Lines Matching full:system_server

# Listing note: only lines that mention system_server are shown. The leading
# number on each line is its line number in the policy file, so gaps mark
# omitted lines, including the bodies of multi-line rules.
2 # System Server aka system_server spawned by zygote.
# Attribute membership: a rule written elsewhere against one of these
# attributes also applies to system_server, so the effective policy is larger
# than the direct rules in this listing.
6 typeattribute system_server coredomain;
# NOTE(review): in AOSP policy mlstrustedsubject is the attribute exempted
# from the MLS/MCS constraints; confirm against the constraint file.
7 typeattribute system_server mlstrustedsubject;
8 typeattribute system_server remote_provisioning_service_server;
9 typeattribute system_server scheduler_service_server;
10 typeattribute system_server sensor_service_server;
11 typeattribute system_server stats_service_server;
12 typeattribute system_server bpfdomain;
# Macro calls; their expansions are defined outside this listing.
15 tmpfs_domain(system_server)
17 userfaultfd_use(system_server)
# Named type transitions: a sock_file with the quoted name that system_server
# creates in a system_data_file directory gets the listed socket type instead
# of the directory's type. The second file name is truncated in this listing.
20 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
23 type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesock…
# tmpfs-backed files: zygote's may be mapped and read only; app-owned ones may
# also be written.
25 allow system_server zygote_tmpfs:file { map read };
26 allow system_server appdomain_tmpfs:file { getattr map read write };
29 allow system_server proc_filesystems:file r_file_perms;
# ioctl is granted on incremental_control_file and then narrowed by allowxperm.
# The ioctl lists of the three allowxperm rules are on lines not shown here.
32 allow system_server incremental_control_file:file { ioctl r_file_perms };
33 allowxperm system_server incremental_control_file:file ioctl {
44 allowxperm system_server apk_data_file:file ioctl {
59 allowxperm system_server apk_tmp_file:file ioctl {
65 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
68 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
69 allow system_server sysfs_fs_f2fs:file r_file_perms;
72 allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
# ART and dalvik-cache artifacts: directory listing and file read only.
75 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
76 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
81 # system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
# dontaudit only silences the denial log; execute on apex_art_data_file is not
# granted by this line.
82 dontaudit system_server apex_art_data_file:file execute;
85 allowxperm system_server dalvikcache_data_file:file ioctl {
# Wrapped in with_asan, so presumably emitted only for ASan builds (macro
# definition not shown).
92 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
95 allow system_server resourcecache_data_file:file r_file_perms;
96 allow system_server resourcecache_data_file:dir r_dir_perms;
# ptrace is scoped to `self`, i.e. processes running in the system_server
# domain, not to other domains.
99 allow system_server self:process ptrace;
# Relationship with the parent zygote: inherited fds, SIGCHLD delivery,
# read-only access to the zygote binary, socket option queries.
102 allow system_server zygote:fd use;
103 allow system_server zygote:process sigchld;
# Target set of the next rule is on lines not shown.
106 allow system_server {
116 allow system_server zygote_exec:file r_file_perms;
119 allow system_server zygote:unix_stream_socket { getopt getattr };
# Network access. net_domain and bluetooth_domain are macros whose expansions
# are not part of this listing.
122 net_domain(system_server)
123 # in addition to ioctls allowlisted for all domains, also allow system_server
# priv_sock_ioctls is a named ioctl set defined elsewhere; only UDP sockets
# owned by system_server itself are covered.
125 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
126 bluetooth_domain(system_server)
128 # Allow setup of tcp keepalive offload. This gives system_server the permission to
# NOTE(review): this is ioctl on TCP sockets owned by any appdomain; no
# allowxperm narrowing for it appears in this listing; check the omitted
# lines 129-131.
132 allow system_server appdomain:tcp_socket ioctl;
# The capability lists of the next rule are on lines not shown; review them in
# the file, since they define which root-equivalent operations are permitted.
136 allow system_server self:global_capability_class_set {
151 allow system_server self:global_capability2_class_set wake_alarm;
