17369bef4a
As a follow-up to https://r.android.com/2078213, remove init's write access to directories with type system_userdir_file or media_userdir_file. This has been made possible by moving the creation of /data/user/0 and /data/media/obb to vold. Bug: 156305599 Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
1493 lines
57 KiB
Text
1493 lines
57 KiB
Text
#
|
|
# System Server aka system_server spawned by zygote.
|
|
# Most of the framework services run in this process.
|
|
#
|
|
|
|
typeattribute system_server coredomain;
|
|
typeattribute system_server mlstrustedsubject;
|
|
typeattribute system_server scheduler_service_server;
|
|
typeattribute system_server sensor_service_server;
|
|
typeattribute system_server stats_service_server;
|
|
typeattribute system_server bpfdomain;
|
|
|
|
# Define a type for tmpfs-backed ashmem regions.
|
|
tmpfs_domain(system_server)
|
|
|
|
userfaultfd_use(system_server)
|
|
|
|
# TODO(b/217368496): remove this.
|
|
perfetto_producer(system_server)
|
|
can_profile_heap(system_server)
|
|
can_profile_perf(system_server)
|
|
|
|
# Create a socket for connections from crash_dump.
|
|
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
|
|
|
|
# Create a socket for connections from zygotes.
|
|
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
|
|
|
|
allow system_server zygote_tmpfs:file { map read };
|
|
allow system_server appdomain_tmpfs:file { getattr map read write };
|
|
|
|
# For Incremental Service to check if incfs is available
|
|
allow system_server proc_filesystems:file r_file_perms;
|
|
|
|
# To create files, get permission to fill blocks, and configure Incremental File System
|
|
allow system_server incremental_control_file:file { ioctl r_file_perms };
|
|
allowxperm system_server incremental_control_file:file ioctl {
|
|
INCFS_IOCTL_CREATE_FILE
|
|
INCFS_IOCTL_CREATE_MAPPED_FILE
|
|
INCFS_IOCTL_PERMIT_FILL
|
|
INCFS_IOCTL_GET_READ_TIMEOUTS
|
|
INCFS_IOCTL_SET_READ_TIMEOUTS
|
|
INCFS_IOCTL_GET_LAST_READ_ERROR
|
|
};
|
|
|
|
# To get signature of an APK installed on Incremental File System, and fill in data
|
|
# blocks and get the filesystem state
|
|
allowxperm system_server apk_data_file:file ioctl {
|
|
INCFS_IOCTL_READ_SIGNATURE
|
|
INCFS_IOCTL_FILL_BLOCKS
|
|
INCFS_IOCTL_GET_FILLED_BLOCKS
|
|
INCFS_IOCTL_GET_BLOCK_COUNT
|
|
F2FS_IOC_GET_FEATURES
|
|
F2FS_IOC_GET_COMPRESS_BLOCKS
|
|
F2FS_IOC_COMPRESS_FILE
|
|
F2FS_IOC_DECOMPRESS_FILE
|
|
F2FS_IOC_RELEASE_COMPRESS_BLOCKS
|
|
F2FS_IOC_RESERVE_COMPRESS_BLOCKS
|
|
FS_IOC_SETFLAGS
|
|
FS_IOC_GETFLAGS
|
|
};
|
|
|
|
allowxperm system_server apk_tmp_file:file ioctl {
|
|
F2FS_IOC_RELEASE_COMPRESS_BLOCKS
|
|
FS_IOC_GETFLAGS
|
|
};
|
|
|
|
# For Incremental Service to check incfs metrics
|
|
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
|
|
|
|
# For f2fs-compression support
|
|
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
|
|
allow system_server sysfs_fs_f2fs:file r_file_perms;
|
|
|
|
# For art.
|
|
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
|
|
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
|
|
|
|
# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
|
|
# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
|
|
# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
|
|
# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
|
|
dontaudit system_server apex_art_data_file:file execute;
|
|
|
|
# For release odex/vdex compress blocks
|
|
allowxperm system_server dalvikcache_data_file:file ioctl {
|
|
F2FS_IOC_RELEASE_COMPRESS_BLOCKS
|
|
FS_IOC_GETFLAGS
|
|
};
|
|
|
|
# When running system server under --invoke-with, we'll try to load the boot image under the
|
|
# system server domain, following links to the system partition.
|
|
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
|
|
|
|
# /data/resource-cache
|
|
allow system_server resourcecache_data_file:file r_file_perms;
|
|
allow system_server resourcecache_data_file:dir r_dir_perms;
|
|
|
|
# ptrace to processes in the same domain for debugging crashes.
|
|
allow system_server self:process ptrace;
|
|
|
|
# Child of the zygote.
|
|
allow system_server zygote:fd use;
|
|
allow system_server zygote:process sigchld;
|
|
|
|
# May kill zygote on crashes.
|
|
allow system_server {
|
|
app_zygote
|
|
crash_dump
|
|
webview_zygote
|
|
zygote
|
|
}:process { getpgid sigkill signull };
|
|
|
|
# Read /system/bin/app_process.
|
|
allow system_server zygote_exec:file r_file_perms;
|
|
|
|
# Needed to close the zygote socket, which involves getopt / getattr
|
|
allow system_server zygote:unix_stream_socket { getopt getattr };
|
|
|
|
# system server gets network and bluetooth permissions.
|
|
net_domain(system_server)
|
|
# in addition to ioctls allowlisted for all domains, also allow system_server
|
|
# to use privileged ioctls commands. Needed to set up VPNs.
|
|
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
|
|
bluetooth_domain(system_server)
|
|
|
|
# Allow setup of tcp keepalive offload. This gives system_server the permission to
|
|
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
|
|
# be granted individually, except for a small set of safe values allowlisted in
|
|
# public/domain.te.
|
|
allow system_server appdomain:tcp_socket ioctl;
|
|
|
|
# These are the capabilities assigned by the zygote to the
|
|
# system server.
|
|
allow system_server self:global_capability_class_set {
|
|
ipc_lock
|
|
kill
|
|
net_admin
|
|
net_bind_service
|
|
net_broadcast
|
|
net_raw
|
|
sys_boot
|
|
sys_nice
|
|
sys_ptrace
|
|
sys_time
|
|
sys_tty_config
|
|
};
|
|
|
|
# Trigger module auto-load.
|
|
allow system_server kernel:system module_request;
|
|
|
|
# Allow alarmtimers to be set
|
|
allow system_server self:global_capability2_class_set wake_alarm;
|
|
|
|
# Create and share netlink_netfilter_sockets for tetheroffload.
|
|
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
|
|
|
|
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
|
|
allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
|
|
|
|
# Use netlink uevent sockets.
|
|
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
|
|
# Use generic netlink sockets.
|
|
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
|
|
# libvintf reads the kernel config to verify vendor interface compatibility.
|
|
allow system_server config_gz:file { read open };
|
|
|
|
# Use generic "sockets" where the address family is not known
|
|
# to the kernel. The ioctl permission is specifically omitted here, but may
|
|
# be added to device specific policy along with the ioctl commands to be
|
|
# allowlisted.
|
|
allow system_server self:socket create_socket_perms_no_ioctl;
|
|
|
|
# Set and get routes directly via netlink.
|
|
allow system_server self:netlink_route_socket nlmsg_write;
|
|
|
|
# Kill apps.
|
|
allow system_server appdomain:process { getpgid sigkill signal };
|
|
# signull allowed for kill(pid, 0) existence test.
|
|
allow system_server appdomain:process { signull };
|
|
|
|
# Set scheduling info for apps.
|
|
allow system_server appdomain:process { getsched setsched };
|
|
allow system_server audioserver:process { getsched setsched };
|
|
allow system_server hal_audio:process { getsched setsched };
|
|
allow system_server hal_bluetooth:process { getsched setsched };
|
|
allow system_server hal_codec2_server:process { getsched setsched };
|
|
allow system_server hal_omx_server:process { getsched setsched };
|
|
allow system_server mediaswcodec:process { getsched setsched };
|
|
allow system_server cameraserver:process { getsched setsched };
|
|
allow system_server hal_camera:process { getsched setsched };
|
|
allow system_server mediaserver:process { getsched setsched };
|
|
allow system_server bootanim:process { getsched setsched };
|
|
|
|
# Set scheduling info for psi monitor thread.
|
|
# TODO: delete this line b/131761776
|
|
allow system_server kernel:process { getsched setsched };
|
|
|
|
# Allow system_server to write to /proc/<pid>/*
|
|
allow system_server domain:file w_file_perms;
|
|
|
|
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
|
|
# within system_server to keep track of memory and CPU usage for
|
|
# all processes on the device. In addition, /proc/pid files access is needed
|
|
# for dumping stack traces of native processes.
|
|
r_dir_file(system_server, domain)
|
|
|
|
# Write /proc/uid_cputime/remove_uid_range.
|
|
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
|
|
|
|
# Write /proc/uid_procstat/set.
|
|
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
|
|
|
|
# Write to /proc/sysrq-trigger.
|
|
allow system_server proc_sysrq:file rw_file_perms;
|
|
|
|
# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
|
|
allow system_server stats_data_file:dir { open read remove_name search write };
|
|
allow system_server stats_data_file:file unlink;
|
|
|
|
# Read metric file & upload to statsd
|
|
allow system_server odsign_data_file:dir search;
|
|
allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
|
|
allow system_server odsign_metrics_file:file { r_file_perms unlink };
|
|
|
|
# Read /sys/kernel/debug/wakeup_sources.
|
|
no_debugfs_restriction(`
|
|
allow system_server debugfs_wakeup_sources:file r_file_perms;
|
|
')
|
|
|
|
# Read /sys/kernel/ion/*.
|
|
allow system_server sysfs_ion:file r_file_perms;
|
|
|
|
# Read /sys/kernel/dma_heap/*.
|
|
allow system_server sysfs_dma_heap:file r_file_perms;
|
|
|
|
# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
|
|
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
|
|
allow system_server sysfs_dmabuf_stats:file r_file_perms;
|
|
|
|
# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
|
|
# for dumpsys meminfo
|
|
allow system_server dmabuf_heap_device:dir r_dir_perms;
|
|
|
|
# Allow reading /proc/vmstat for the oom kill count
|
|
allow system_server proc_vmstat:file r_file_perms;
|
|
|
|
# The DhcpClient and WifiWatchdog use packet_sockets
|
|
allow system_server self:packet_socket create_socket_perms_no_ioctl;
|
|
|
|
# 3rd party VPN clients require a tun_socket to be created
|
|
allow system_server self:tun_socket create_socket_perms_no_ioctl;
|
|
|
|
# Talk to init and various daemons via sockets.
|
|
unix_socket_connect(system_server, lmkd, lmkd)
|
|
unix_socket_connect(system_server, mtpd, mtp)
|
|
unix_socket_connect(system_server, zygote, zygote)
|
|
unix_socket_connect(system_server, racoon, racoon)
|
|
unix_socket_connect(system_server, uncrypt, uncrypt)
|
|
|
|
# Allow system_server to write to statsd.
|
|
unix_socket_send(system_server, statsdw, statsd)
|
|
|
|
# Communicate over a socket created by surfaceflinger.
|
|
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
|
|
|
|
allow system_server gpuservice:unix_stream_socket { read write setopt };
|
|
|
|
# Communicate over a socket created by webview_zygote.
|
|
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
|
|
|
|
# Communicate over a socket created by app_zygote.
|
|
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
|
|
|
|
# Perform Binder IPC.
|
|
binder_use(system_server)
|
|
binder_call(system_server, appdomain)
|
|
binder_call(system_server, binderservicedomain)
|
|
binder_call(system_server, composd)
|
|
binder_call(system_server, dumpstate)
|
|
binder_call(system_server, fingerprintd)
|
|
binder_call(system_server, gatekeeperd)
|
|
binder_call(system_server, gpuservice)
|
|
binder_call(system_server, idmap)
|
|
binder_call(system_server, installd)
|
|
binder_call(system_server, incidentd)
|
|
binder_call(system_server, iorapd)
|
|
binder_call(system_server, netd)
|
|
userdebug_or_eng(`binder_call(system_server, profcollectd)')
|
|
binder_call(system_server, statsd)
|
|
binder_call(system_server, storaged)
|
|
binder_call(system_server, update_engine)
|
|
binder_call(system_server, vold)
|
|
binder_call(system_server, logd)
|
|
binder_call(system_server, wificond)
|
|
binder_call(system_server, wpantund)
|
|
binder_service(system_server)
|
|
|
|
# Use HALs
|
|
hal_client_domain(system_server, hal_allocator)
|
|
hal_client_domain(system_server, hal_audio)
|
|
hal_client_domain(system_server, hal_authsecret)
|
|
hal_client_domain(system_server, hal_broadcastradio)
|
|
hal_client_domain(system_server, hal_codec2)
|
|
hal_client_domain(system_server, hal_configstore)
|
|
hal_client_domain(system_server, hal_contexthub)
|
|
hal_client_domain(system_server, hal_face)
|
|
hal_client_domain(system_server, hal_fingerprint)
|
|
hal_client_domain(system_server, hal_gnss)
|
|
hal_client_domain(system_server, hal_graphics_allocator)
|
|
hal_client_domain(system_server, hal_health)
|
|
hal_client_domain(system_server, hal_input_classifier)
|
|
hal_client_domain(system_server, hal_input_processor)
|
|
hal_client_domain(system_server, hal_ir)
|
|
hal_client_domain(system_server, hal_light)
|
|
hal_client_domain(system_server, hal_memtrack)
|
|
hal_client_domain(system_server, hal_neuralnetworks)
|
|
hal_client_domain(system_server, hal_oemlock)
|
|
hal_client_domain(system_server, hal_omx)
|
|
hal_client_domain(system_server, hal_power)
|
|
hal_client_domain(system_server, hal_power_stats)
|
|
hal_client_domain(system_server, hal_rebootescrow)
|
|
hal_client_domain(system_server, hal_sensors)
|
|
hal_client_domain(system_server, hal_tetheroffload)
|
|
hal_client_domain(system_server, hal_thermal)
|
|
hal_client_domain(system_server, hal_tv_cec)
|
|
hal_client_domain(system_server, hal_tv_input)
|
|
hal_client_domain(system_server, hal_usb)
|
|
hal_client_domain(system_server, hal_usb_gadget)
|
|
hal_client_domain(system_server, hal_uwb)
|
|
hal_client_domain(system_server, hal_vibrator)
|
|
hal_client_domain(system_server, hal_vr)
|
|
hal_client_domain(system_server, hal_weaver)
|
|
hal_client_domain(system_server, hal_wifi)
|
|
hal_client_domain(system_server, hal_wifi_hostapd)
|
|
hal_client_domain(system_server, hal_wifi_supplicant)
|
|
# The bootctl is a pass through HAL mode under recovery mode. So we skip the
|
|
# permission for recovery in order not to give system server the access to
|
|
# the low level block devices.
|
|
not_recovery(`hal_client_domain(system_server, hal_bootctl)')
|
|
|
|
# Talk with graphics composer fences
|
|
allow system_server hal_graphics_composer:fd use;
|
|
|
|
# Use RenderScript always-passthrough HAL
|
|
allow system_server hal_renderscript_hwservice:hwservice_manager find;
|
|
allow system_server same_process_hal_file:file { execute read open getattr map };
