platform_system_sepolicy/private/system_server.te
Hung-ying Tyan e4350c1a64 Sepolicy for dynamic_android_service
Dynamic_android service is a proxy running in SystemServer to the
gsi_service daemon. It provides a set of SystemApi's to manage
installation of a new system image to the device while keeping the
original system image intact.

Bug: 122929007
Test: manual; see dynamic_android service start in logcat
Change-Id: Idb9b0475677dad13b7864ca0cf6041dcab04b4e3
2019-01-31 01:30:36 +00:00

1006 lines
39 KiB
Text

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
# May kill zygote on crashes.
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;
allow system_server webview_zygote:process sigkill;
allow system_server app_zygote:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };
# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:global_capability_class_set {
ipc_lock
kill
net_admin
net_bind_service
net_broadcast
net_raw
sys_boot
sys_nice
sys_ptrace
sys_time
sys_tty_config
};
wakelock_use(system_server)
# Trigger module auto-load.
allow system_server kernel:system module_request;
# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;
# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
# libvintf reads the kernel config to verify vendor interface compatibility.
allow system_server config_gz:file { read open };
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
# Allow system_server to write to /proc/<pid>/timerslack_ns
allow system_server appdomain:file w_file_perms;
allow system_server audioserver:file w_file_perms;
allow system_server cameraserver:file w_file_perms;
allow system_server hal_audio_server:file w_file_perms;
allow system_server hal_omx_server:file w_file_perms;
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
r_dir_file(system_server, domain)
# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs_wakeup_sources:file r_file_perms;
# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
# Allow system_server to write to statsd.
unix_socket_send(system_server, statsdw, statsd)
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
allow system_server gpuservice:unix_stream_socket { read write setopt };
# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
# Communicate over a socket created by app_zygote.
allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
binder_call(system_server, binderservicedomain)
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
userdebug_or_eng(`
binder_call(system_server, perfprofd)
')
binder_service(system_server)
# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_system_suspend)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_offload)
hal_client_domain(system_server, hal_wifi_supplicant)
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
allow system_server same_process_hal_file:file { execute read open getattr map };
# Offer HwBinder services
add_hwservice(system_server, fwk_scheduler_hwservice)
add_hwservice(system_server, fwk_sensor_hwservice)
# Talk to tombstoned to get ANR traces.
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
# Send signals to trigger ANR traces.
allow system_server {
# This is derived from the list that system server defines as interesting native processes
# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
audioserver
cameraserver
drmserver
gpuservice
inputflinger
mediadrmserver
mediaextractor
mediaserver
mediametrics
sdcardd
statsd
surfaceflinger
# This list comes from HAL_INTERFACES_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
}:process { signal };
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;
# Use sockets received over binder from various services.
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
selinux_check_access(system_server)
allow system_server sysfs_type:dir search;
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)
r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_mac_address:file r_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms;
# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
allow system_server ota_package_file:file create_file_perms;
# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;
# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;
# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;
# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
userdebug_or_eng(`
allow system_server su:fifo_file append;
')
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file read;
allow system_server perfetto:fd use;
# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
userdebug_or_eng(`
allow system_server perfprofd_data_file:file { getattr read };
allow system_server perfprofd:fd use;
')
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;
# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;
# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;
# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;
# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;
# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;
# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;
# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;
# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;
# Manage /data/staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server {
system_app_data_file
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
app_data_file
privapp_data_file
}:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;
# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
allow system_server {
system_app_data_file
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
app_data_file
privapp_data_file
}:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
allow system_server media_rw_data_file:file { getattr read write append };
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };
# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;
# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;
# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;
# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
allow system_server system_data_file:dir relabelfrom;
# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;
# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported2_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, system_radio_prop)
set_prop(system_server, exported_system_radio_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, exported_fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
# Read device's serial number from system properties
get_prop(system_server, serialno_prop)
# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)
# Audio service in system server can read exported audio properties,
# such as camera shutter enforcement
get_prop(system_server, exported_audio_prop)
# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)
# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir create_dir_perms;
allow system_server cache_private_backup_file:file create_file_perms;
# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;
# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;
# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)
# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;
# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file r_file_perms;
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server hal_fingerprint_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediacodec_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server thermal_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
userdebug_or_eng(`
allow system_server perfprofd_service:service_manager find;
')
add_service(system_server, batteryproperties_service)
allow system_server keystore:keystore_key {
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
add_auth
user_changed
};
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
allow system_server sdcard_type:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };
# Allow system process to read network MAC address
allow system_server sysfs_mac_address:file r_file_perms;
userdebug_or_eng(`
# Allow system server to create and write method traces in /data/misc/trace.
allow system_server method_trace_data_file:dir w_dir_perms;
allow system_server method_trace_data_file:file { create w_file_perms };
# Allow system server to read dmesg
allow system_server kernel:system syslog_read;
# Allow writing and removing window traces in /data/misc/wmtrace.
allow system_server wm_trace_data_file:dir rw_dir_perms;
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
')
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
# Allow system process to setup and measure fs-verity
allowxperm system_server apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
# Allow system process to access the keyring.
allow system_server kernel:key search;
userdebug_or_eng(`
allow system_server su:key search;
')
# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)
allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;
# Access to /data/preloads
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
proc_loadavg
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
proc_stat
proc_uid_cputime_showstat
proc_uid_io_stats
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
proc_version
proc_vmallocinfo
}:file r_file_perms;
allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;
r_dir_file(system_server, rootfs)
# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
allow system_server shell_exec:file rx_file_perms;
allow system_server asanwrapper_exec:file rx_file_perms;
allow system_server zygote_exec:file rx_file_perms;
')
# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow system_server self:key_socket create;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able create files but it should never read from them.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir w_dir_perms;
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
')
userdebug_or_eng(`
# Allow system server to notify mediaextractor of the plugin update.
allow system_server mediaextractor_update_service:service_manager find;
')
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
###
### Neverallow rules
###
### system_server should NEVER do any of this
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
neverallow system_server {
bluetooth_data_file
nfc_data_file
shell_data_file
app_data_file
privapp_data_file
}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
neverallow system_server {
file_type
-toolbox_exec
-logcat_exec
with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;
# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs.
neverallow system_server { domain -crash_dump }:process transition;
neverallow system_server *:process dyntransition;
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain
-init
-system_server
-flags_health_check
} {
device_config_activity_manager_native_boot_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_runtime_native_prop
}:property_service set;
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;
# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
neverallow system_server self:process execmem;
neverallow system_server ashmem_device:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;
# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir search;
allow system_server apex_data_file:file r_file_perms;
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;