# # System Server aka system_server spawned by zygote. # Most of the framework services run in this process. # type system_server, domain, mlstrustedsubject; permissive_or_unconfined(system_server) # Define a type for tmpfs-backed ashmem regions. tmpfs_domain(system_server) # Dalvik Compiler JIT Mapping. allow system_server self:process execmem; allow system_server ashmem_device:chr_file execute; allow system_server system_server_tmpfs:file execute; # For art. allow system_server dalvikcache_data_file:file execute; # Child of the zygote. allow system_server zygote:fd use; allow system_server zygote:process sigchld; allow system_server zygote_tmpfs:file read; # system server gets network and bluetooth permissions. net_domain(system_server) bluetooth_domain(system_server) # These are the capabilities assigned by the zygote to the # system server. allow system_server self:capability { kill net_admin net_bind_service net_broadcast net_raw sys_boot sys_module sys_nice sys_resource sys_time sys_tty_config }; allow system_server self:capability2 block_suspend; # Triggered by /proc/pid accesses, not allowed. dontaudit system_server self:capability sys_ptrace; # Trigger module auto-load. allow system_server kernel:system module_request; # Use netlink uevent sockets. allow system_server self:netlink_kobject_uevent_socket create_socket_perms; # Kill apps. allow system_server appdomain:process { sigkill signal }; # Set scheduling info for apps. allow system_server appdomain:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched }; # Read /proc data for apps. allow system_server appdomain:dir r_dir_perms; allow system_server appdomain:{ file lnk_file } rw_file_perms; # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. allow system_server qtaguid_proc:file rw_file_perms; allow system_server qtaguid_device:chr_file rw_file_perms; # Read /sys/kernel/debug/wakeup_sources. allow system_server debugfs:file r_file_perms; # WifiWatchdog uses a packet_socket allow system_server self:packet_socket create_socket_perms; # 3rd party VPN clients require a tun_socket to be created allow system_server self:tun_socket create_socket_perms; # Notify init of death. allow system_server init:process sigchld; # Talk to init and various daemons via sockets. unix_socket_connect(system_server, property, init) unix_socket_connect(system_server, qemud, qemud) unix_socket_connect(system_server, installd, installd) unix_socket_connect(system_server, lmkd, lmkd) unix_socket_connect(system_server, netd, netd) unix_socket_connect(system_server, vold, vold) unix_socket_connect(system_server, zygote, zygote) unix_socket_connect(system_server, keystore, keystore) unix_socket_connect(system_server, gps, gpsd) unix_socket_connect(system_server, racoon, racoon) unix_socket_send(system_server, wpa, wpa) # Communicate over a socket created by surfaceflinger. allow system_server surfaceflinger:unix_stream_socket { read write setopt }; # Perform Binder IPC. binder_use(system_server) binder_call(system_server, binderservicedomain) binder_call(system_server, appdomain) binder_call(system_server, healthd) binder_call(system_server, dumpstate) binder_service(system_server) # Read /proc/pid files for Binder clients. r_dir_file(system_server, appdomain) r_dir_file(system_server, mediaserver) allow system_server appdomain:process getattr; allow system_server mediaserver:process getattr; # Check SELinux permissions. selinux_check_access(system_server) # XXX Label sysfs files with a specific type? allow system_server sysfs:file rw_file_perms; allow system_server sysfs_nfc_power_writable:file rw_file_perms; # Access devices. allow system_server device:dir r_dir_perms; allow system_server mdns_socket:sock_file rw_file_perms; allow system_server alarm_device:chr_file rw_file_perms; allow system_server gpu_device:chr_file rw_file_perms; allow system_server graphics_device:dir search; allow system_server graphics_device:chr_file rw_file_perms; allow system_server iio_device:chr_file rw_file_perms; allow system_server input_device:dir r_dir_perms; allow system_server input_device:chr_file rw_file_perms; allow system_server tty_device:chr_file rw_file_perms; allow system_server urandom_device:chr_file rw_file_perms; allow system_server usbaccessory_device:chr_file rw_file_perms; allow system_server video_device:dir r_dir_perms; allow system_server video_device:chr_file rw_file_perms; allow system_server qemu_device:chr_file rw_file_perms; allow