Lines Matching full:allow

25 allow system_server zygote_tmpfs:file { map read };
26 allow system_server appdomain_tmpfs:file { getattr map read write };
29 allow system_server proc_filesystems:file r_file_perms;
32 allow system_server incremental_control_file:file { ioctl r_file_perms };
65 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
68 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
69 allow system_server sysfs_fs_f2fs:file r_file_perms;
72 allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
75 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
76 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
92 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
95 allow system_server resourcecache_data_file:file r_file_perms;
96 allow system_server resourcecache_data_file:dir r_dir_perms;
99 allow system_server self:process ptrace;
102 allow system_server zygote:fd use;
103 allow system_server zygote:process sigchld;
106 allow system_server {
116 allow system_server zygote_exec:file r_file_perms;
119 allow system_server zygote:unix_stream_socket { getopt getattr };
123 # in addition to ioctls allowlisted for all domains, also allow system_server
128 # Allow setup of tcp keepalive offload. This gives system_server the permission to
132 allow system_server appdomain:tcp_socket ioctl;
136 allow system_server self:global_capability_class_set {
150 # Allow alarmtimers to be set
151 allow system_server self:global_capability2_class_set wake_alarm;
154 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
157 allow system_server self:netlink_tcpdiag_socket
161 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
163 allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
166 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
167 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
170 allow system_server config_gz:file { read open };
176 allow system_server self:socket create_socket_perms_no_ioctl;
179 allow system_server self:netlink_route_socket nlmsg_write;
182 allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read …
185 allow system_server appdomain:process { getpgid sigkill signal };
187 allow system_server appdomain:process { signull };
190 allow system_server appdomain:process { getsched setsched };
191 allow system_server audioserver:process { getsched setsched };
192 allow system_server hal_audio:process { getsched setsched };
193 allow system_server hal_bluetooth:process { getsched setsched };
194 allow system_server hal_codec2_server:process { getsched setsched };
195 allow system_server hal_omx_server:process { getsched setsched };
196 allow system_server mediaswcodec:process { getsched setsched };
197 allow system_server cameraserver:process { getsched setsched };
198 allow system_server hal_camera:process { getsched setsched };
199 allow system_server mediaserver:process { getsched setsched };
200 allow system_server bootanim:process { getsched setsched };
202 allow system_server { virtualizationmanager crosvm }:process { getsched setsched };
206 allow system_server kernel:process { getsched setsched };
208 # Allow system_server to write to /proc/<pid>/*
209 allow system_server domain:file w_file_perms;
218 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
221 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
224 allow system_server proc_sysrq:file rw_file_perms;
227 allow system_server stats_config_data_file:dir { open read remove_name search write };
228 allow system_server stats_config_data_file:file unlink;
231 allow system_server odsign_data_file:dir search;
232 allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
233 allow system_server odsign_metrics_file:file { r_file_perms unlink };
237 allow system_server debugfs_wakeup_sources:file r_file_perms;
241 allow system_server sysfs_ion:file r_file_perms;
244 allow system_server sysfs_dma_heap:file r_file_perms;
246 # Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
247 allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
248 allow system_server sysfs_dmabuf_stats:file r_file_perms;
250 # Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
252 allow system_server dmabuf_heap_device:dir r_dir_perms;
254 # Allow reading /proc/vmstat for the oom kill count
255 allow system_server proc_vmstat:file r_file_perms;
258 allow system_server self:packet_socket create_socket_perms_no_ioctl;
261 allow system_server self:tun_socket create_socket_perms_no_ioctl;
268 # Allow system_server to write to statsd.
272 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
274 allow system_server gpuservice:unix_stream_socket { read write setopt };
277 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
280 allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
365 allow system_server hal_graphics_composer:fd use;
368 allow system_server hal_renderscript_hwservice:hwservice_manager find;
369 allow system_server same_process_hal_file:file { execute read open getattr map };
375 allow system_server hwservicemanager:hwservice_manager list;
376 allow system_server servicemanager:service_manager list;
379 allow system_server {
431 allow system_server audioserver:tcp_socket rw_socket_perms;
432 allow system_server audioserver:udp_socket rw_socket_perms;
433 allow system_server mediaserver:tcp_socket rw_socket_perms;
434 allow system_server mediaserver:udp_socket rw_socket_perms;
437 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
438 allow system_server mediadrmserver:udp_socket rw_socket_perms;
445 allow system_server file_contexts_file:file r_file_perms;
447 allow system_server mac_perms_file: file r_file_perms;
451 allow system_server sysfs_type:dir r_dir_perms;
454 allow system_server sysfs_android_usb:file w_file_perms;
459 allow system_server sysfs_ipv4:file w_file_perms;
464 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
465 allow system_server sysfs_power:dir search;
466 allow system_server sysfs_power:file rw_file_perms;
467 allow system_server sysfs_thermal:dir search;
468 allow system_server sysfs_thermal:file r_file_perms;
469 allow system_server sysfs_uhid:dir r_dir_perms;
470 allow system_server sysfs_uhid:file rw_file_perms;
473 allow system_server sysfs_vibrator:file { write append };
476 allow system_server sysfs_usb:file w_file_perms;
479 allow system_server device:dir r_dir_perms;
480 allow system_server mdns_socket:sock_file rw_file_perms;
481 allow system_server gpu_device:chr_file rw_file_perms;
482 allow system_server gpu_device:dir r_dir_perms;
483 allow system_server sysfs_gpu:file r_file_perms;
484 allow system_server input_device:dir r_dir_perms;
485 allow system_server input_device:chr_file rw_file_perms;
486 allow system_server tty_device:chr_file rw_file_perms;
487 allow system_server usbaccessory_device:chr_file rw_file_perms;
488 allow system_server video_device:dir r_dir_perms;
489 allow system_server video_device:chr_file rw_file_perms;
490 allow system_server adbd_socket:sock_file rw_file_perms;
491 allow system_server rtc_device:chr_file rw_file_perms;
492 allow system_server audio_device:dir r_dir_perms;
493 allow system_server uhid_device:chr_file rw_file_perms;
494 allow system_server hidraw_device:dir r_dir_perms;
495 allow system_server hidraw_device:chr_file rw_file_perms;
498 allow system_server audio_device:chr_file rw_file_perms;
501 allow system_server tun_device:chr_file rw_file_perms;
505 allow system_server ota_package_file:dir rw_dir_perms;
506 allow system_server ota_package_file:file create_file_perms;
509 allow system_server system_data_file:dir create_dir_perms;
510 allow system_server system_data_file:notdevfile_class_set create_file_perms;
511 allow system_server packages_list_file:file create_file_perms;
512 allow system_server game_mode_intervention_list_file:file create_file_perms;
513 allow system_server keychain_data_file:dir create_dir_perms;
514 allow system_server keychain_data_file:file create_file_perms;
515 allow system_server keychain_data_file:lnk_file create_file_perms;
517 # Read the user parent directories like /data/user. Don't allow write access,
519 allow system_server system_userdir_file:dir r_dir_perms;
522 allow system_server apk_data_file:dir create_dir_perms;
523 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
524 allow system_server apk_tmp_file:dir create_dir_perms;
525 allow system_server apk_tmp_file:file create_file_perms;
528 allow system_server apk_metadata_file:dir create_dir_perms;
529 allow system_server apk_metadata_file:file create_file_perms;
543 allow system_server apk_private_data_file:dir create_dir_perms;
544 allow system_server apk_private_data_file:file create_file_perms;
545 allow system_server apk_private_tmp_file:dir create_dir_perms;
546 allow system_server apk_private_tmp_file:file create_file_perms;
549 allow system_server asec_apk_file:dir create_dir_perms;
550 allow system_server asec_apk_file:file create_file_perms;
551 allow system_server asec_public_file:file create_file_perms;
559 allow system_server anr_data_file:dir create_dir_perms;
560 allow system_server anr_data_file:file create_file_perms;
565 # Allow system_server to connect and write to the tombstoned java trace socket in
566 # order to dump its traces. Also allow the system server to write its traces to
569 allow system_server tombstoned:fd use;
570 allow system_server dumpstate:fifo_file append;
571 allow system_server incidentd:fifo_file append;
574 allow system_server su:fifo_file append;
577 # Allow system_server to read pipes from incidentd (used to deliver incident reports
579 allow system_server incidentd:fifo_file read;
583 allow system_server incident_data_file:file read;
586 allow system_server prereboot_data_file:dir rw_dir_perms;
587 allow system_server prereboot_data_file:file create_file_perms;
589 # Allow tracing proxy service to read traces. Only the fd is sent over
591 allow system_server perfetto_traces_data_file:file { read getattr };
592 allow system_server perfetto:fd use;
594 # Allow system_server to exec the perfetto cmdline client and pass it a trace config
596 allow system_server perfetto:fifo_file { read write };
598 # Allow system server to manage perfetto traces for ProfilingService.
599 allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
600 allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
601 allow system_server perfetto_traces_data_file:dir search;
603 # Allow system server to exec the trace redactor cmdline client and kill the process for
606 allow system_server trace_redactor:process signal;
608 # Allow system server to kill perfetto processes for ProfilingService.
609 allow system_server perfetto:process signal;
612 allow system_server backup_data_file:dir create_dir_perms;
613 allow system_server backup_data_file:file create_file_perms;
616 allow system_server dropbox_data_file:dir create_dir_perms;
617 allow system_server dropbox_data_file:file create_file_perms;
620 allow system_server heapdump_data_file:dir rw_dir_perms;
621 allow system_server heapdump_data_file:file create_file_perms;
624 allow system_server adb_keys_file:dir create_dir_perms;
625 allow system_server adb_keys_file:file create_file_perms;
628 allow system_server appcompat_data_file:dir rw_dir_perms;
629 allow system_server appcompat_data_file:file create_file_perms;
633 allow system_server connectivityblob_data_file:dir create_dir_perms;
634 allow system_server connectivityblob_data_file:file create_file_perms;
637 allow system_server emergency_data_file:dir create_dir_perms;
638 allow system_server emergency_data_file:file create_file_perms;
641 allow system_server network_watchlist_data_file:dir create_dir_perms;
642 allow system_server network_watchlist_data_file:file create_file_perms;
646 allow system_server radio_data_file:dir create_dir_perms;
647 allow system_server radio_data_file:file create_file_perms;
650 allow system_server systemkeys_data_file:dir create_dir_perms;
651 allow system_server systemkeys_data_file:file create_file_perms;
654 allow system_server textclassifier_data_file:dir create_dir_perms;
655 allow system_server textclassifier_data_file:file create_file_perms;
658 allow system_server tombstone_data_file:dir rw_dir_perms;
659 allow system_server tombstone_data_file:file create_file_perms;
662 allow system_server vpn_data_file:dir create_dir_perms;
663 allow system_server vpn_data_file:file create_file_perms;
666 allow system_server wifi_data_file:dir create_dir_perms;
667 allow system_server wifi_data_file:file create_file_perms;
670 allow system_server staging_data_file:dir create_dir_perms;
671 allow system_server staging_data_file:file create_file_perms;
674 allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
677 allow system_server app_data_file_type:dir { getattr read search };
681 allow system_server unlabeled:dir r_dir_perms;
683 allow system_server unlabeled:file r_file_perms;
686 allow system_server system_app_data_file:dir create_dir_perms;
687 allow system_server system_app_data_file:file create_file_perms;
690 allow system_server app_data_file_type:file { getattr read write append map };
693 allow system_server media_rw_data_file:dir { search getattr open read };
697 allow system_server media_rw_data_file:file { getattr read write append };
701 allow system_server system_server:process setfscreate;
704 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
705 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
706 # Allow PackageManager to:
710 allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
713 allow system_server system_data_file:file relabelfrom;
714 allow system_server wallpaper_file:file relabelto;
715 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
718 allow system_server { system_data_file wallpaper_file }:file link;
721 allow system_server system_data_file:dir relabelfrom;
722 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
723 allow system_server shortcut_manager_icons:file create_file_perms;
726 allow system_server ringtone_file:dir { create_dir_perms relabelto };
727 allow system_server ringtone_file:file create_file_perms;
730 allow system_server icon_file:file relabelto;
731 allow system_server icon_file:file { rw_file_perms unlink };
734 allow system_server system_data_file:dir relabelfrom;