# Netlink sockets of several families, all restricted to `self`. The
# *_no_ioctl permission sets, by name, leave out ioctl (definition not shown).
154 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
157 allow system_server self:netlink_tcpdiag_socket
161 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
163 allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
166 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
167 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
170 allow system_server config_gz:file { read open };
176 allow system_server self:socket create_socket_perms_no_ioctl;
# nlmsg_write covers state-changing netlink requests (route and, below, xfrm
# configuration), as opposed to read-only queries.
179 allow system_server self:netlink_route_socket nlmsg_write;
182 allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read …
# Process control over apps: signals (including SIGKILL), process-group
# queries and the null signal, against every domain carrying appdomain.
185 allow system_server appdomain:process { getpgid sigkill signal };
187 allow system_server appdomain:process { signull };
# Scheduler policy get/set on apps and on the media, audio, camera, codec,
# boot-animation and virtualization domains listed below.
190 allow system_server appdomain:process { getsched setsched };
191 allow system_server audioserver:process { getsched setsched };
192 allow system_server hal_audio:process { getsched setsched };
193 allow system_server hal_bluetooth:process { getsched setsched };
194 allow system_server hal_codec2_server:process { getsched setsched };
195 allow system_server hal_omx_server:process { getsched setsched };
196 allow system_server mediaswcodec:process { getsched setsched };
197 allow system_server cameraserver:process { getsched setsched };
198 allow system_server hal_camera:process { getsched setsched };
199 allow system_server mediaserver:process { getsched setsched };
200 allow system_server bootanim:process { getsched setsched };
202 allow system_server { virtualizationmanager crosvm }:process { getsched setsched };
# Same permissions against the kernel domain (kernel threads).
206 allow system_server kernel:process { getsched setsched };
208 # Allow system_server to write to /proc/<pid>/*
# NOTE(review): the target is the `domain` attribute, so this covers the
# /proc/<pid> files of every process domain; it is one of the broadest grants
# in this listing and worth re-checking whenever a new /proc/<pid> file appears.
209 allow system_server domain:file w_file_perms;
212 # within system_server to keep track of memory and CPU usage for
# Read access to the same /proc/<pid> trees for all domains.
215 r_dir_file(system_server, domain)
218 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
221 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
# NOTE(review): read/write on the proc sysrq type; the file's rationale
# comment is on lines not shown (222-223).
224 allow system_server proc_sysrq:file rw_file_perms;
# statsd config and odsign metrics: directory access plus unlink, i.e.
# system_server can delete entries; file write is not granted on these lines.
227 allow system_server stats_config_data_file:dir { open read remove_name search write };
228 allow system_server stats_config_data_file:file unlink;
231 allow system_server odsign_data_file:dir search;
232 allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
233 allow system_server odsign_metrics_file:file { r_file_perms unlink };
# Read-only kernel statistics sources (debugfs, sysfs, procfs, dma-buf heaps).
237 allow system_server debugfs_wakeup_sources:file r_file_perms;
241 allow system_server sysfs_ion:file r_file_perms;
244 allow system_server sysfs_dma_heap:file r_file_perms;
247 allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
248 allow system_server sysfs_dmabuf_stats:file r_file_perms;
252 allow system_server dmabuf_heap_device:dir r_dir_perms;
255 allow system_server proc_vmstat:file r_file_perms;
# Raw packet and TUN sockets, limited to sockets system_server itself owns.
258 allow system_server self:packet_socket create_socket_perms_no_ioctl;
261 allow system_server self:tun_socket create_socket_perms_no_ioctl;
# Outbound unix-socket connections to lmkd, zygote and uncrypt.
264 unix_socket_connect(system_server, lmkd, lmkd)
265 unix_socket_connect(system_server, zygote, zygote)
266 unix_socket_connect(system_server, uncrypt, uncrypt)
268 # Allow system_server to write to statsd.