system_server adbd_socket:sock_file rw_file_perms; # tun device used for 3rd party vpn apps allow system_server tun_device:chr_file rw_file_perms; # Manage data files. allow system_server data_file_type:dir create_dir_perms; allow system_server data_file_type:notdevfile_class_set create_file_perms; # Read /file_contexts and /data/security/file_contexts security_access_policy(system_server) # Relabel apk files. relabelto_domain(system_server) allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto }; allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto }; # Relabel wallpaper. allow system_server system_data_file:file relabelfrom; allow system_server wallpaper_file:file relabelto; allow system_server wallpaper_file:file rw_file_perms; # Relabel /data/anr. allow system_server system_data_file:dir relabelfrom; allow system_server anr_data_file:dir relabelto; # Property Service write allow system_server system_prop:property_service set; allow system_server radio_prop:property_service set; allow system_server debug_prop:property_service set; allow system_server powerctl_prop:property_service set; # ctl interface allow system_server ctl_default_prop:property_service set; # Create a socket for receiving info from wpa. type_transition system_server wifi_data_file:sock_file system_wpa_socket; type_transition system_server wpa_socket:sock_file system_wpa_socket; allow system_server wpa_socket:dir rw_dir_perms; allow system_server system_wpa_socket:sock_file create_file_perms; # Remove sockets created by wpa_supplicant allow system_server wpa_socket:sock_file unlink; # Create a socket for connections from debuggerd. type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; allow system_server system_ndebug_socket:sock_file create_file_perms; # Specify any arguments to zygote. allow system_server self:zygote { specifyids specifyrlimits specifyseinfo }; # Manage cache files. allow system_server cache_file:dir { relabelfrom create_dir_perms }; allow system_server cache_file:file { relabelfrom create_file_perms }; # Run system programs, e.g. dexopt. allow system_server system_file:file x_file_perms; # Allow reading of /proc/pid data for other domains. # XXX dontaudit candidate allow system_server domain:dir r_dir_perms; allow system_server domain:file r_file_perms; # LocationManager(e.g, GPS) needs to read and write # to uart driver and ctrl proc entry allow system_server gps_device:chr_file rw_file_perms; allow system_server gps_control:file rw_file_perms; # Allow system_server to use app-created sockets. allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write }; # Allow abstract socket connection allow system_server rild:unix_stream_socket connectto; # connect to vpn tunnel allow system_server mtp:unix_stream_socket { connectto }; # BackupManagerService lets PMS create a data backup file allow system_server cache_backup_file:file create_file_perms; # Relabel /data/backup allow system_server backup_data_file:dir { relabelto relabelfrom }; # Relabel /cache/.*\.{data|restore} allow system_server cache_backup_file:file { relabelto relabelfrom }; # LocalTransport creates and relabels /cache/backup allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms }; # Allow system to talk to usb device allow system_server usb_device:chr_file rw_file_perms; allow system_server usb_device:dir r_dir_perms; # Allow system to talk to sensors allow system_server sensors_device:chr_file rw_file_perms; # Read from HW RNG (needed by EntropyMixer). allow system_server hw_random_device:chr_file r_file_perms; # Access to wake locks allow system_server sysfs_wake_lock:file rw_file_perms; # Read and delete files under /dev/fscklogs. r_dir_file(system_server, fscklogs) allow system_server fscklogs:dir { write remove_name }; allow system_server fscklogs:file unlink; # For SELinuxPolicyInstallReceiver selinux_manage_policy(system_server) # For legacy unlabeled userdata on existing devices. # See discussion of Unlabeled files in domain.te for more information. # This rule is for dalvikcache mmap/mprotect PROT_EXEC. allow system_server unlabeled:file execute; # logd access, system_server inherit logd write socket # (urge is to deprecate this long term) allow system_server zygote:unix_dgram_socket write; # Be consistent with DAC permissions. Allow system_server to write to # /sys/module/lowmemorykiller/parameters/adj # /sys/module/lowmemorykiller/parameters/minfree allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };