tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/system_server.te
Nick Kralevich 623975fa5a Support forcing permissive domains to unconfined. 
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00

246 lines
8.6 KiB
Text
Raw Blame History

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain, mlstrustedsubject;
permissive_or_unconfined(system_server)
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
# Dalvik Compiler JIT Mapping.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;
# For art.
allow system_server dalvikcache_data_file:file execute;
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;
# Needed to close the zygote socket, which involves getopt / getattr
# This should be deleted after b/12061011 is fixed
allow system_server zygote:unix_stream_socket { getopt getattr };
# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
kill
net_admin
net_bind_service
net_broadcast
net_raw
sys_boot
sys_module
sys_nice
sys_resource
sys_time
sys_tty_config
};
allow system_server self:capability2 block_suspend;
# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;
# Trigger module auto-load.
allow system_server kernel:system module_request;
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket *;
# Kill apps.
allow system_server appdomain:process { sigkill signal };
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
# Read /proc data for apps.
allow system_server appdomain:dir r_dir_perms;
allow system_server appdomain:{ file lnk_file } rw_file_perms;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket *;
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create;
# Notify init of death.
allow system_server init:process sigchld;
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, qemud, qemud)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, keystore, keystore)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, healthd)
binder_service(system_server)
# Read /proc/pid files for Binder clients.
r_dir_file(system_server, appdomain)
r_dir_file(system_server, mediaserver)
allow system_server appdomain:process getattr;
allow system_server mediaserver:process getattr;
# Check SELinux permissions.
selinux_check_access(system_server)
# XXX Label sysfs files with a specific type?
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server graphics_device:dir search;
allow system_server graphics_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server urandom_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server qemu_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
# Manage data files.
allow system_server data_file_type:dir create_dir_perms;
allow system_server data_file_type:notdevfile_class_set create_file_perms;
# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)
# Relabel apk files.
relabelto_domain(system_server)
allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file rw_file_perms;
# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;
# Property Service write
allow system_server system_prop:property_service set;
allow system_server radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
# ctl interface
allow system_server ctl_default_prop:property_service set;
# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
allow system_server system_wpa_socket:sock_file create_file_perms;
# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;
# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Specify any arguments to zygote.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
allow system_server domain:dir r_dir_perms;
allow system_server domain:file r_file_perms;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets.
allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
# connect to vpn tunnel
allow system_server mtp:unix_stream_socket { connectto };
# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;
# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;
# Access to wake locks
allow system_server sysfs_wake_lock:file rw_file_perms;
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;
# For SELinuxPolicyInstallReceiver
selinux_manage_policy(system_server)
# For legacy unlabeled userdata on existing devices.
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
allow system_server unlabeled:file execute;
Reference in a new issue View git blame Copy permalink