|
|
|
|
# Talk to tombstoned to get ANR traces.
|
|
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
|
|
|
|
# List HAL interfaces to get ANR traces.
|
|
allow system_server hwservicemanager:hwservice_manager list;
|
|
allow system_server servicemanager:service_manager list;
|
|
|
|
# Send signals to trigger ANR traces.
|
|
allow system_server {
|
|
# This is derived from the list that system server defines as interesting native processes
|
|
# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
|
|
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
|
|
audioserver
|
|
cameraserver
|
|
drmserver
|
|
gpuservice
|
|
inputflinger
|
|
keystore
|
|
mediadrmserver
|
|
mediaextractor
|
|
mediametrics
|
|
mediaserver
|
|
mediaswcodec
|
|
mediatranscoding
|
|
mediatuner
|
|
netd
|
|
sdcardd
|
|
statsd
|
|
surfaceflinger
|
|
vold
|
|
|
|
# This list comes from HAL_INTERFACES_OF_INTEREST in
|
|
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
|
|
hal_audio_server
|
|
hal_bluetooth_server
|
|
hal_camera_server
|
|
hal_codec2_server
|
|
hal_face_server
|
|
hal_fingerprint_server
|
|
hal_gnss_server
|
|
hal_graphics_allocator_server
|
|
hal_graphics_composer_server
|
|
hal_health_server
|
|
hal_light_server
|
|
hal_neuralnetworks_server
|
|
hal_omx_server
|
|
hal_power_server
|
|
hal_power_stats_server
|
|
hal_sensors_server
|
|
hal_vibrator_server
|
|
hal_vr_server
|
|
system_suspend_server
|
|
}:process { signal };
|
|
|
|
# Use sockets received over binder from various services.
|
|
allow system_server audioserver:tcp_socket rw_socket_perms;
|
|
allow system_server audioserver:udp_socket rw_socket_perms;
|
|
allow system_server mediaserver:tcp_socket rw_socket_perms;
|
|
allow system_server mediaserver:udp_socket rw_socket_perms;
|
|
|
|
# Use sockets received over binder from various services.
|
|
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
|
|
allow system_server mediadrmserver:udp_socket rw_socket_perms;
|
|
|
|
userdebug_or_eng(`perfetto_producer({ system_server })')
|
|
|
|
# Get file context
|
|
allow system_server file_contexts_file:file r_file_perms;
|
|
# access for mac_permissions
|
|
allow system_server mac_perms_file: file r_file_perms;
|
|
# Check SELinux permissions.
|
|
selinux_check_access(system_server)
|
|
|
|
allow system_server sysfs_type:dir r_dir_perms;
|
|
|
|
r_dir_file(system_server, sysfs_android_usb)
|
|
allow system_server sysfs_android_usb:file w_file_perms;
|
|
|
|
r_dir_file(system_server, sysfs_extcon)
|
|
|
|
r_dir_file(system_server, sysfs_ipv4)
|
|
allow system_server sysfs_ipv4:file w_file_perms;
|
|
|
|
r_dir_file(system_server, sysfs_rtc)
|
|
r_dir_file(system_server, sysfs_switch)
|
|
|
|
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
|
|
allow system_server sysfs_power:dir search;
|
|
allow system_server sysfs_power:file rw_file_perms;
|
|
allow system_server sysfs_thermal:dir search;
|
|
allow system_server sysfs_thermal:file r_file_perms;
|
|
allow system_server sysfs_uhid:dir r_dir_perms;
|
|
allow system_server sysfs_uhid:file rw_file_perms;
|
|
|
|
# TODO: Remove when HALs are forced into separate processes
|
|
allow system_server sysfs_vibrator:file { write append };
|
|
|
|
# TODO: added to match above sysfs rule. Remove me?
|
|
allow system_server sysfs_usb:file w_file_perms;
|
|
|
|
# Access devices.
|
|
allow system_server device:dir r_dir_perms;
|
|
allow system_server mdns_socket:sock_file rw_file_perms;
|
|
allow system_server gpu_device:chr_file rw_file_perms;
|
|
allow system_server gpu_device:dir r_dir_perms;
|
|
allow system_server sysfs_gpu:file r_file_perms;
|
|
allow system_server input_device:dir r_dir_perms;
|
|
allow system_server input_device:chr_file rw_file_perms;
|
|
allow system_server tty_device:chr_file rw_file_perms;
|
|
allow system_server usbaccessory_device:chr_file rw_file_perms;
|
|
allow system_server video_device:dir r_dir_perms;
|
|
allow system_server video_device:chr_file rw_file_perms;
|
|
allow system_server adbd_socket:sock_file rw_file_perms;
|
|
allow system_server rtc_device:chr_file rw_file_perms;
|
|
allow system_server audio_device:dir r_dir_perms;
|
|
allow system_server uhid_device:chr_file rw_file_perms;
|
|
|
|
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
|
|
allow system_server audio_device:chr_file rw_file_perms;
|
|
|
|
# tun device used for 3rd party vpn apps
|
|
allow system_server tun_device:chr_file rw_file_perms;
|
|
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
|
|
|
|
# Manage data/ota_package
|
|
allow system_server ota_package_file:dir rw_dir_perms;
|
|
allow system_server ota_package_file:file create_file_perms;
|
|
|
|
# Manage system data files.
|
|
allow system_server system_data_file:dir create_dir_perms;
|
|
allow system_server system_data_file:notdevfile_class_set create_file_perms;
|
|
allow system_server packages_list_file:file create_file_perms;
|
|
allow system_server game_mode_intervention_list_file:file create_file_perms;
|
|
allow system_server keychain_data_file:dir create_dir_perms;
|
|
allow system_server keychain_data_file:file create_file_perms;
|
|
allow system_server keychain_data_file:lnk_file create_file_perms;
|
|
|
|
# Read the user parent directories like /data/user. Don't allow write access,
|
|
# as vold is responsible for creating and deleting the subdirectories.
|
|
allow system_server system_userdir_file:dir r_dir_perms;
|
|
|
|
# Manage /data/app.
|
|
allow system_server apk_data_file:dir create_dir_perms;
|
|
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
|
|
allow system_server apk_tmp_file:dir create_dir_perms;
|
|
allow system_server apk_tmp_file:file create_file_perms;
|
|
|
|
# Access input configuration files in the /vendor directory
|
|
r_dir_file(system_server, vendor_keylayout_file)
|
|
r_dir_file(system_server, vendor_keychars_file)
|
|
r_dir_file(system_server, vendor_idc_file)
|
|
|
|
# Access /vendor/{app,framework,overlay}
|
|
r_dir_file(system_server, vendor_app_file)
|
|
r_dir_file(system_server, vendor_framework_file)
|
|
r_dir_file(system_server, vendor_overlay_file)
|
|
|
|
# Manage /data/app-private.
|
|
allow system_server apk_private_data_file:dir create_dir_perms;
|
|
allow system_server apk_private_data_file:file create_file_perms;
|
|
allow system_server apk_private_tmp_file:dir create_dir_perms;
|
|
allow system_server apk_private_tmp_file:file create_file_perms;
|
|
|
|
# Manage files within asec containers.
|
|
allow system_server asec_apk_file:dir create_dir_perms;
|
|
allow system_server asec_apk_file:file create_file_perms;
|
|
allow system_server asec_public_file:file create_file_perms;
|
|
|
|
# Manage /data/anr.
|
|
#
|
|
# TODO: Some of these permissions can be withdrawn once we've switched to the
|
|
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
|
|
# the system_server should never need to create a new anr_data_file:file or write
|
|
# to one, but it will still need to read and append to existing files.
|
|
allow system_server anr_data_file:dir create_dir_perms;
|
|
allow system_server anr_data_file:file create_file_perms;