739 allow system_server server_configurable_flags_data_file:dir r_dir_perms;
740 allow system_server server_configurable_flags_data_file:file r_file_perms;
826 # Allow system server to read pm.16kb.app_compat.disabled
829 # Allow query ART device config properties
907 # Allow the heap dump ART plugin to the count of sessions waiting for OOME
910 # Allow the sensor service (running in the system service) to read sensor
914 # Allow system server to determine if system services are enabled
918 allow system_server system_ndebug_socket:sock_file create_file_perms;
921 allow system_server system_unsolzygote_socket:sock_file create_file_perms;
924 allow system_server cache_file:lnk_file r_file_perms;
925 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
926 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
927 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
929 allow system_server system_file:dir r_dir_perms;
930 allow system_server system_file:lnk_file r_file_perms;
933 allow system_server system_file:file lock;
937 allow system_server gps_control:file rw_file_perms;
939 # Allow system_server to use app-created sockets and pipes.
940 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown…
941 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
944 allow system_server cache_backup_file:dir rw_dir_perms;
945 allow system_server cache_backup_file:file create_file_perms;
947 allow system_server cache_private_backup_file:dir create_dir_perms;
948 allow system_server cache_private_backup_file:file create_file_perms;
950 # Allow system to talk to usb device
951 allow system_server usb_device:chr_file rw_file_perms;
952 allow system_server usb_device:dir r_dir_perms;
956 allow system_server fscklogs:dir { write remove_name add_name };
957 allow system_server fscklogs:file rename;
961 allow system_server zygote:unix_dgram_socket write;
967 # Be consistent with DAC permissions. Allow system_server to write to
970 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
975 allow system_server pstorefs:dir r_dir_perms;
976 allow system_server pstorefs:file r_file_perms;
979 allow system_server sysfs_zram:dir search;
980 allow system_server sysfs_zram:file rw_file_perms;
983 allow system_server kernel:security read_policy;
986 allow system_server artd_service:service_manager find;
987 allow system_server artd_pre_reboot_service:service_manager find;
988 allow system_server audioserver_service:service_manager find;
989 allow system_server authorization_service:service_manager find;
990 allow system_server batteryproperties_service:service_manager find;
991 allow system_server cameraserver_service:service_manager find;
992 allow system_server compos_service:service_manager find;
993 allow system_server dataloader_manager_service:service_manager find;
994 allow system_server dexopt_chroot_setup_service:service_manager find;
995 allow system_server dnsresolver_service:service_manager find;
996 allow system_server drmserver_service:service_manager find;
997 allow system_server dumpstate_service:service_manager find;
998 allow system_server fingerprintd_service:service_manager find;
999 allow system_server gatekeeper_service:service_manager find;
1000 allow system_server gpu_service:service_manager find;
1001 allow system_server gsi_service:service_manager find;
1002 allow system_server idmap_service:service_manager find;
1003 allow system_server incident_service:service_manager find;
1004 allow system_server incremental_service:service_manager find;
1005 allow system_server installd_service:service_manager find;
1006 allow system_server keystore_maintenance_service:service_manager find;
1007 allow system_server keystore_metrics_service:service_manager find;
1008 allow system_server keystore_service:service_manager find;
1009 allow system_server mdns_service:service_manager find;
1010 allow system_server mediaserver_service:service_manager find;
1011 allow system_server mediametrics_service:service_manager find;
1012 allow system_server mediaextractor_service:service_manager find;
1013 allow system_server mediadrmserver_service:service_manager find;
