platform_system_sepolicy/system_server.te
Stephen Smalley af47ebb67a Label /dev/fscklogs and allow system_server access to it.
Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc:  denied  { getattr } for  pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc:  denied  { open } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc:  denied  { write } for  pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { remove_name } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { unlink } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-11 11:52:24 -08:00

219 lines
7.6 KiB
Text

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain, mlstrustedsubject;
permissive system_server;
# Dalvik Compiler JIT Mapping.
allow system_server self:process execmem;
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;
# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
kill
net_admin
net_bind_service
net_broadcast
net_raw
sys_boot
sys_module
sys_nice
sys_resource
sys_time
sys_tty_config
};
# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;
# Trigger module auto-load.
allow system_server kernel:system module_request;
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket *;
# Kill apps.
allow system_server appdomain:process { sigkill signal };
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
# Read /proc data for apps.
allow system_server appdomain:dir r_dir_perms;
allow system_server appdomain:{ file lnk_file } rw_file_perms;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket *;
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create;
# Notify init of death.
allow system_server init:process sigchld;
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, qemud, qemud)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, keystore, keystore)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC.
tmpfs_domain(system_server)
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, healthd)
binder_service(system_server)
# Read /proc/pid files for Binder clients.
r_dir_file(system_server, appdomain)
r_dir_file(system_server, mediaserver)
allow system_server appdomain:process getattr;
allow system_server mediaserver:process getattr;
# Check SELinux permissions.
selinux_check_access(system_server)
# XXX Label sysfs files with a specific type?
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server graphics_device:dir search;
allow system_server graphics_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server urandom_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server qemu_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
# Manage data files.
allow system_server data_file_type:dir create_dir_perms;
allow system_server data_file_type:notdevfile_class_set create_file_perms;
# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)
# Relabel apk files.
relabelto_domain(system_server)
allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file rw_file_perms;
# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;
# Property Service write
allow system_server system_prop:property_service set;
allow system_server radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
# ctl interface
allow system_server ctl_default_prop:property_service set;
# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
allow system_server system_wpa_socket:sock_file create_file_perms;
# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Specify any arguments to zygote.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
allow system_server domain:dir r_dir_perms;
allow system_server domain:file r_file_perms;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets.
allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
# connect to vpn tunnel
allow system_server mtp:unix_stream_socket { connectto };
# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;
# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;
# Access to wake locks
allow system_server sysfs_wake_lock:file rw_file_perms;
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;