|
|
|
|
# New stack dumping scheme : request an output FD from tombstoned via a unix
|
|
# domain socket.
|
|
#
|
|
# Allow system_server to connect and write to the tombstoned java trace socket in
|
|
# order to dump its traces. Also allow the system server to write its traces to
|
|
# dumpstate during bugreport capture and incidentd during incident collection.
|
|
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
|
|
allow system_server tombstoned:fd use;
|
|
allow system_server dumpstate:fifo_file append;
|
|
allow system_server incidentd:fifo_file append;
|
|
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
|
|
userdebug_or_eng(`
|
|
allow system_server su:fifo_file append;
|
|
')
|
|
|
|
# Allow system_server to read pipes from incidentd (used to deliver incident reports
|
|
# to dropbox)
|
|
allow system_server incidentd:fifo_file read;
|
|
|
|
# Read /data/misc/incidents - only read. The fd will be sent over binder,
|
|
# with no DAC access to it, for dropbox to read.
|
|
allow system_server incident_data_file:file read;
|
|
|
|
# Manage /data/misc/prereboot.
|
|
allow system_server prereboot_data_file:dir rw_dir_perms;
|
|
allow system_server prereboot_data_file:file create_file_perms;
|
|
|
|
# Allow tracing proxy service to read traces. Only the fd is sent over
|
|
# binder.
|
|
allow system_server perfetto_traces_data_file:file { read getattr };
|
|
allow system_server perfetto:fd use;
|
|
|
|
# Manage /data/backup.
|
|
allow system_server backup_data_file:dir create_dir_perms;
|
|
allow system_server backup_data_file:file create_file_perms;
|
|
|
|
# Write to /data/system/dropbox
|
|
allow system_server dropbox_data_file:dir create_dir_perms;
|
|
allow system_server dropbox_data_file:file create_file_perms;
|
|
|
|
# Write to /data/system/heapdump
|
|
allow system_server heapdump_data_file:dir rw_dir_perms;
|
|
allow system_server heapdump_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/adb.
|
|
allow system_server adb_keys_file:dir create_dir_perms;
|
|
allow system_server adb_keys_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/appcompat.
|
|
allow system_server appcompat_data_file:dir rw_dir_perms;
|
|
allow system_server appcompat_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/emergencynumberdb
|
|
allow system_server emergency_data_file:dir create_dir_perms;
|
|
allow system_server emergency_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/network_watchlist
|
|
allow system_server network_watchlist_data_file:dir create_dir_perms;
|
|
allow system_server network_watchlist_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/sms.
|
|
# TODO: Split into a separate type?
|
|
allow system_server radio_data_file:dir create_dir_perms;
|
|
allow system_server radio_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/systemkeys.
|
|
allow system_server systemkeys_data_file:dir create_dir_perms;
|
|
allow system_server systemkeys_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/textclassifier.
|
|
allow system_server textclassifier_data_file:dir create_dir_perms;
|
|
allow system_server textclassifier_data_file:file create_file_perms;
|
|
|
|
# Access /data/tombstones.
|
|
allow system_server tombstone_data_file:dir r_dir_perms;
|
|
allow system_server tombstone_data_file:file r_file_perms;
|
|
|
|
# Allow write access to be able to truncate tombstones.
|
|
allow system_server tombstone_data_file:file write;
|
|
|
|
# Manage /data/misc/vpn.
|
|
allow system_server vpn_data_file:dir create_dir_perms;
|
|
allow system_server vpn_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/wifi.
|
|
allow system_server wifi_data_file:dir create_dir_perms;
|
|
allow system_server wifi_data_file:file create_file_perms;
|
|
|
|
# Manage /data/misc/zoneinfo.
|
|
allow system_server zoneinfo_data_file:dir create_dir_perms;
|
|
allow system_server zoneinfo_data_file:file create_file_perms;
|
|
|
|
# Manage /data/app-staging.
|
|
allow system_server staging_data_file:dir create_dir_perms;
|
|
allow system_server staging_data_file:file create_file_perms;
|
|
|
|
# Manage /data/rollback.
|
|
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
|
|
|
|
# Walk /data/data subdirectories.
|
|
allow system_server app_data_file_type:dir { getattr read search };
|
|
|
|
# Also permit for unlabeled /data/data subdirectories and
|
|
# for unlabeled asec containers on upgrades from 4.2.
|
|
allow system_server unlabeled:dir r_dir_perms;
|
|
# Read pkg.apk file before it has been relabeled by vold.
|
|
allow system_server unlabeled:file r_file_perms;
|
|
|
|
# Populate com.android.providers.settings/databases/settings.db.
|
|
allow system_server system_app_data_file:dir create_dir_perms;
|
|
allow system_server system_app_data_file:file create_file_perms;
|
|
|
|
# Receive and use open app data files passed over binder IPC.
|
|
allow system_server app_data_file_type:file { getattr read write append map };
|
|
|
|
# Access to /data/media for measuring disk usage.
|
|
allow system_server media_rw_data_file:dir { search getattr open read };
|
|
|
|
# Receive and use open /data/media files passed over binder IPC.
|
|
# Also used for measuring disk usage.
|
|
allow system_server media_rw_data_file:file { getattr read write append };
|
|
|
|
# System server needs to setfscreate to packages_list_file when writing
|
|
# /data/system/packages.list
|
|
allow system_server system_server:process setfscreate;
|
|
|
|
# Relabel apk files.
|
|
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
|
|
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
|
|
# Allow PackageManager to:
|
|
# 1. rename file from /data/app-staging folder to /data/app
|
|
# 2. relabel files (linked to /data/rollback) under /data/app-staging
|
|
# during staged apk/apex install.
|
|
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
|
|
|
|
# Relabel wallpaper.
|
|
allow system_server system_data_file:file relabelfrom;
|
|
allow system_server wallpaper_file:file relabelto;
|
|
allow system_server wallpaper_file:file { rw_file_perms rename unlink };
|
|
|
|
# Backup of wallpaper imagery uses temporary hard links to avoid data churn
|
|
allow system_server { system_data_file wallpaper_file }:file link;
|
|
|
|
# ShortcutManager icons
|
|
allow system_server system_data_file:dir relabelfrom;
|
|
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
|
|
allow system_server shortcut_manager_icons:file create_file_perms;
|
|
|
|
# Manage ringtones.
|
|
allow system_server ringtone_file:dir { create_dir_perms relabelto };
|
|
allow system_server ringtone_file:file create_file_perms;
|
|
|
|
# Relabel icon file.
|
|
allow system_server icon_file:file relabelto;
|
|
allow system_server icon_file:file { rw_file_perms unlink };
|
|
|
|
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
|
|
allow system_server system_data_file:dir relabelfrom;