1014 allow system_server mediatuner_service:service_manager find;
1015 allow system_server mmd_service:service_manager find;
1016 allow system_server netd_service:service_manager find;
1017 allow system_server nfc_service:service_manager find;
1018 allow system_server ot_daemon_service:service_manager find;
1019 allow system_server radio_service:service_manager find;
1020 allow system_server stats_service:service_manager find;
1021 allow system_server storaged_service:service_manager find;
1022 allow system_server surfaceflinger_service:service_manager find;
1023 allow system_server update_engine_service:service_manager find;
1024 allow system_server virtual_camera_service:service_manager find;
1026 allow system_server virtualization_maintenance_service:service_manager find;
1028 allow system_server vold_service:service_manager find;
1029 allow system_server wifinl80211_service:service_manager find;
1030 allow system_server logd_service:service_manager find;
1032 allow system_server profcollectd_service:service_manager find;
1034 allow system_server wifi_mainline_supplicant_service:service_manager find;
1038 allow system_server keystore:keystore2 {
1052 allow system_server keystore:keystore2_key {
1062 # Allow Wifi module to manage Wi-Fi keys.
1063 allow system_server wifi_key:keystore2_key {
1071 # Allow lock_settings service to manage RoR keys.
1072 allow system_server resume_on_reboot_key:keystore2_key {
1080 # Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
1081 allow system_server locksettings_key:keystore2_key {
1090 # Allow system server to search and write to the persistent factory reset
1092 allow system_server block_device:dir search;
1093 allow system_server frp_block_device:blk_file rw_file_perms;
1097 allow system_server cgroup:dir create_dir_perms;
1098 allow system_server cgroup:file setattr;
1099 allow system_server cgroup_v2:dir create_dir_perms;
1100 allow system_server cgroup_v2:file { r_file_perms setattr };
1105 # Allow resolving per-user storage symlinks
1106 allow system_server { mnt_user_file storage_file }:dir { getattr search };
1107 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
1109 # Allow statfs() on storage devices, which happens fast enough that
1111 allow system_server { sdcard_type fuse }:dir { getattr search };
1114 allow system_server mnt_expand_file:dir r_dir_perms;
1116 # Allow system process to relabel the fingerprint directory after mkdir
1118 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
1119 allow system_server fingerprintd_data_file:file { getattr unlink };
1122 # Allow system server to create and write method traces in /data/misc/trace.
1123 allow system_server method_trace_data_file:dir w_dir_perms;
1124 allow system_server method_trace_data_file:file { create w_file_perms };
1126 # Allow system server to read dmesg
1127 allow system_server kernel:system syslog_read;
1129 # Allow writing and removing window traces in /data/misc/wmtrace.
1130 allow system_server wm_trace_data_file:dir rw_dir_perms;
1131 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
1133 # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
1134 allow system_server accessibility_trace_data_file:dir rw_dir_perms;
1135 allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perm…
1139 allow system_server vold:fd use;
1140 allow system_server fuse_device:chr_file { read write ioctl getattr };
1141 allow system_server app_fuse_file:file { read write getattr };
1144 allow system_server configfs:dir { create_dir_perms };
1145 allow system_server configfs:file { getattr open create unlink write };
1149 allow system_server adbd_common:unix_stream_socket connectto;
1150 allow system_server adbd_common:fd use;
1151 allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
1162 # Allow invoking tools like "timeout"
1163 allow system_server toolbox_exec:file rx_file_perms;
1165 # Allow system process to setup fs-verity
1168 # Allow system process to measure fs-verity for apps, including those being installed
1174 # For OTA dexopt, allow calls coming from postinstall.
