics (read-only sysfs).
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;

# For f2fs-compression support (read-only sysfs).
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;

# For SdkSandboxManagerService
# create_dir_perms on the directory only; no file-level rule is granted here.
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
# For art.
# Read-only access to the ART APEX data and dalvik-cache artifacts; `execute`
# is deliberately not in this set (see the dontaudit below).
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
# dontaudit only silences the audit log; the execute attempt is still denied.
dontaudit system_server apex_art_data_file:file execute;

# For release odex/vdex compress blocks
# The base `ioctl` permission is not granted to dalvikcache_data_file in this
# file (the rule above is r_file_perms); it must come from elsewhere -- confirm.
allowxperm system_server dalvikcache_data_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
# with_asan() expands only in sanitizer builds, so production policy has no
# lnk_file rule here.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

# /data/resource-cache (read-only).
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
# ptrace to processes in the same domain for debugging crashes.
|
|
|
|
allow system_server self:process ptrace;
|
|
|
|
|
|
|
|
# Child of the zygote.
|
|
|
|
allow system_server zygote:fd use;
|
|
|
|
allow system_server zygote:process sigchld;
|
|
|
|
|
2023-02-24 12:02:55 +01:00
|
|
|
# May kill zygote (or its child processes) on crashes.
|
2019-12-10 11:40:10 +01:00
|
|
|
allow system_server {
|
|
|
|
app_zygote
|
|
|
|
crash_dump
|
2023-02-24 12:02:55 +01:00
|
|
|
crosvm
|
|
|
|
virtualizationmanager
|
2019-12-10 11:40:10 +01:00
|
|
|
webview_zygote
|
|
|
|
zygote
|
2022-01-27 05:17:02 +01:00
|
|
|
}:process { getpgid sigkill signull };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# Read /system/bin/app_process.
|
|
|
|
allow system_server zygote_exec:file r_file_perms;
|
|
|
|
|
|
|
|
# Needed to close the zygote socket, which involves getopt / getattr
|
|
|
|
allow system_server zygote:unix_stream_socket { getopt getattr };
|
|
|
|
|
|
|
|
# system server gets network and bluetooth permissions.
|
|
|
|
net_domain(system_server)
|
2020-07-31 20:28:11 +02:00
|
|
|
# in addition to ioctls allowlisted for all domains, also allow system_server
|
2017-02-07 00:39:36 +01:00
|
|
|
# to use privileged ioctls commands. Needed to set up VPNs.
|
|
|
|
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
bluetooth_domain(system_server)
|
|
|
|
|
2019-01-16 12:23:58 +01:00
|
|
|
# Allow setup of tcp keepalive offload. This gives system_server the permission to
|
|
|
|
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
|
2020-07-31 20:28:11 +02:00
|
|
|
# be granted individually, except for a small set of safe values allowlisted in
|
2019-01-16 12:23:58 +01:00
|
|
|
# public/domain.te.
|
|
|
|
allow system_server appdomain:tcp_socket ioctl;
|
|
|
|
|
# These are the capabilities assigned by the zygote to the
# system server.
# SELinux gates capability *use*; the kernel capability set itself is installed
# by zygote, so this list and the zygote-side set must be changed together.
# sys_ptrace, net_admin, net_raw and kill are the broadest entries here.
allow system_server self:global_capability_class_set {
  ipc_lock
  kill
  net_admin
  net_bind_service
  net_broadcast
  net_raw
  sys_boot
  sys_nice
  sys_ptrace
  sys_time
  sys_tty_config
};

# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;

# Create and share netlink_netfilter_sockets for tetheroffload.
# create_socket_perms_no_ioctl: full socket lifecycle minus `ioctl`.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
# nlmsg_read/nlmsg_write are the netlink message-direction permissions.
allow system_server self:netlink_tcpdiag_socket
  { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

# netlink_nflog_socket (no comment in original; consumer not recorded -- TODO).
allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;

# libvintf reads the kernel config to verify vendor interface compatibility.
# /proc/config.gz: read + open only.
allow system_server config_gz:file { read open };

# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
# Only nlmsg_write is added here; the create/read side of
# netlink_route_socket presumably comes from net_domain() above -- confirm.
allow system_server self:netlink_route_socket nlmsg_write;

# Use XFRM (IPsec) netlink sockets
# nlmsg_write lets system_server install IPsec SAs/policies (VPN setup).
allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
# Kill apps.
# `signal` here is unrestricted signal delivery to every app domain, in
# addition to sigkill.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
allow system_server appdomain:process { signull };

# Set scheduling info for apps.
# setsched lets system_server change scheduling policy/priority of the
# listed process domains (apps plus the media/camera/audio/bluetooth HAL and
# server domains below).
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };

# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
# setsched on the `kernel` domain is unusual; tracked for removal above.
allow system_server kernel:process { getsched setsched };
# Allow system_server to write to /proc/<pid>/*
# `domain` is the attribute carried by every process domain and /proc/<pid>
# entries take the label of their process, so this is write access to the
# procfs entries of *every* process on the device. No read is granted by this
# rule; reads come from r_dir_file() below.
allow system_server domain:file w_file_perms;

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
# r_dir_file() = read-only dir + file perms on the target.
r_dir_file(system_server, domain)

# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };

# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };

# Write to /proc/sysrq-trigger.
# Writing to sysrq-trigger can crash or reboot the kernel, so this rule is
# effectively a kernel-reset capability; keep it out of any broader attribute.
allow system_server proc_sysrq:file rw_file_perms;
# Delete /data/misc/stats-service/ directories.
# Directory set is limited to listing/search plus remove_name+write (unlink
# of entries); no add_name, so system_server cannot create files there.
allow system_server stats_config_data_file:dir { open read remove_name search write };
allow system_server stats_config_data_file:file unlink;

# Read metric file & upload to statsd
# search-only on the parent odsign_data_file; read + unlink on metrics.
allow system_server odsign_data_file:dir search;
allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
allow system_server odsign_metrics_file:file { r_file_perms unlink };

# Read /sys/kernel/debug/wakeup_sources.
# no_debugfs_restriction() wraps the rule so it is dropped on builds where
# debugfs access is restricted.
no_debugfs_restriction(`
allow system_server debugfs_wakeup_sources:file r_file_perms;
')

# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;

# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file r_file_perms;

# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
allow system_server sysfs_dmabuf_stats:file r_file_perms;

# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
# for dumpsys meminfo
# Directory listing only; no chr_file access to the heaps themselves.
allow system_server dmabuf_heap_device:dir r_dir_perms;

# Allow reading /proc/vmstat for the oom kill count
allow system_server proc_vmstat:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
# packet_socket = raw link-layer frames; combined with net_raw above.
allow system_server self:packet_socket create_socket_perms_no_ioctl;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;

# Talk to init and various daemons via sockets.
# unix_socket_connect(src, socket_type, daemon): connect to the daemon's
# socket file of the given type.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, uncrypt, uncrypt)

# Allow system_server to write to statsd.
# unix_socket_send(): datagram send only, no connect.
unix_socket_send(system_server, statsdw, statsd)

# Communicate over a socket created by surfaceflinger.
# No connectto: these sockets must be handed over (e.g. via binder fd
# passing) rather than connected to by path.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

allow system_server gpuservice:unix_stream_socket { read write setopt };

# Communicate over a socket created by webview_zygote.
# connectto is included here, unlike the surfaceflinger/gpuservice rules.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };

# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
# Perform Binder IPC.
# binder_use() grants the base servicemanager/binder access; each
# binder_call(system_server, X) opens the Binder call path between
# system_server and domain X (see te_macros for the exact expansion).
# The list is roughly alphabetical; incidentd, logd and uprobestats sit out
# of order.
binder_use(system_server)
binder_call(system_server, appdomain)
binder_call(system_server, artd)
binder_call(system_server, binderservicedomain)
binder_call(system_server, composd)
binder_call(system_server, dexopt_chroot_setup)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
binder_call(system_server, gpuservice)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
binder_call(system_server, ot_daemon)
# profcollectd is reachable only on userdebug/eng builds.
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, uprobestats)
# binder_service(): lets system_server register services with servicemanager.
binder_service(system_server)

# Use HALs
Mark all clients of Allocator HAL
This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.
This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.
Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.
P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.
Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
# hal_client_domain(system_server, hal_X) grants the client side of each HAL:
# finding/calling the HAL's server domain over (hw)binder, and -- when the HAL
# runs in passthrough mode inside this process -- the hal_X rules directly.
# Each entry therefore also decides what a passthrough HAL can do with
# system_server's privileges, so add HALs here only when system_server itself
# is the client.
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_bluetooth)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
Switch Fingerprint HAL policy to _client/_server
This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.
Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.
Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.
NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.
Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
adb shell stop,
adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079
Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
# HAL client entries, continued (alphabetical). Security-sensitive HALs in
# this run: hal_fingerprint / hal_keymint / hal_oemlock / hal_rebootescrow /
# hal_remotelyprovisionedcomponent_avf / hal_weaver all back credential or
# device-integrity features, so their client grants should not be widened
# beyond system_server.
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_keymint)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_threadnetwork)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_hdmi_cec)
hal_client_domain(system_server, hal_tv_hdmi_connection)
hal_client_domain(system_server, hal_tv_hdmi_earc)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_uwb)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
Switch Wi-Fi HAL policy to _client/_server
This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.
Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.
Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.
Test: Setup Wizard (incl. adding a Google Account) completes fine with
Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
not require a password, and to one which requires a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079
Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
# The bootctl is a pass through HAL mode under recovery mode. So we skip the
# permission for recovery in order not to give system server the access to
# the low level block devices.
# not_recovery() drops the rule from the recovery policy build entirely.
not_recovery(`hal_client_domain(system_server, hal_bootctl)')

# Talk with graphics composer fences
# fd use only: system_server can use fence fds passed from the composer but
# gets no other access to that domain here.
allow system_server hal_graphics_composer:fd use;

# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
# execute + map of same-process HAL libraries inside system_server: that code
# runs with system_server's full privileges, which is why the grant is limited
# to the same_process_hal_file type rather than vendor libraries in general.
allow system_server same_process_hal_file:file { execute read open getattr map };

# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)

# List HAL interfaces to get ANR traces.
# `list` only; `find`/`add` on specific services are granted elsewhere.
allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces.
# Only `signal` is granted to this set (no sigkill/sigstop), and both halves
# of the list mirror constants in Watchdog.java, so keep the three in sync
# when a native process or HAL is added to the watchdog.
allow system_server {
  # This is derived from the list that system server defines as interesting native processes
  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  artd
  audioserver
  cameraserver
  drmserver
  gpuservice
  inputflinger
  keystore
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  mediatranscoding
  mediatuner
  netd
  sdcardd
  servicemanager
  statsd
  surfaceflinger
  vold

  # This list comes from HAL_INTERFACES_OF_INTEREST in
  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_face_server
  hal_fingerprint_server
  hal_gnss_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_light_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_vibrator_server
  hal_vr_server
  system_suspend_server
}:process { signal };
# Use sockets received over binder from various services.
# rw_socket_perms on sockets *owned* by these domains: system_server can read
# and write them once handed an fd, but cannot create or bind them itself.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Use sockets received over binder from various services.
# (Same comment as the group above; the two groups could be merged.)
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(system_server)

# Get file context
# Read-only access to file_contexts so the framework can label paths.
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
# NOTE(review): the space in `mac_perms_file: file` is accepted by checkpolicy
# but differs from the `target:class` form used everywhere else in this file.
allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
# selinux_check_access(): lets system_server query the kernel's AVC
# (selinuxfs access checks) on behalf of callers.
selinux_check_access(system_server)

# sysfs_type is the attribute over every sysfs label, so this grants directory
# listing/search across all of sysfs; file reads remain per-type below.
allow system_server sysfs_type:dir r_dir_perms;

# /sys/class/android_usb: read via r_dir_file(), plus write to files.
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
# Read-only sysfs extcon (external connector) state.
r_dir_file(system_server, sysfs_extcon)

# Read and write IPv4 sysctl-style nodes under sysfs_ipv4.
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;

r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)

# Writable sysfs nodes. Each rw/w grant below lets system_server change
# kernel-side state; the read-only ones (thermal) are listed alongside for
# contrast.
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
allow system_server sysfs_uhid:dir r_dir_perms;
allow system_server sysfs_uhid:file rw_file_perms;

# TODO: Remove when HALs are forced into separate processes
# write/append only (no open): relies on an already-open fd being handed in.
allow system_server sysfs_vibrator:file { write append };

# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms;
# Access devices.
|
|
|
|
allow system_server device:dir r_dir_perms;
|
|
|
|
allow system_server mdns_socket:sock_file rw_file_perms;
|
|
|
|
allow system_server gpu_device:chr_file rw_file_perms;
|
2022-02-24 19:32:16 +01:00
|
|
|
allow system_server gpu_device:dir r_dir_perms;
|
|
|
|
allow system_server sysfs_gpu:file r_file_perms;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server input_device:dir r_dir_perms;
|
|
|
|
allow system_server input_device:chr_file rw_file_perms;
|
|
|
|
allow system_server tty_device:chr_file rw_file_perms;
|
|
|
|
allow system_server usbaccessory_device:chr_file rw_file_perms;
|
|
|
|
allow system_server video_device:dir r_dir_perms;
|
|
|
|
allow system_server video_device:chr_file rw_file_perms;
|
|
|
|
allow system_server adbd_socket:sock_file rw_file_perms;
|
|
|
|
allow system_server rtc_device:chr_file rw_file_perms;
|
|
|
|
allow system_server audio_device:dir r_dir_perms;
|
2022-02-04 16:11:26 +01:00
|
|
|
allow system_server uhid_device:chr_file rw_file_perms;
|
2023-12-01 00:28:04 +01:00
|
|
|
allow system_server hidraw_device:dir r_dir_perms;
|
|
|
|
allow system_server hidraw_device:chr_file rw_file_perms;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
2018-11-28 22:47:44 +01:00
|
|
|
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server audio_device:chr_file rw_file_perms;
|
|
|
|
|
2022-06-01 05:29:55 +02:00
|
|
|
# tun device used for 3rd party vpn apps and test network manager
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server tun_device:chr_file rw_file_perms;
|
2022-06-01 05:29:55 +02:00
|
|
|
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
2018-11-21 19:10:54 +01:00
|
|
|
# Manage data/ota_package
|
|
|
|
allow system_server ota_package_file:dir rw_dir_perms;
|
|
|
|
allow system_server ota_package_file:file create_file_perms;
|
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
# Manage system data files.
|
|
|
|
allow system_server system_data_file:dir create_dir_perms;
|
|
|
|
allow system_server system_data_file:notdevfile_class_set create_file_perms;
|
Relabel /data/system/packages.list to new type.
Conservatively grant access to packages_list_file to everything that had
access to system_data_file:file even if the comment in the SELinux
policy suggests it was for another use.
Ran a diff on the resulting SEPolicy, the only difference of domains
being granted is those that had system_data_file:dir permissions which
is clearly not applicable for packages.list
diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new)
--- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000
+++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000
@@ -3 +2,0 @@
-allow appdomain packages_list_file:dir getattr;
@@ -6 +4,0 @@
-allow coredomain packages_list_file:dir getattr;
@@ -8 +5,0 @@
-allow domain packages_list_file:dir search;
@@ -35 +31,0 @@
-allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name };
@@ -40 +35,0 @@
-allow tee packages_list_file:dir { search read lock getattr ioctl open };
@@ -43,3 +37,0 @@
-allow traced_probes packages_list_file:dir { read getattr open search };
-allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name };
-allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name };
@@ -48 +39,0 @@
-allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name };
@@ -50 +40,0 @@
-allow zygote packages_list_file:dir { search read lock getattr ioctl open };
Bug: 123186697
Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
allow system_server packages_list_file:file create_file_perms;
allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
# Read the user parent directories like /data/user. Don't allow write access,
# as vold is responsible for creating and deleting the subdirectories.
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
allow system_server system_userdir_file:dir r_dir_perms;
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;
# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;
# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;
# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
userdebug_or_eng(`
allow system_server su:fifo_file append;
')
# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Allow system_server to exec the perfetto cmdline client and pass it a trace config
domain_auto_trans(system_server, perfetto_exec, perfetto);
allow system_server perfetto:fifo_file { read write };
# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
allow system_server perfetto_traces_data_file:dir search;
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;
# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;
# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;
# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;
# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;
# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;
# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;
# Manage /data/tombstones.
allow system_server tombstone_data_file:dir rw_dir_perms;
allow system_server tombstone_data_file:file create_file_perms;
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;
# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;
# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
# Manage /data/rollback.
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# Note: 'unlabeled' is not only the legacy-upgrade case described above; it is
# also the label any file falls back to when its stored context is not valid
# in the loaded policy, so this read grant is wider than the comment suggests.
# Read-only, so the exposure is disclosure rather than tampering.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;
# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC.
# Deliberately no 'open' in this set: the rule only covers descriptors that
# system_server already holds (the binder hand-off described above), not
# opening arbitrary app data files by path. Keep it that way when extending.
allow system_server app_data_file_type:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
# As with app data files, no 'open' here: only descriptors received over
# binder can be used, and the directory rule above is what allows the
# disk-usage walk.
allow system_server media_rw_data_file:file { getattr read write append };
Relabel /data/system/packages.list to new type.
Conservatively grant access to packages_list_file to everything that had
access to system_data_file:file even if the comment in the SELinux
policy suggests it was for another use.
Ran a diff on the resulting SEPolicy; the only difference in the domains
being granted is those that had system_data_file:dir permissions, which
are clearly not applicable to packages.list
diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new)
--- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000
+++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000
@@ -3 +2,0 @@
-allow appdomain packages_list_file:dir getattr;
@@ -6 +4,0 @@
-allow coredomain packages_list_file:dir getattr;
@@ -8 +5,0 @@
-allow domain packages_list_file:dir search;
@@ -35 +31,0 @@
-allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name };
@@ -40 +35,0 @@
-allow tee packages_list_file:dir { search read lock getattr ioctl open };
@@ -43,3 +37,0 @@
-allow traced_probes packages_list_file:dir { read getattr open search };
-allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name };
-allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name };
@@ -48 +39,0 @@
-allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name };
@@ -50 +40,0 @@
-allow zygote packages_list_file:dir { search read lock getattr ioctl open };
Bug: 123186697
Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
# setfscreate only lets the process choose the label of files it creates; the
# chosen label must still be permitted by a create rule on that type (e.g. the
# packages_list_file:file rule above). Because this applies to every file the
# process creates, new labels should be granted explicitly rather than by
# widening this rule.
allow system_server system_server:process setfscreate;
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };
# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;
# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;
# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;
# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
# Same rule as the one granted under "ShortcutManager icons" above. SELinux
# unions allow rules, so the duplicate is harmless, but the two could be
# merged so the relabelfrom grant has a single, documented justification.
allow system_server system_data_file:dir relabelfrom;
# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;
# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
set_prop(system_server, bluetooth_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
set_prop(system_server, locale_prop)
set_prop(system_server, timezone_metadata_prop)
set_prop(system_server, timezone_prop)
set_prop(system_server, crashrecovery_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
set_prop(system_server, device_config_core_experiments_team_internal_prop)
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_camera_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_aconfig_flags_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
# staged flag properties
set_prop(system_server, next_boot_prop)
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
# Read device's serial number from system properties
get_prop(system_server, serialno_prop)
# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)
# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)
# StorageManager service reads media config while checking if transcoding is supported.
get_prop(system_server, media_config_prop)
# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)
# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)
# Read gsid.image_running.
get_prop(system_server, gsid_prop)
# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)
# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)
# Read wifi.interface
get_prop(system_server, wifi_prop)
# Read the vendor property that indicates if Incremental features is enabled
get_prop(system_server, incremental_prop)
# Read ro.zram. properties
get_prop(system_server, zram_config_prop)
# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)
# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)
# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)
# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)
# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)
# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)
# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)
# Read persist.sysui.notification.ranking_update_ashmem property
get_prop(system_server, persist_sysui_ranking_update_prop)
# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
# Write tuner.server.enable
set_prop(system_server, tuner_server_ctl_prop)
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)
# Allow the sensor service (running in the system service) to read sensor
# configuration properties
get_prop(system_server, sensors_config_prop)
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;
# ART locks profile files.
allow system_server system_file:file lock;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
# Intentionally no create/bind/connect/listen/accept: per the comment above,
# system_server only operates on TCP/UDP sockets an app already owns, and this
# set lets it read, write, adjust options on or shut down such a socket. Any
# addition beyond that would let system_server originate app-labelled traffic.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
|
|
|
|
allow system_server cache_private_backup_file:dir create_dir_perms;
|
|
|
|
allow system_server cache_private_backup_file:file create_file_perms;
|
|
|
|
|
|
|
|
# Allow system to talk to usb device
|
|
|
|
allow system_server usb_device:chr_file rw_file_perms;
|
|
|
|
allow system_server usb_device:dir r_dir_perms;
|
|
|
|
|
|
|
|
# Read and delete files under /dev/fscklogs.
|
|
|
|
r_dir_file(system_server, fscklogs)
|
2022-05-03 02:08:54 +02:00
|
|
|
allow system_server fscklogs:dir { write remove_name add_name };
|
|
|
|
allow system_server fscklogs:file rename;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# logd access, system_server inherit logd write socket
|
|
|
|
# (urge is to deprecate this long term)
|
|
|
|
allow system_server zygote:unix_dgram_socket write;
|
|
|
|
|
|
|
|
# Read from log daemon.
|
|
|
|
read_logd(system_server)
|
|
|
|
read_runtime_log_tags(system_server)
|
|
|
|
|
|
|
|
# Be consistent with DAC permissions. Allow system_server to write to
|
|
|
|
# /sys/module/lowmemorykiller/parameters/adj
|
|
|
|
# /sys/module/lowmemorykiller/parameters/minfree
|
|
|
|
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
|
|
|
|
|
|
|
|
# Read /sys/fs/pstore/console-ramoops
|
|
|
|
# Don't worry about overly broad permissions for now, as there's
|
|
|
|
# only one file in /sys/fs/pstore
|
|
|
|
allow system_server pstorefs:dir r_dir_perms;
|
|
|
|
allow system_server pstorefs:file r_file_perms;
|
|
|
|
|
|
|
|
# /sys access
|
|
|
|
allow system_server sysfs_zram:dir search;
|
2019-01-09 20:24:26 +01:00
|
|
|
allow system_server sysfs_zram:file rw_file_perms;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
2023-10-31 01:24:35 +01:00
|
|
|
# Read /sys/fs/selinux/policy
|
|
|
|
allow system_server kernel:security read_policy;
|
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
add_service(system_server, system_server_service);
|
2022-05-26 01:14:01 +02:00
|
|
|
allow system_server artd_service:service_manager find;
|
2023-10-18 18:03:20 +02:00
|
|
|
allow system_server artd_pre_reboot_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server audioserver_service:service_manager find;
|
2020-12-17 02:36:21 +01:00
|
|
|
allow system_server authorization_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server batteryproperties_service:service_manager find;
|
|
|
|
allow system_server cameraserver_service:service_manager find;
|
2021-10-19 17:50:24 +02:00
|
|
|
allow system_server compos_service:service_manager find;
|
2019-12-10 22:27:08 +01:00
|
|
|
allow system_server dataloader_manager_service:service_manager find;
|
2023-10-18 18:03:20 +02:00
|
|
|
allow system_server dexopt_chroot_setup_service:service_manager find;
|
2019-02-25 13:12:15 +01:00
|
|
|
allow system_server dnsresolver_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server drmserver_service:service_manager find;
|
|
|
|
allow system_server dumpstate_service:service_manager find;
|
|
|
|
allow system_server fingerprintd_service:service_manager find;
|
|
|
|
allow system_server gatekeeper_service:service_manager find;
|
2018-11-01 21:47:51 +01:00
|
|
|
allow system_server gpu_service:service_manager find;
|
2019-01-13 12:13:19 +01:00
|
|
|
allow system_server gsi_service:service_manager find;
|
2018-06-15 08:08:19 +02:00
|
|
|
allow system_server idmap_service:service_manager find;
|
2016-11-21 08:23:04 +01:00
|
|
|
allow system_server incident_service:service_manager find;
|
2019-12-16 20:19:12 +01:00
|
|
|
allow system_server incremental_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server installd_service:service_manager find;
|
2021-03-08 18:19:38 +01:00
|
|
|
allow system_server keystore_maintenance_service:service_manager find;
|
2021-06-10 17:05:49 +02:00
|
|
|
allow system_server keystore_metrics_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server keystore_service:service_manager find;
|
2021-12-09 04:49:23 +01:00
|
|
|
allow system_server mdns_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server mediaserver_service:service_manager find;
|
|
|
|
allow system_server mediametrics_service:service_manager find;
|
|
|
|
allow system_server mediaextractor_service:service_manager find;
|
|
|
|
allow system_server mediadrmserver_service:service_manager find;
|
2020-09-12 02:50:45 +02:00
|
|
|
allow system_server mediatuner_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server netd_service:service_manager find;
|
|
|
|
allow system_server nfc_service:service_manager find;
|
2022-10-28 09:56:02 +02:00
|
|
|
allow system_server ot_daemon_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server radio_service:service_manager find;
|
2017-12-19 00:14:33 +01:00
|
|
|
allow system_server stats_service:service_manager find;
|
2017-10-17 01:39:13 +02:00
|
|
|
allow system_server storaged_service:service_manager find;
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server surfaceflinger_service:service_manager find;
|
2018-11-21 19:10:54 +01:00
|
|
|
allow system_server update_engine_service:service_manager find;
|
2022-11-04 13:51:18 +01:00
|
|
|
allow system_server virtual_camera_service:service_manager find;
|
2024-02-20 12:06:37 +01:00
|
|
|
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
|
|
|
|
allow system_server virtualization_maintenance_service:service_manager find;
|
|
|
|
')
|
2017-09-06 19:17:32 +02:00
|
|
|
allow system_server vold_service:service_manager find;
|
2020-05-07 12:14:36 +02:00
|
|
|
allow system_server wifinl80211_service:service_manager find;
|
2022-01-12 00:16:12 +01:00
|
|
|
allow system_server logd_service:service_manager find;
|
2020-06-18 06:43:23 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
allow system_server profcollectd_service:service_manager find;
|
|
|
|
')
|
2017-02-07 00:39:36 +01:00
|
|
|
|
2017-10-18 03:30:06 +02:00
|
|
|
add_service(system_server, batteryproperties_service)
|
|
|
|
|
2020-07-27 21:53:20 +02:00
|
|
|
allow system_server keystore:keystore2 {
|
|
|
|
add_auth
|
2021-01-27 02:01:45 +01:00
|
|
|
change_password
|
|
|
|
change_user
|
2020-07-27 21:53:20 +02:00
|
|
|
clear_ns
|
2021-01-27 02:01:45 +01:00
|
|
|
clear_uid
|
2023-10-03 23:24:20 +02:00
|
|
|
get_last_auth_time
|
2020-07-27 21:53:20 +02:00
|
|
|
lock
|
2021-06-10 17:05:49 +02:00
|
|
|
pull_metrics
|
2020-07-27 21:53:20 +02:00
|
|
|
reset
|
|
|
|
unlock
|
|
|
|
};
|
|
|
|
|
|
|
|
allow system_server keystore:keystore2_key {
|
|
|
|
delete
|
|
|
|
use_dev_id
|
|
|
|
grant
|
|
|
|
get_info
|
|
|
|
rebind
|
|
|
|
update
|
|
|
|
use
|
|
|
|
};
|
|
|
|
|
2021-02-09 21:31:01 +01:00
|
|
|
# Allow Wifi module to manage Wi-Fi keys.
|
|
|
|
allow system_server wifi_key:keystore2_key {
|
|
|
|
delete
|
|
|
|
get_info
|
|
|
|
rebind
|
|
|
|
update
|
|
|
|
use
|
|
|
|
};
|
|
|
|
|
2020-12-16 01:57:26 +01:00
|
|
|
# Allow lock_settings service to manage RoR keys.
|
|
|
|
allow system_server resume_on_reboot_key:keystore2_key {
|
|
|
|
delete
|
|
|
|
get_info
|
2021-02-09 21:31:01 +01:00
|
|
|
rebind
|
|
|
|
update
|
|
|
|
use
|
|
|
|
};
|
|
|
|
|
2021-04-15 01:03:13 +02:00
|
|
|
# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
|
|
|
|
allow system_server locksettings_key:keystore2_key {
|
|
|
|
delete
|
|
|
|
get_info
|
|
|
|
rebind
|
|
|
|
update
|
|
|
|
use
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
# Allow system server to search and write to the persistent factory reset
|
|
|
|
# protection partition. This block device does not get wiped in a factory reset.
|
|
|
|
allow system_server block_device:dir search;
|
|
|
|
allow system_server frp_block_device:blk_file rw_file_perms;
|
2018-11-21 02:57:04 +01:00
|
|
|
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
2021-02-12 22:25:59 +01:00
|
|
|
# Create new process groups and clean up old cgroups
|
2023-06-26 08:52:01 +02:00
|
|
|
allow system_server cgroup:dir create_dir_perms;
|
2023-08-02 06:03:52 +02:00
|
|
|
allow system_server cgroup:file setattr;
|
2021-02-12 22:25:59 +01:00
|
|
|
allow system_server cgroup_v2:dir create_dir_perms;
|
|
|
|
allow system_server cgroup_v2:file { r_file_perms setattr };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# /oem access
|
|
|
|
r_dir_file(system_server, oemfs)
|
|
|
|
|
|
|
|
# Allow resolving per-user storage symlinks
|
|
|
|
allow system_server { mnt_user_file storage_file }:dir { getattr search };
|
|
|
|
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
|
|
|
|
|
|
|
|
# Allow statfs() on storage devices, which happens fast enough that
|
|
|
|
# we shouldn't be killed during unsafe removal
|
2021-06-23 10:21:49 +02:00
|
|
|
allow system_server { sdcard_type fuse }:dir { getattr search };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# Traverse into expanded storage
|
|
|
|
allow system_server mnt_expand_file:dir r_dir_perms;
|
|
|
|
|
|
|
|
# Allow system process to relabel the fingerprint directory after mkdir
|
|
|
|
# and delete the directory and files when no longer needed
|
|
|
|
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
|
|
|
|
allow system_server fingerprintd_data_file:file { getattr unlink };
|
|
|
|
|
|
|
|
userdebug_or_eng(`
|
|
|
|
# Allow system server to create and write method traces in /data/misc/trace.
|
|
|
|
allow system_server method_trace_data_file:dir w_dir_perms;
|
|
|
|
allow system_server method_trace_data_file:file { create w_file_perms };
|
|
|
|
|
|
|
|
# Allow system server to read dmesg
|
|
|
|
allow system_server kernel:system syslog_read;
|
2017-11-17 17:23:32 +01:00
|
|
|
|
2017-11-21 00:21:56 +01:00
|
|
|
# Allow writing and removing window traces in /data/misc/wmtrace.
|
2017-11-17 17:23:32 +01:00
|
|
|
allow system_server wm_trace_data_file:dir rw_dir_perms;
|
2017-11-21 00:21:56 +01:00
|
|
|
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
|
2021-02-09 21:03:40 +01:00
|
|
|
|
|
|
|
# Allow writing and removing accessibility traces in /data/misc/a11ytrace.
|
|
|
|
allow system_server accessibility_trace_data_file:dir rw_dir_perms;
|
|
|
|
allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
|
2017-02-07 00:39:36 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
# For AppFuse.
|
|
|
|
allow system_server vold:fd use;
|
|
|
|
allow system_server fuse_device:chr_file { read write ioctl getattr };
|
2018-10-30 18:29:22 +01:00
|
|
|
allow system_server app_fuse_file:file { read write getattr };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# For configuring sdcardfs
|
|
|
|
allow system_server configfs:dir { create_dir_perms };
|
2017-12-01 11:18:31 +01:00
|
|
|
allow system_server configfs:file { getattr open create unlink write };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# Connect to adbd and use a socket transferred from it.
|
|
|
|
# Used for e.g. jdwp.
|
|
|
|
allow system_server adbd:unix_stream_socket connectto;
|
|
|
|
allow system_server adbd:fd use;
|
|
|
|
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
|
|
|
|
|
2020-02-12 19:18:10 +01:00
|
|
|
# Read service.adb.tls.port, persist.adb.wifi. properties
|
|
|
|
get_prop(system_server, adbd_prop)
|
|
|
|
|
|
|
|
# Set persist.adb.tls_server.enable property
|
|
|
|
set_prop(system_server, system_adbd_prop)
|
2020-01-15 17:46:17 +01:00
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
# Allow invoking tools like "timeout"
|
|
|
|
allow system_server toolbox_exec:file rx_file_perms;
|
|
|
|
|
2022-08-31 21:07:53 +02:00
|
|
|
# Allow system process to setup fs-verity
|
2023-09-13 21:09:09 +02:00
|
|
|
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
|
2019-01-04 22:06:20 +01:00
|
|
|
|
2023-04-27 17:34:00 +02:00
|
|
|
# Allow system process to measure fs-verity for apps, including those being installed
|
|
|
|
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
|
2023-04-20 01:51:10 +02:00
|
|
|
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
|
2022-05-05 01:30:21 +02:00
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
# Postinstall
|
|
|
|
#
|
|
|
|
# For OTA dexopt, allow calls coming from postinstall.
|
|
|
|
binder_call(system_server, postinstall)
|
|
|
|
|
|
|
|
allow system_server postinstall:fifo_file write;
|
|
|
|
allow system_server update_engine:fd use;
|
|
|
|
allow system_server update_engine:fifo_file write;
|
|
|
|
|
|
|
|
# Access to /data/preloads
|
|
|
|
allow system_server preloads_data_file:file { r_file_perms unlink };
|
|
|
|
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
2017-03-14 19:42:03 +01:00
|
|
|
allow system_server preloads_media_file:file { r_file_perms unlink };
|
|
|
|
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
r_dir_file(system_server, cgroup)
|
2021-02-12 00:18:11 +01:00
|
|
|
r_dir_file(system_server, cgroup_v2)
|
2017-02-07 00:39:36 +01:00
|
|
|
allow system_server ion_device:chr_file r_file_perms;
|
|
|
|
|
2020-09-11 23:00:59 +02:00
|
|
|
# Access to /dev/dma_heap/system
|
|
|
|
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
|
2021-01-12 21:05:20 +01:00
|
|
|
# Access to /dev/dma_heap/system-secure
|
|
|
|
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
|
2020-09-11 23:00:59 +02:00
|
|
|
|
2017-10-06 19:20:53 +02:00
|
|
|
r_dir_file(system_server, proc_asound)
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
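# /proc/net access is attribute-based (proc_net_type) so that new /proc/net
# labels do not silently remove access from privileged processes.
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)

# Read-only access to assorted /proc files used for system health, memory
# and per-uid accounting.
allow system_server {
    proc_cmdline
    proc_loadavg
    proc_locks
    proc_meminfo
    proc_pagetypeinfo
    proc_pipe_conf
    proc_stat
    proc_uid_cputime_showstat
    proc_uid_io_stats
    proc_uid_time_in_state
    proc_uid_concurrent_active_time
    proc_uid_concurrent_policy_time
    proc_version
    proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;

# Allow system_server to exec shell, asanwrapper & zygote (app_process) on ASAN builds.
# Needed to run asanwrapper. These are matched by the with_asan() exemptions in
# the execute_no_trans neverallow further down.
with_asan(`
    allow system_server shell_exec:file rx_file_perms;
    allow system_server asanwrapper_exec:file rx_file_perms;
    allow system_server zygote_exec:file rx_file_perms;
')

# Allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after a snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting.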
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accessible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
|
2023-03-28 03:14:40 +02:00
|
|
|
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
|
2020-01-15 00:45:55 +01:00
|
|
|
allow system_server bpfloader:bpf { map_read map_write prog_run };
|
2022-01-28 08:04:09 +01:00
|
|
|
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
|
|
|
allow system_server self:key_socket create;
|
2023-11-08 09:28:00 +01:00
|
|
|
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
|
|
|
|
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
|
|
|
|
dontaudit system_server self:key_socket getopt;
|
2017-11-21 19:53:01 +01:00
|
|
|
|
2022-01-15 07:57:50 +01:00
|
|
|
# Allow system_server to start clatd in its own domain and kill it.
|
|
|
|
domain_auto_trans(system_server, clatd_exec, clatd)
|
2023-04-05 09:46:41 +02:00
|
|
|
allow system_server clatd:process { sigkill signal };
|
2022-01-15 07:57:50 +01:00
|
|
|
|
2017-11-22 09:09:25 +01:00
|
|
|
# ART Profiles.
|
|
|
|
# Allow system_server to open profile snapshots for read.
|
|
|
|
# System server never reads the actual content. It passes the descriptor to
|
|
|
|
# to privileged apps which acquire the permissions to inspect the profiles.
|
2020-12-04 15:07:52 +01:00
|
|
|
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
|
2017-11-30 03:35:04 +01:00
|
|
|
allow system_server user_profile_data_file:file { getattr open read };
|
2017-11-22 09:09:25 +01:00
|
|
|
|
2018-05-05 02:44:33 +02:00
|
|
|
# System server may dump profile data for debuggable apps in the /data/misc/profman.
|
|
|
|
# As such it needs to be able create files but it should never read from them.
|
2022-12-13 18:50:02 +01:00
|
|
|
# It also needs to stat the directory to check if it has the right permissions.
|
2018-05-05 02:44:33 +02:00
|
|
|
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
|
2022-12-13 18:50:02 +01:00
|
|
|
allow system_server profman_dump_data_file:dir rw_dir_perms;
|
2018-05-05 02:44:33 +02:00
|
|
|
|
2018-05-04 05:14:51 +02:00
|
|
|
# On userdebug build we may profile system server. Allow it to write and create its own profile.
|
|
|
|
userdebug_or_eng(`
|
2023-05-12 10:57:20 +02:00
|
|
|
allow system_server user_profile_data_file:dir w_dir_perms;
|
2018-05-04 05:14:51 +02:00
|
|
|
allow system_server user_profile_data_file:file create_file_perms;
|
|
|
|
')
|
2019-11-25 23:03:59 +01:00
|
|
|
# Allow system server to load JVMTI agents under control of a property.
|
|
|
|
get_prop(system_server,system_jvmti_agent_prop)
|
2018-05-04 05:14:51 +02:00
|
|
|
|
2017-12-07 01:13:59 +01:00
|
|
|
# UsbDeviceManager uses /dev/usb-ffs
|
|
|
|
allow system_server functionfs:dir search;
|
|
|
|
allow system_server functionfs:file rw_file_perms;
|
|
|
|
|
2018-06-25 16:36:51 +02:00
|
|
|
# system_server contains time / time zone detection logic so reads the associated properties.
|
|
|
|
get_prop(system_server, time_prop)
|
|
|
|
|
2019-11-02 01:37:06 +01:00
|
|
|
# system_server reads this property to know it should expect the lmkd sends notification to it
|
|
|
|
# on low memory kills.
|
|
|
|
get_prop(system_server, system_lmk_prop)
|
|
|
|
|
2020-07-20 13:26:07 +02:00
|
|
|
get_prop(system_server, wifi_config_prop)
|
|
|
|
|
2020-09-12 00:41:31 +02:00
|
|
|
# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
|
|
|
|
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
|
2020-09-03 21:07:33 +02:00
|
|
|
|
2020-05-25 10:33:17 +02:00
|
|
|
# Watchdog prints debugging log to /dev/kmsg_debug.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow system_server kmsg_debug_device:chr_file { open append getattr };
|
|
|
|
')
|
|
|
|
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
|
|
|
|
get_prop(system_server, framework_watchdog_config_prop)
|
|
|
|
|
2021-01-21 22:08:31 +01:00
|
|
|
|
|
|
|
# Font files are written by system server
|
|
|
|
allow system_server font_data_file:file create_file_perms;
|
|
|
|
allow system_server font_data_file:dir create_dir_perms;
|
2022-11-01 08:11:16 +01:00
|
|
|
# Allow system process to setup and measure fs-verity for font files
|
|
|
|
allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
|
2021-01-21 22:08:31 +01:00
|
|
|
|
2021-06-09 11:31:41 +02:00
|
|
|
# Read qemu.hw.mainkeys property
|
|
|
|
get_prop(system_server, qemu_hw_prop)
|
|
|
|
|
|
|
|
# Allow system server to read profcollectd reports for upload.
|
|
|
|
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
|
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
### system_server should NEVER do any of this
|
|
|
|
|
|
|
|
# Do not allow opening files from external storage as unsafe ejection
|
|
|
|
# could cause the kernel to kill the system_server.
|
2021-06-23 10:21:49 +02:00
|
|
|
neverallow system_server { sdcard_type fuse }:dir { open read write };
|
|
|
|
neverallow system_server { sdcard_type fuse }:file rw_file_perms;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# system server should never be operating on zygote spawned app data
|
|
|
|
# files directly. Rather, they should always be passed via a
|
|
|
|
# file descriptor.
|
2020-10-27 18:35:33 +01:00
|
|
|
# Exclude those types that system_server needs to open directly.
|
2018-08-03 00:54:23 +02:00
|
|
|
neverallow system_server {
|
2020-10-27 18:35:33 +01:00
|
|
|
app_data_file_type
|
|
|
|
-system_app_data_file
|
|
|
|
-radio_data_file
|
2018-08-03 00:54:23 +02:00
|
|
|
}:file { open create unlink link };
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# Forking and execing is inherently dangerous and racy. See, for
|
|
|
|
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
|
|
|
|
# Prevent the addition of new file execs to stop the problem from
|
|
|
|
# getting worse. b/28035297
|
2017-03-13 20:22:15 +01:00
|
|
|
neverallow system_server {
|
|
|
|
file_type
|
|
|
|
-toolbox_exec
|
|
|
|
-logcat_exec
|
2017-04-04 00:23:16 +02:00
|
|
|
with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
|
2017-03-13 20:22:15 +01:00
|
|
|
}:file execute_no_trans;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# Ensure that system_server doesn't perform any domain transitions other than
|
2022-01-15 07:57:50 +01:00
|
|
|
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
|
2024-02-12 18:15:49 +01:00
|
|
|
neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
|
2017-02-07 00:39:36 +01:00
|
|
|
neverallow system_server *:process dyntransition;
|
|
|
|
|
2024-02-15 21:16:46 +01:00
|
|
|
# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
|
|
|
|
neverallow system_server perfetto_traces_data_file:dir ~search;
|
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
# Only allow crash_dump to connect to system_ndebug_socket.
|
|
|
|
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
|
|
|
|
|
2019-12-30 06:38:38 +01:00
|
|
|
# Only allow zygotes to connect to system_unsolzygote_socket.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
-zygote
|
|
|
|
-app_zygote
|
|
|
|
-webview_zygote
|
|
|
|
} system_unsolzygote_socket:sock_file { open write };
|
|
|
|
|
2018-11-16 01:27:18 +01:00
|
|
|
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-system_server
|
|
|
|
-flags_health_check
|
|
|
|
} {
|
2023-07-25 22:15:02 +02:00
|
|
|
device_config_core_experiments_team_internal_prop
|
2019-01-17 22:30:05 +01:00
|
|
|
device_config_activity_manager_native_boot_prop
|
2021-02-02 11:27:38 +01:00
|
|
|
device_config_connectivity_prop
|
2019-01-14 23:18:38 +01:00
|
|
|
device_config_input_native_boot_prop
|
2021-08-04 21:31:43 +02:00
|
|
|
device_config_lmkd_native_prop
|
2018-12-27 11:01:25 +01:00
|
|
|
device_config_netd_native_prop
|
2021-10-05 16:23:18 +02:00
|
|
|
device_config_nnapi_native_prop
|
2023-02-13 22:55:57 +01:00
|
|
|
device_config_edgetpu_native_prop
|
2019-02-01 22:43:11 +01:00
|
|
|
device_config_runtime_native_boot_prop
|
2019-01-29 18:57:11 +01:00
|
|
|
device_config_runtime_native_prop
|
2019-01-31 00:28:31 +01:00
|
|
|
device_config_media_native_prop
|
2022-04-06 23:31:26 +02:00
|
|
|
device_config_mglru_native_prop
|
2022-09-29 23:20:22 +02:00
|
|
|
device_config_remote_key_provisioning_native_prop
|
2019-09-23 16:14:47 +02:00
|
|
|
device_config_storage_native_boot_prop
|
2021-06-29 22:48:27 +02:00
|
|
|
device_config_surface_flinger_native_boot_prop
|
2019-04-05 17:41:30 +02:00
|
|
|
device_config_sys_traced_prop
|
2021-02-11 18:12:51 +01:00
|
|
|
device_config_swcodec_native_prop
|
2023-08-16 21:10:13 +02:00
|
|
|
device_config_aconfig_flags_prop
|
2020-01-16 19:52:34 +01:00
|
|
|
device_config_window_manager_native_boot_prop
|
2023-05-11 12:36:18 +02:00
|
|
|
device_config_tethering_u_or_later_native_prop
|
2023-09-29 19:28:28 +02:00
|
|
|
next_boot_prop
|
2018-11-16 01:27:18 +01:00
|
|
|
}:property_service set;
|
|
|
|
|
2022-08-09 23:57:02 +02:00
|
|
|
# Only allow system_server and init to set tuner_server_ctl_prop
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-system_server
|
|
|
|
-init
|
|
|
|
} tuner_server_ctl_prop:property_service set;
|
|
|
|
|
2017-02-07 00:39:36 +01:00
|
|
|
# system_server should never be executing dex2oat. This is either
|
|
|
|
# a bug (for example, bug 16317188), or represents an attempt by
|
|
|
|
# system server to dynamically load a dex file, something we do not
|
|
|
|
# want to allow.
|
|
|
|
neverallow system_server dex2oat_exec:file no_x_file_perms;
|
|
|
|
|
|
|
|
# system_server should never execute or load executable shared libraries
|
2018-09-13 00:41:54 +02:00
|
|
|
# in /data. Executable files in /data are a persistence vector.
|
|
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
2017-10-20 22:27:26 +02:00
|
|
|
neverallow system_server data_file_type:file no_x_file_perms;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
2021-11-22 22:16:12 +01:00
|
|
|
# The only block device system_server should be writing to is
|
2017-02-07 00:39:36 +01:00
|
|
|
# the frp_block_device. This helps avoid a system_server to root
|
|
|
|
# escalation by writing to raw block devices.
|
2021-11-22 22:16:12 +01:00
|
|
|
# The system_server may need to read from vd_device if it uses
|
|
|
|
# block apexes.
|
|
|
|
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
|
|
|
|
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
|
2017-02-07 00:39:36 +01:00
|
|
|
|
|
|
|
# system_server should never use JIT functionality
|
2018-09-13 00:41:54 +02:00
|
|
|
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
|
|
|
|
# in the section titled "A Short ROP Chain" for why.
|
2019-10-16 03:10:38 +02:00
|
|
|
# However, in emulator builds without OpenGL passthrough, we use software
|
|
|
|
# rendering via SwiftShader, which requires JIT support. These builds are
|
|
|
|
# never shipped to users.
|
|
|
|
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
|
|
|
|
`allow system_server self:process execmem;',
|
|
|
|
`neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;
# Allow system server to communicate with apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;
# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;
# Allow system server to communicate with system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
# Allow system server to communicate with system-suspend's wakelock interface
wakelock_use(system_server)
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;
# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
allow system_server apex_tethering_data_file:dir create_dir_perms;
allow system_server apex_tethering_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
apex_wifi_data_file
}:file create_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
allow system_server userspace_reboot_metadata_file:file create_file_perms;
# Allow system server rw access to files in the /metadata/staged-install directory
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
# Allow system server to read and remove files under /data/misc/odrefresh
allow system_server odrefresh_data_file:dir rw_dir_perms;
allow system_server odrefresh_data_file:file { r_file_perms unlink };
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;
# Allow system_server to set the sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
# JVMTI agent settings are only readable by the system server.
neverallow {
domain
-system_server
-dumpstate
-init
-vendor_init
} {
system_jvmti_agent_prop
}:file no_rw_file_perms;
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
# Only system_server/init should access /metadata/password_slots.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow {
domain
-init
-system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
# Only system_server/init should access /metadata/userspacereboot.
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
# Only system server should access /metadata/aconfig
# TODO: add storage daemon to neverallow exception when it is introduced
neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
# Allow system_server to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
binder_cache_system_server_prop:property_service set;
# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };
# Allow writing files under /data/system/shutdown-checkpoints/
allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_server
} wifi_config_prop:file no_rw_file_perms;
# Only allow system server to write uhid sysfs files
neverallow {
domain
-init
-system_server
-ueventd
-vendor_init
} sysfs_uhid:file no_w_file_perms;
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
# Allow reading /system/etc/font_fallback.xml
allow system_server system_font_fallback_file:file r_file_perms;
# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)
# Allow system server to read binderfs
allow system_server binderfs_logs:dir r_dir_perms;
allow system_server binderfs_logs_stats:file r_file_perms;
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)
# ThreadNetworkService reads Thread Network properties
get_prop(system_server, threadnetwork_config_prop)
# Do not allow any domain other than init and system server to set the property
neverallow {
domain
-init
-vendor_init
-dumpstate
-system_server
} threadnetwork_config_prop:file no_rw_file_perms;
# Allow system server to read pm.archiving.enabled prop
# TODO(azilio): Remove system property after archiving testing is completed.
get_prop(system_server, pm_archiving_enabled_prop)
# Do not allow any domain other than init or system server to get or set the property
neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;