|
|
|
|
# server_configurable_flags_data_file is used for storing server configurable flags which
|
|
# have been reset during current booting. system_server needs to read the data to perform related
|
|
# disaster recovery actions.
|
|
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
|
|
allow system_server server_configurable_flags_data_file:file r_file_perms;
|
|
|
|
# Property Service write
|
|
set_prop(system_server, system_prop)
|
|
set_prop(system_server, bootanim_system_prop)
|
|
set_prop(system_server, exported_system_prop)
|
|
set_prop(system_server, exported3_system_prop)
|
|
set_prop(system_server, safemode_prop)
|
|
set_prop(system_server, theme_prop)
|
|
set_prop(system_server, dhcp_prop)
|
|
set_prop(system_server, net_connectivity_prop)
|
|
set_prop(system_server, net_radio_prop)
|
|
set_prop(system_server, net_dns_prop)
|
|
set_prop(system_server, usb_control_prop)
|
|
set_prop(system_server, usb_prop)
|
|
set_prop(system_server, debug_prop)
|
|
set_prop(system_server, powerctl_prop)
|
|
set_prop(system_server, fingerprint_prop)
|
|
set_prop(system_server, device_logging_prop)
|
|
set_prop(system_server, dumpstate_options_prop)
|
|
set_prop(system_server, overlay_prop)
|
|
set_prop(system_server, exported_overlay_prop)
|
|
set_prop(system_server, pm_prop)
|
|
set_prop(system_server, exported_pm_prop)
|
|
set_prop(system_server, socket_hook_prop)
|
|
set_prop(system_server, audio_prop)
|
|
set_prop(system_server, boot_status_prop)
|
|
set_prop(system_server, surfaceflinger_color_prop)
|
|
set_prop(system_server, provisioned_prop)
|
|
set_prop(system_server, retaildemo_prop)
|
|
set_prop(system_server, dmesgd_start_prop)
|
|
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
|
|
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
|
|
|
|
# ctl interface
|
|
set_prop(system_server, ctl_default_prop)
|
|
set_prop(system_server, ctl_bugreport_prop)
|
|
set_prop(system_server, ctl_gsid_prop)
|
|
|
|
# cppreopt property
|
|
set_prop(system_server, cppreopt_prop)
|
|
|
|
# server configurable flags properties
|
|
set_prop(system_server, device_config_input_native_boot_prop)
|
|
set_prop(system_server, device_config_netd_native_prop)
|
|
set_prop(system_server, device_config_nnapi_native_prop)
|
|
set_prop(system_server, device_config_activity_manager_native_boot_prop)
|
|
set_prop(system_server, device_config_runtime_native_boot_prop)
|
|
set_prop(system_server, device_config_runtime_native_prop)
|
|
set_prop(system_server, device_config_lmkd_native_prop)
|
|
set_prop(system_server, device_config_media_native_prop)
|
|
set_prop(system_server, device_config_mglru_native_prop)
|
|
set_prop(system_server, device_config_profcollect_native_boot_prop)
|
|
set_prop(system_server, device_config_statsd_native_prop)
|
|
set_prop(system_server, device_config_statsd_native_boot_prop)
|
|
set_prop(system_server, device_config_storage_native_boot_prop)
|
|
set_prop(system_server, device_config_swcodec_native_prop)
|
|
set_prop(system_server, device_config_sys_traced_prop)
|
|
set_prop(system_server, device_config_window_manager_native_boot_prop)
|
|
set_prop(system_server, device_config_configuration_prop)
|
|
set_prop(system_server, device_config_connectivity_prop)
|
|
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
|
|
set_prop(system_server, device_config_vendor_system_native_prop)
|
|
set_prop(system_server, device_config_virtualization_framework_native_prop)
|
|
set_prop(system_server, smart_idle_maint_enabled_prop)
|
|
|
|
# Allow query ART device config properties
|
|
get_prop(system_server, device_config_runtime_native_boot_prop)
|
|
get_prop(system_server, device_config_runtime_native_prop)
|
|
|
|
# BootReceiver to read ro.boot.bootreason
|
|
get_prop(system_server, bootloader_boot_reason_prop)
|
|
# PowerManager to read sys.boot.reason
|
|
get_prop(system_server, system_boot_reason_prop)
|
|
|
|
# Collect metrics on boot time created by init
|
|
get_prop(system_server, boottime_prop)
|
|
|
|
# Read device's serial number from system properties
|
|
get_prop(system_server, serialno_prop)
|
|
|
|
# Read/write the property which keeps track of whether this is the first start of system_server
|
|
set_prop(system_server, firstboot_prop)
|
|
|
|
# Audio service in system server can read audio config properties,
|
|
# such as camera shutter enforcement
|
|
get_prop(system_server, audio_config_prop)
|
|
|
|
# system server reads this property to keep track of whether server configurable flags have been
|
|
# reset during current boot.
|
|
get_prop(system_server, device_config_reset_performed_prop)
|
|
|
|
# Read/write the property that enables Test Harness Mode
|
|
set_prop(system_server, test_harness_prop)
|
|
|
|
# Read gsid.image_running.
|
|
get_prop(system_server, gsid_prop)
|
|
|
|
# Read the property that mocks an OTA
|
|
get_prop(system_server, mock_ota_prop)
|
|
|
|
# Read the property as feature flag for protecting apks with fs-verity.
|
|
get_prop(system_server, apk_verity_prop)
|
|
|
|
# Read wifi.interface
|
|
get_prop(system_server, wifi_prop)
|
|
|
|
# Read the vendor property that indicates if Incremental features is enabled
|
|
get_prop(system_server, incremental_prop)
|
|
|
|
# Read ro.zram. properties
|
|
get_prop(system_server, zram_config_prop)
|
|
|
|
# Read/write persist.sys.zram_enabled
|
|
set_prop(system_server, zram_control_prop)
|
|
|
|
# Read/write persist.sys.dalvik.vm.lib.2
|
|
set_prop(system_server, dalvik_runtime_prop)
|
|
|
|
# Read ro.control_privapp_permissions and ro.cp_system_other_odex
|
|
get_prop(system_server, packagemanager_config_prop)
|
|
|
|
# Read the net.464xlat.cellular.enabled property (written by init).
|
|
get_prop(system_server, net_464xlat_fromvendor_prop)
|
|
|
|
# Read hypervisor capabilities ro.boot.hypervisor.*
|
|
get_prop(system_server, hypervisor_prop)
|
|
|
|
# Read persist.wm.debug. properties
|
|
get_prop(system_server, persist_wm_debug_prop)
|
|
|
|
# Create a socket for connections from debuggerd.
|
|
allow system_server system_ndebug_socket:sock_file create_file_perms;
|
|
|
|
# Create a socket for connections from zygotes.
|
|
allow system_server system_unsolzygote_socket:sock_file create_file_perms;
|
|
|
|
# Manage cache files.
|
|
allow system_server cache_file:lnk_file r_file_perms;
|
|
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
|
|
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
|
|
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
|
|
|
|
allow system_server system_file:dir r_dir_perms;
|
|
allow system_server system_file:lnk_file r_file_perms;
|
|
|
|
# ART locks profile files.
|
|
allow system_server system_file:file lock;
|
|
|
|
# LocationManager(e.g, GPS) needs to read and write
|
|
# to uart driver and ctrl proc entry
|
|
allow system_server gps_control:file rw_file_perms;
|
|
|
|
# Allow system_server to use app-created sockets and pipes.
|
|
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
|
|
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
|
|
|
|
# BackupManagerService needs to manipulate backup data files
|
|
allow system_server cache_backup_file:dir rw_dir_perms;
|
|
allow system_server cache_backup_file:file create_file_perms;
|
|
# LocalTransport works inside /cache/backup
|
|
allow system_server cache_private_backup_file:dir create_dir_perms;
|
|
allow system_server cache_private_backup_file:file create_file_perms;
|
|
|
|
# Allow system to talk to usb device
|
|
allow system_server usb_device:chr_file rw_file_perms;
|
|
allow system_server usb_device:dir r_dir_perms;
|
|
|
|
# Read and delete files under /dev/fscklogs.
|
|
r_dir_file(system_server, fscklogs)
|
|
allow system_server fscklogs:dir { write remove_name add_name };
|
|
allow system_server fscklogs:file rename;
|
|
|
|
# logd access, system_server inherit logd write socket
|
|
# (urge is to deprecate this long term)
|
|
allow system_server zygote:unix_dgram_socket write;