1177 allow system_server postinstall:fifo_file write;
1178 allow system_server update_engine:fd use;
1179 allow system_server update_engine:fifo_file write;
1182 allow system_server preloads_data_file:file { r_file_perms unlink };
1183 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
1184 allow system_server preloads_media_file:file { r_file_perms unlink };
1185 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
1189 allow system_server ion_device:chr_file r_file_perms;
1192 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
1194 allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
1199 allow system_server {
1216 allow system_server proc_uid_time_in_state:dir r_dir_perms;
1217 allow system_server proc_uid_cpupower:file r_file_perms;
1221 # Allow WifiService to start, stop, and read wifi-specific trace events.
1222 allow system_server debugfs_tracing_instances:dir search;
1223 allow system_server debugfs_wifi_tracing:dir search;
1224 allow system_server debugfs_wifi_tracing:file rw_file_perms;
1226 # Allow BootReceiver to watch trace error_report events.
1227 allow system_server debugfs_bootreceiver_tracing:dir search;
1228 allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
1230 # Allow system_server to read tracepoint ids in order to attach BPF programs to them.
1231 allow system_server debugfs_tracing:file r_file_perms;
1233 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
1236 allow system_server shell_exec:file rx_file_perms;
1237 allow system_server asanwrapper_exec:file rx_file_perms;
1238 allow system_server zygote_exec:file rx_file_perms;
1241 # allow system_server to read the eBPF maps that stores the traffic stats information and update
1244 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
1245 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { get…
1246 allow system_server bpfloader:bpf prog_run;
1247 allow system_server self:bpf map_create;
1248 allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
1250 allow system_server self:key_socket create;
1256 allow system_server fs_bpf_memevents:dir search;
1257 allow system_server fs_bpf_memevents:file { read write };
1259 # Allow system_server to start clatd in its own domain and kill it.
1261 allow system_server clatd:process { sigkill signal };
1264 # Allow system_server to open profile snapshots for read.
1267 allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
1268 allow system_server user_profile_data_file:file { getattr open read };
1273 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
1274 allow system_server profman_dump_data_file:dir rw_dir_perms;
1276 # On userdebug build we may profile system server. Allow it to write and create its own profile.
1278 allow system_server user_profile_data_file:dir w_dir_perms;
1279 allow system_server user_profile_data_file:file create_file_perms;
1281 # Allow system server to load JVMTI agents under control of a property.
1285 allow system_server functionfs:dir search;
1286 allow system_server functionfs:file rw_file_perms;
1289 allow system_server sysfs_type:dir search;
1307 allow system_server kmsg_debug_device:chr_file { open append getattr };
1314 allow system_server font_data_file:file create_file_perms;
1315 allow system_server font_data_file:dir create_dir_perms;
1316 # Allow system process to setup and measure fs-verity for font files
1322 # Allow system server to read profcollectd reports for upload.
1334 # Do not allow opening files from external storage as unsafe ejection
1369 # Only allow crash_dump to connect to system_ndebug_socket.
1372 # Only allow zygotes to connect to system_unsolzygote_socket.
1382 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
1413 # Only allow system_server and init to set tuner_server_ctl_prop
1423 # want to allow.
1446 `allow system_server self:process execmem;',
1454 allow system_server system_server_startup:fd use;
1455 allow system_server system_server_startup_tmpfs:file { read write map };
1456 allow system_server system_server_startup:unix_dgram_socket write;
1458 # Allow system server to communicate to apexd
1459 allow system_server apex_service:service_manager find;
1460 allow system_server apexd:binder call;
1462 # Allow system server to scan /apex for flattened APEXes
1463 allow system_server apex_mnt_dir:dir r_dir_perms;
1465 # Allow system server to read /apex/apex-info-list.xml
1466 allow system_server apex_info_file:file r_file_perms;
1468 # Allow system_server to communicate with tradeinmode.