|
|
|
|
# Read from log daemon.
|
|
read_logd(system_server)
|
|
read_runtime_log_tags(system_server)
|
|
|
|
# Be consistent with DAC permissions. Allow system_server to write to
|
|
# /sys/module/lowmemorykiller/parameters/adj
|
|
# /sys/module/lowmemorykiller/parameters/minfree
|
|
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
|
|
|
|
# Read /sys/fs/pstore/console-ramoops
|
|
# Don't worry about overly broad permissions for now, as there's
|
|
# only one file in /sys/fs/pstore
|
|
allow system_server pstorefs:dir r_dir_perms;
|
|
allow system_server pstorefs:file r_file_perms;
|
|
|
|
# /sys access
|
|
allow system_server sysfs_zram:dir search;
|
|
allow system_server sysfs_zram:file rw_file_perms;
|
|
|
|
add_service(system_server, system_server_service);
|
|
allow system_server audioserver_service:service_manager find;
|
|
allow system_server authorization_service:service_manager find;
|
|
allow system_server batteryproperties_service:service_manager find;
|
|
allow system_server cameraserver_service:service_manager find;
|
|
allow system_server compos_service:service_manager find;
|
|
allow system_server dataloader_manager_service:service_manager find;
|
|
allow system_server dnsresolver_service:service_manager find;
|
|
allow system_server drmserver_service:service_manager find;
|
|
allow system_server dumpstate_service:service_manager find;
|
|
allow system_server fingerprintd_service:service_manager find;
|
|
allow system_server gatekeeper_service:service_manager find;
|
|
allow system_server gpu_service:service_manager find;
|
|
allow system_server gsi_service:service_manager find;
|
|
allow system_server idmap_service:service_manager find;
|
|
allow system_server incident_service:service_manager find;
|
|
allow system_server incremental_service:service_manager find;
|
|
allow system_server installd_service:service_manager find;
|
|
allow system_server iorapd_service:service_manager find;
|
|
allow system_server keystore_maintenance_service:service_manager find;
|
|
allow system_server keystore_metrics_service:service_manager find;
|
|
allow system_server keystore_service:service_manager find;
|
|
allow system_server mdns_service:service_manager find;
|
|
allow system_server mediaserver_service:service_manager find;
|
|
allow system_server mediametrics_service:service_manager find;
|
|
allow system_server mediaextractor_service:service_manager find;
|
|
allow system_server mediadrmserver_service:service_manager find;
|
|
allow system_server mediatuner_service:service_manager find;
|
|
allow system_server netd_service:service_manager find;
|
|
allow system_server nfc_service:service_manager find;
|
|
allow system_server radio_service:service_manager find;
|
|
allow system_server stats_service:service_manager find;
|
|
allow system_server storaged_service:service_manager find;
|
|
allow system_server surfaceflinger_service:service_manager find;
|
|
allow system_server update_engine_service:service_manager find;
|
|
allow system_server vold_service:service_manager find;
|
|
allow system_server wifinl80211_service:service_manager find;
|
|
allow system_server logd_service:service_manager find;
|
|
userdebug_or_eng(`
|
|
allow system_server profcollectd_service:service_manager find;
|
|
')
|
|
|
|
add_service(system_server, batteryproperties_service)
|
|
|
|
allow system_server keystore:keystore_key {
|
|
get_state
|
|
get
|
|
insert
|
|
delete
|
|
exist
|
|
list
|
|
reset
|
|
password
|
|
lock
|
|
unlock
|
|
is_empty
|
|
sign
|
|
verify
|
|
grant
|
|
duplicate
|
|
clear_uid
|
|
add_auth
|
|
user_changed
|
|
};
|
|
|
|
allow system_server keystore:keystore2 {
|
|
add_auth
|
|
change_password
|
|
change_user
|
|
clear_ns
|
|
clear_uid
|
|
get_state
|
|
list
|
|
lock
|
|
migrate_any_key
|
|
pull_metrics
|
|
reset
|
|
unlock
|
|
};
|
|
|
|
allow system_server keystore:keystore2_key {
|
|
delete
|
|
use_dev_id
|
|
grant
|
|
get_info
|
|
rebind
|
|
update
|
|
use
|
|
};
|
|
|
|
# Allow Wifi module to manage Wi-Fi keys.
|
|
allow system_server wifi_key:keystore2_key {
|
|
delete
|
|
get_info
|
|
rebind
|
|
update
|
|
use
|
|
};
|
|
|
|
# Allow lock_settings service to manage RoR keys.
|
|
allow system_server resume_on_reboot_key:keystore2_key {
|
|
delete
|
|
get_info
|
|
rebind
|
|
update
|
|
use
|
|
};
|
|
|
|
# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
|
|
allow system_server locksettings_key:keystore2_key {
|
|
delete
|
|
get_info
|
|
rebind
|
|
update
|
|
use
|
|
};
|
|
|
|
|
|
# Allow system server to search and write to the persistent factory reset
|
|
# protection partition. This block device does not get wiped in a factory reset.
|
|
allow system_server block_device:dir search;
|
|
allow system_server frp_block_device:blk_file rw_file_perms;
|
|
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
|
|
|
|
# Create new process groups and clean up old cgroups
|
|
allow system_server cgroup:dir { remove_name rmdir };
|
|
allow system_server cgroup_v2:dir create_dir_perms;
|
|
allow system_server cgroup_v2:file { r_file_perms setattr };
|
|
|
|
# /oem access
|
|
r_dir_file(system_server, oemfs)
|
|
|
|
# Allow resolving per-user storage symlinks
|
|
allow system_server { mnt_user_file storage_file }:dir { getattr search };
|
|
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
|
|
|
|
# Allow statfs() on storage devices, which happens fast enough that
|
|
# we shouldn't be killed during unsafe removal
|
|
allow system_server { sdcard_type fuse }:dir { getattr search };
|
|
|
|
# Traverse into expanded storage
|
|
allow system_server mnt_expand_file:dir r_dir_perms;
|
|
|
|
# Allow system process to relabel the fingerprint directory after mkdir
|
|
# and delete the directory and files when no longer needed
|
|
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
|
|
allow system_server fingerprintd_data_file:file { getattr unlink };
|
|
|
|
userdebug_or_eng(`
|
|
# Allow system server to create and write method traces in /data/misc/trace.
|
|
allow system_server method_trace_data_file:dir w_dir_perms;
|
|
allow system_server method_trace_data_file:file { create w_file_perms };
|
|
|
|
# Allow system server to read dmesg
|
|
allow system_server kernel:system syslog_read;
|
|
|
|
# Allow writing and removing window traces in /data/misc/wmtrace.
|
|
allow system_server wm_trace_data_file:dir rw_dir_perms;
|
|
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
|
|
|
|
# Allow writing and removing accessibility traces in /data/misc/a11ytrace.
|
|
allow system_server accessibility_trace_data_file:dir rw_dir_perms;
|
|
allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
|
|
')
|
|
|
|
# For AppFuse.
|
|
allow system_server vold:fd use;
|
|
allow system_server fuse_device:chr_file { read write ioctl getattr };
|
|
allow system_server app_fuse_file:file { read write getattr };
|
|
|
|
# For configuring sdcardfs
|
|
allow system_server configfs:dir { create_dir_perms };
|
|
allow system_server configfs:file { getattr open create unlink write };
|
|
|
|
# Connect to adbd and use a socket transferred from it.
|
|
# Used for e.g. jdwp.
|
|
allow system_server adbd:unix_stream_socket connectto;
|
|
allow system_server adbd:fd use;
|
|
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
|
|
|
|
# Read service.adb.tls.port, persist.adb.wifi. properties
|
|
get_prop(system_server, adbd_prop)
|
|
|
|
# Set persist.adb.tls_server.enable property
|
|
set_prop(system_server, system_adbd_prop)
|
|
|
|
# Allow invoking tools like "timeout"
|
|
allow system_server toolbox_exec:file rx_file_perms;
|
|
|
|
# Allow system process to setup and measure fs-verity
|
|
allowxperm system_server apk_data_file:file ioctl {
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
};
|
|
|
|
allowxperm system_server system_file:file ioctl {
|
|
FS_IOC_MEASURE_VERITY
|
|
};
|
|
|
|
# Postinstall
|
|
#
|
|
# For OTA dexopt, allow calls coming from postinstall.
|
|
binder_call(system_server, postinstall)
|
|
|
|
allow system_server postinstall:fifo_file write;
|
|
allow system_server update_engine:fd use;
|
|
allow system_server update_engine:fifo_file write;
|
|
|
|
# Access to /data/preloads
|
|
allow system_server preloads_data_file:file { r_file_perms unlink };
|
|
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
|
allow system_server preloads_media_file:file { r_file_perms unlink };
|
|
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
|
|
|
r_dir_file(system_server, cgroup)
|
|
r_dir_file(system_server, cgroup_v2)
|
|
allow system_server ion_device:chr_file r_file_perms;
|
|
|
|
# Access to /dev/dma_heap/system
|
|
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
|
|
# Access to /dev/dma_heap/system-secure
|
|
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
|
|
|
|
r_dir_file(system_server, proc_asound)
|
|
r_dir_file(system_server, proc_net_type)
|
|
r_dir_file(system_server, proc_qtaguid_stat)
|
|
allow system_server {
|
|
proc_cmdline
|
|
proc_loadavg
|
|
proc_locks
|
|
proc_meminfo
|
|
proc_pagetypeinfo
|
|
proc_pipe_conf
|
|
proc_stat
|
|
proc_uid_cputime_showstat
|
|
proc_uid_io_stats
|
|
proc_uid_time_in_state
|
|
proc_uid_concurrent_active_time
|
|
proc_uid_concurrent_policy_time
|
|
proc_version
|
|
proc_vmallocinfo
|
|
}:file r_file_perms;
|
|
|
|
allow system_server proc_uid_time_in_state:dir r_dir_perms;
|
|
allow system_server proc_uid_cpupower:file r_file_perms;
|
|
|
|
r_dir_file(system_server, rootfs)
|
|
|
|
# Allow WifiService to start, stop, and read wifi-specific trace events.
|
|
allow system_server debugfs_tracing_instances:dir search;
|
|
allow system_server debugfs_wifi_tracing:dir search;
|
|
allow system_server debugfs_wifi_tracing:file rw_file_perms;
|
|
|
|
# Allow BootReceiver to watch trace error_report events.
|
|
allow system_server debugfs_bootreceiver_tracing:dir search;
|
|
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
|
|
|
|
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
|
|
allow system_server debugfs_tracing:file r_file_perms;
|
|
|
|
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
|
|
# asanwrapper.
|
|
with_asan(`
|
|
allow system_server shell_exec:file rx_file_perms;
|
|
allow system_server asanwrapper_exec:file rx_file_perms;
|
|
allow system_server zygote_exec:file rx_file_perms;
|
|
')
|
|
|
|
# allow system_server to read the eBPF maps that stores the traffic stats information and update
|
|
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
|
|
# time in state accounting
|
|
allow system_server fs_bpf:file { read write };
|
|
allow system_server bpfloader:bpf { map_read map_write prog_run };
|
|
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
|
|
allow system_server self:key_socket create;
|
|
|
|
# Allow system_server to start clatd in its own domain and kill it.
|
|
domain_auto_trans(system_server, clatd_exec, clatd)
|
|
allow system_server clatd:process signal;
|
|
|
|
# ART Profiles.
|
|
# Allow system_server to open profile snapshots for read.
|
|
# System server never reads the actual content. It passes the descriptor to
|
|
# to privileged apps which acquire the permissions to inspect the profiles.
|
|
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
|
|
allow system_server user_profile_data_file:file { getattr open read };
|
|
|
|
# System server may dump profile data for debuggable apps in the /data/misc/profman.
|
|
# As such it needs to be able create files but it should never read from them.
|
|
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
|
|
allow system_server profman_dump_data_file:dir w_dir_perms;
|
|
|
|
# On userdebug build we may profile system server. Allow it to write and create its own profile.
|
|
userdebug_or_eng(`
|
|
allow system_server user_profile_data_file:file create_file_perms;
|
|
')
|
|
# Allow system server to load JVMTI agents under control of a property.
|
|
get_prop(system_server,system_jvmti_agent_prop)
|
|
|
|
# UsbDeviceManager uses /dev/usb-ffs
|
|
allow system_server functionfs:dir search;
|
|
allow system_server functionfs:file rw_file_perms;
|
|
|
|
# system_server contains time / time zone detection logic so reads the associated properties.
|
|
get_prop(system_server, time_prop)
|
|
|
|
# system_server reads this property to know it should expect the lmkd sends notification to it
|
|
# on low memory kills.
|
|
get_prop(system_server, system_lmk_prop)
|
|
|
|
get_prop(system_server, wifi_config_prop)
|
|
|
|
# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
|
|
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
|
|
|
|
# Watchdog prints debugging log to /dev/kmsg_debug.
|
|
userdebug_or_eng(`
|
|
allow system_server kmsg_debug_device:chr_file { open append getattr };
|
|
')
|
|
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
|
|
get_prop(system_server, framework_watchdog_config_prop)
|
|
|
|
|
|
# Font files are written by system server
|
|
allow system_server font_data_file:file create_file_perms;
|
|
allow system_server font_data_file:dir create_dir_perms;
|
|
# Allow system process to setup fs-verity for font files
|
|
allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
|
|
|
|
# Read qemu.hw.mainkeys property
|
|
get_prop(system_server, qemu_hw_prop)
|
|
|
|
# Allow system server to read profcollectd reports for upload.
|
|
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### system_server should NEVER do any of this
|
|
|
|
# Do not allow opening files from external storage as unsafe ejection
|
|
# could cause the kernel to kill the system_server.
|
|
neverallow system_server { sdcard_type fuse }:dir { open read write };
|
|
neverallow system_server { sdcard_type fuse }:file rw_file_perms;
|
|
|
|
# system server should never be operating on zygote spawned app data
|
|
# files directly. Rather, they should always be passed via a
|
|
# file descriptor.
|
|
# Exclude those types that system_server needs to open directly.
|
|
neverallow system_server {
|
|
app_data_file_type
|
|
-system_app_data_file
|
|
-radio_data_file
|
|
}:file { open create unlink link };
|
|
|
|
# Forking and execing is inherently dangerous and racy. See, for
|
|
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
|
|
# Prevent the addition of new file execs to stop the problem from
|
|
# getting worse. b/28035297
|
|
neverallow system_server {
|
|
file_type
|
|
-toolbox_exec
|
|
-logcat_exec
|
|
with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
|
|
}:file execute_no_trans;
|
|
|
|
# Ensure that system_server doesn't perform any domain transitions other than
|
|
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
|
|
neverallow system_server { domain -clatd -crash_dump }:process transition;
|
|
neverallow system_server *:process dyntransition;
|
|
|
|
# Only allow crash_dump to connect to system_ndebug_socket.
|
|
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
|
|
|
|
# Only allow zygotes to connect to system_unsolzygote_socket.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
-zygote
|
|
-app_zygote
|
|
-webview_zygote
|
|
} system_unsolzygote_socket:sock_file { open write };
|
|
|
|
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
-flags_health_check
|
|
} {
|
|
device_config_activity_manager_native_boot_prop
|
|
device_config_connectivity_prop
|
|
device_config_input_native_boot_prop
|
|
device_config_lmkd_native_prop
|
|
device_config_netd_native_prop
|
|
device_config_nnapi_native_prop
|
|
device_config_runtime_native_boot_prop
|
|
device_config_runtime_native_prop
|
|
device_config_media_native_prop
|
|
device_config_mglru_native_prop
|
|
device_config_storage_native_boot_prop
|
|
device_config_surface_flinger_native_boot_prop
|
|
device_config_sys_traced_prop
|
|
device_config_swcodec_native_prop
|
|
device_config_window_manager_native_boot_prop
|
|
}:property_service set;
|
|
|
|
# system_server should never be executing dex2oat. This is either
|
|
# a bug (for example, bug 16317188), or represents an attempt by
|
|
# system server to dynamically load a dex file, something we do not
|
|
# want to allow.
|
|
neverallow system_server dex2oat_exec:file no_x_file_perms;