1471 # Allow system server to communicate to system-suspend's control interface
1472 allow system_server system_suspend_control_internal_service:service_manager find;
1473 allow system_server system_suspend_control_service:service_manager find;
1477 # Allow system server to communicate to system-suspend's wakelock interface
1480 # Allow the system server to read files under /data/apex. The system_server
1484 allow system_server apex_data_file:dir { getattr search };
1485 allow system_server apex_data_file:file r_file_perms;
1487 # Allow the system server to read files under /vendor/apex. This is where
1490 allow system_server vendor_apex_file:dir { getattr search };
1491 allow system_server vendor_apex_file:file r_file_perms;
1493 # Allow the system server to manage relevant apex module data files.
1494 allow system_server apex_module_data_file:dir { getattr search };
1496 allow system_server apex_system_server_data_file:dir create_dir_perms;
1497 allow system_server apex_system_server_data_file:file create_file_perms;
1498 allow system_server apex_tethering_data_file:dir create_dir_perms;
1499 allow system_server apex_tethering_data_file:file create_file_perms;
1500 allow system_server apex_uwb_data_file:dir create_dir_perms;
1501 allow system_server apex_uwb_data_file:file create_file_perms;
1503 allow system_server {
1509 allow system_server {
1516 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
1518 allow system_server metadata_file:dir search;
1519 allow system_server password_slot_metadata_file:dir rw_dir_perms;
1520 allow system_server password_slot_metadata_file:file create_file_perms;
1522 # Allow TradeInMode service rw access to /metadata/tradeinmode.
1523 allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
1524 allow system_server tradeinmode_metadata_file:file create_file_perms;
1526 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
1527 allow system_server userspace_reboot_metadata_file:file create_file_perms;
1529 # Allow system server rw access to files in /metadata/staged-install folder
1530 allow system_server staged_install_file:dir rw_dir_perms;
1531 allow system_server staged_install_file:file create_file_perms;
1533 allow system_server watchdog_metadata_file:dir rw_dir_perms;
1534 allow system_server watchdog_metadata_file:file create_file_perms;
1536 # allow system_server write to aconfigd socket
1539 # allow system_server write to aconfigd_mainline socket
1542 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
1543 allow system_server repair_mode_metadata_file:file create_file_perms;
1545 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
1546 allow system_server gsi_persistent_data_file:file create_file_perms;
1548 # Allow system server read and remove files under /data/misc/odrefresh
1549 allow system_server odrefresh_data_file:dir rw_dir_perms;
1550 allow system_server odrefresh_data_file:file { r_file_perms unlink };
1552 # Allow system server r access to /system/bin/surfaceflinger for PinnerService.
1553 allow system_server surfaceflinger_exec:file r_file_perms;
1555 # Allow init to set sysprop used to compute stats about userspace reboot.
1570 allow system_server proc_pressure_mem:file rw_file_perms;
1572 allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
1590 # Allow systemserver to read/write the invalidation property
1595 # Allow system server to attach BPF programs to tracepoints. Deny read permission so that
1597 allow system_server self:perf_event { open write cpu kernel };
1600 # Allow writing files under /data/system/shutdown-checkpoints/
1601 allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
1602 allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
1604 # Do not allow any domain other than init or system server to set the property
1617 # Only allow system server to write uhid sysfs files
1636 # Allow reading /system/etc/font_fallback.xml
1637 allow system_server system_font_fallback_file:file r_file_perms;
1639 # Allow system server to set dynamic ART properties.
1642 # Allow system server to read binderfs
1643 allow system_server binderfs_logs:dir r_dir_perms;
1644 allow system_server binderfs_logs_stats:file r_file_perms;
1648 allow system_server binderfs_logs_transactions:file r_file_perms;
1651 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
1657 # Do not allow any domain other than init and system server to set the property
1666 # Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar
1668 allow system_server pre_reboot_dexopt_file:dir { getattr search };
1670 # Allow system_server to reopen its own memfd.
1673 allow system_server system_server_tmpfs:file open;
1675 # Allow system_server to read from postinstall scripts through STDIN, to check if the
1677 allow system_server postinstall:fifo_file read;
1679 # Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
1681 allow system_server {
1689 # Do not allow any domain other than init or system server to get or set the property
1693 # Do not allow anything other than system_server and init to touch /metadata/tradeinmode.