|
|
|
|
# system_server should never execute or load executable shared libraries
|
|
# in /data. Executable files in /data are a persistence vector.
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
|
neverallow system_server data_file_type:file no_x_file_perms;
|
|
|
|
# The only block device system_server should be writing to is
|
|
# the frp_block_device. This helps avoid a system_server to root
|
|
# escalation by writing to raw block devices.
|
|
# The system_server may need to read from vd_device if it uses
|
|
# block apexes.
|
|
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
|
|
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
|
|
|
|
# system_server should never use JIT functionality
|
|
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
|
|
# in the section titled "A Short ROP Chain" for why.
|
|
# However, in emulator builds without OpenGL passthrough, we use software
|
|
# rendering via SwiftShader, which requires JIT support. These builds are
|
|
# never shipped to users.
|
|
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
|
|
`allow system_server self:process execmem;',
|
|
`neverallow system_server self:process execmem;')
|
|
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
|
|
|
|
# TODO: deal with tmpfs_domain pub/priv split properly
|
|
neverallow system_server system_server_tmpfs:file execute;
|
|
|
|
# Resources handed off by system_server_startup
|
|
allow system_server system_server_startup:fd use;
|
|
allow system_server system_server_startup_tmpfs:file { read write map };
|
|
allow system_server system_server_startup:unix_dgram_socket write;
|
|
|
|
# Allow system server to communicate to apexd
|
|
allow system_server apex_service:service_manager find;
|
|
allow system_server apexd:binder call;
|
|
|
|
# Allow system server to scan /apex for flattened APEXes
|
|
allow system_server apex_mnt_dir:dir r_dir_perms;
|
|
|
|
# Allow system server to read /apex/apex-info-list.xml
|
|
allow system_server apex_info_file:file r_file_perms;
|
|
|
|
# Allow system server to communicate to system-suspend's control interface
|
|
allow system_server system_suspend_control_internal_service:service_manager find;
|
|
allow system_server system_suspend_control_service:service_manager find;
|
|
binder_call(system_server, system_suspend)
|
|
binder_call(system_suspend, system_server)
|
|
|
|
# Allow system server to communicate to system-suspend's wakelock interface
|
|
wakelock_use(system_server)
|
|
|
|
# Allow the system server to read files under /data/apex. The system_server
|
|
# needs these privileges to compare file signatures while processing installs.
|
|
#
|
|
# Only apexd is allowed to create new entries or write to any file under /data/apex.
|
|
allow system_server apex_data_file:dir { getattr search };
|
|
allow system_server apex_data_file:file r_file_perms;
|
|
|
|
# Allow the system server to read files under /vendor/apex. This is where
|
|
# vendor APEX packages might be installed and system_server needs to parse
|
|
# these packages to inspect the signatures and other metadata.
|
|
allow system_server vendor_apex_file:dir { getattr search };
|
|
allow system_server vendor_apex_file:file r_file_perms;
|
|
|
|
# Allow the system server to manage relevant apex module data files.
|
|
allow system_server apex_module_data_file:dir { getattr search };
|
|
# These are modules where the code runs in system_server, so we need full access.
|
|
allow system_server apex_system_server_data_file:dir create_dir_perms;
|
|
allow system_server apex_system_server_data_file:file create_file_perms;
|
|
# Legacy labels that we still need to support (b/217581286)
|
|
allow system_server {
|
|
apex_appsearch_data_file
|
|
apex_permission_data_file
|
|
apex_scheduling_data_file
|
|
apex_tethering_data_file
|
|
apex_wifi_data_file
|
|
}:dir create_dir_perms;
|
|
allow system_server {
|
|
apex_appsearch_data_file
|
|
apex_permission_data_file
|
|
apex_scheduling_data_file
|
|
apex_tethering_data_file
|
|
apex_wifi_data_file
|
|
}:file create_file_perms;
|
|
|
|
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
|
|
# communicate which slots are available for use.
|
|
allow system_server metadata_file:dir search;
|
|
allow system_server password_slot_metadata_file:dir rw_dir_perms;
|
|
allow system_server password_slot_metadata_file:file create_file_perms;
|
|
|
|
allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
|
|
allow system_server userspace_reboot_metadata_file:file create_file_perms;
|
|
|
|
# Allow system server rw access to files in /metadata/staged-install folder
|
|
allow system_server staged_install_file:dir rw_dir_perms;
|
|
allow system_server staged_install_file:file create_file_perms;
|
|
|
|
allow system_server watchdog_metadata_file:dir rw_dir_perms;
|
|
allow system_server watchdog_metadata_file:file create_file_perms;
|
|
|
|
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
|
|
allow system_server gsi_persistent_data_file:file create_file_perms;
|
|
|
|
# Allow system server read and remove files under /data/misc/odrefresh
|
|
allow system_server odrefresh_data_file:dir rw_dir_perms;
|
|
allow system_server odrefresh_data_file:file { r_file_perms unlink };
|
|
|
|
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
|
|
allow system_server surfaceflinger_exec:file r_file_perms;
|
|
|
|
# Allow init to set sysprop used to compute stats about userspace reboot.
|
|
set_prop(system_server, userspace_reboot_log_prop)
|
|
|
|
# JVMTI agent settings are only readable from the system server.
|
|
neverallow {
|
|
domain
|
|
-system_server
|
|
-dumpstate
|
|
-init
|
|
-vendor_init
|
|
} {
|
|
system_jvmti_agent_prop
|
|
}:file no_rw_file_perms;
|
|
|
|
# Read/Write /proc/pressure/memory
|
|
allow system_server proc_pressure_mem:file rw_file_perms;
|
|
|
|
# dexoptanalyzer is currently used only for secondary dex files which
|
|
# system_server should never access.
|
|
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
|
|
|
|
# No ptracing others
|
|
neverallow system_server { domain -system_server }:process ptrace;
|
|
|
|
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
|
|
# file read access. However, that is now unnecessary (b/34951864)
|
|
neverallow system_server system_server:global_capability_class_set sys_resource;
|
|
|
|
# Only system_server/init should access /metadata/password_slots.
|
|
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
|
|
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
|
|
|
|
# Only system_server/init should access /metadata/userspacereboot.
|
|
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
|
|
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
|
|
|
|
# Allow systemserver to read/write the invalidation property
|
|
set_prop(system_server, binder_cache_system_server_prop)
|
|
neverallow { domain -system_server -init }
|
|
binder_cache_system_server_prop:property_service set;
|
|
|
|
# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
|
|
# system_server cannot use this access to read perf event data like process stacks.
|
|
allow system_server self:perf_event { open write cpu kernel };
|
|
neverallow system_server self:perf_event ~{ open write cpu kernel };
|
|
|
|
# Do not allow any domain other than init or system server to set the property
|
|
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
|
|
|
|
neverallow { domain -init -system_server } boot_status_prop:property_service set;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
-dumpstate
|
|
-system_server
|
|
} wifi_config_prop:file no_rw_file_perms;
|
|
|
|
# Only allow system server to write uhid sysfs files
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-system_server
|
|
-ueventd
|
|
-vendor_init
|
|
} sysfs_uhid:file no_w_file_perms;
|
|
|
|
# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
|
|
# can be accessed by system_server only (b/143717177)
|
|
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
|
|
# interface
|
|
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
|
|
|
|
# Only system server can write the font files.
|
|
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
|
|
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
|