269 unix_socket_send(system_server, statsdw, statsd)
# Stream sockets owned by other domains. The two zygote variants also get
# connectto; surfaceflinger and gpuservice sockets may only be used once
# obtained.
272 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
274 allow system_server gpuservice:unix_stream_socket { read write setopt };
277 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
280 allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
# Binder IPC. Each binder_call(system_server, X) line permits system_server to
# call into domain or attribute X; the macro body is not part of this listing.
# This list is the set of peers system_server can reach over Binder directly,
# so it is the place to review when a new daemon is introduced.
283 binder_use(system_server)
284 binder_call(system_server, appdomain)
285 binder_call(system_server, artd)
286 binder_call(system_server, binderservicedomain)
287 binder_call(system_server, composd)
288 binder_call(system_server, dexopt_chroot_setup)
289 binder_call(system_server, dumpstate)
290 binder_call(system_server, fingerprintd)
291 binder_call(system_server, gatekeeperd)
292 binder_call(system_server, gpuservice)
293 binder_call(system_server, idmap)
294 binder_call(system_server, installd)
295 binder_call(system_server, incidentd)
296 binder_call(system_server, mmd)
297 binder_call(system_server, netd)
298 binder_call(system_server, ot_daemon)
# Only peer in this list gated on userdebug_or_eng, i.e. absent from user
# builds if the macro behaves as its name says.
299 userdebug_or_eng(`binder_call(system_server, profcollectd)')
300 binder_call(system_server, statsd)
301 binder_call(system_server, storaged)
302 binder_call(system_server, update_engine)
303 binder_call(system_server, virtual_camera)
304 binder_call(system_server, vold)
305 binder_call(system_server, logd)
306 binder_call(system_server, wificond)
307 binder_call(system_server, uprobestats)
308 binder_call(system_server, wifi_mainline_supplicant)
# Marks system_server as a domain that itself hosts Binder services.
309 binder_service(system_server)
# HAL client declarations: one hal_client_domain call per hardware abstraction
# layer that system_server is allowed to talk to. The permissions each call
# expands to are defined with the corresponding HAL attribute, outside this
# listing.
312 hal_client_domain(system_server, hal_allocator)
313 hal_client_domain(system_server, hal_audio)
314 hal_client_domain(system_server, hal_authgraph)
315 hal_client_domain(system_server, hal_authsecret)
316 hal_client_domain(system_server, hal_bluetooth)
317 hal_client_domain(system_server, hal_broadcastradio)
318 hal_client_domain(system_server, hal_codec2)
319 hal_client_domain(system_server, hal_configstore)
320 hal_client_domain(system_server, hal_contexthub)
321 hal_client_domain(system_server, hal_face)
322 hal_client_domain(system_server, hal_fingerprint)
323 hal_client_domain(system_server, hal_gnss)
324 hal_client_domain(system_server, hal_graphics_allocator)
325 hal_client_domain(system_server, hal_health)
326 hal_client_domain(system_server, hal_input_classifier)
327 hal_client_domain(system_server, hal_input_processor)
328 hal_client_domain(system_server, hal_ir)
329 hal_client_domain(system_server, hal_keymint)
330 hal_client_domain(system_server, hal_light)
331 hal_client_domain(system_server, hal_mediaquality)
332 hal_client_domain(system_server, hal_memtrack)
333 hal_client_domain(system_server, hal_neuralnetworks)
334 hal_client_domain(system_server, hal_oemlock)
335 hal_client_domain(system_server, hal_omx)
336 hal_client_domain(system_server, hal_power)
337 hal_client_domain(system_server, hal_power_stats)
338 hal_client_domain(system_server, hal_rebootescrow)
339 hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
340 hal_client_domain(system_server, hal_sensors)
341 hal_client_domain(system_server, hal_secretkeeper)
342 hal_client_domain(system_server, hal_tetheroffload)
343 hal_client_domain(system_server, hal_thermal)
344 hal_client_domain(system_server, hal_threadnetwork)
345 hal_client_domain(system_server, hal_tv_cec)
346 hal_client_domain(system_server, hal_tv_hdmi_cec)
347 hal_client_domain(system_server, hal_tv_hdmi_connection)
348 hal_client_domain(system_server, hal_tv_hdmi_earc)
349 hal_client_domain(system_server, hal_tv_input)
350 hal_client_domain(system_server, hal_usb)
351 hal_client_domain(system_server, hal_usb_gadget)
352 hal_client_domain(system_server, hal_uwb)
353 hal_client_domain(system_server, hal_vibrator)
354 hal_client_domain(system_server, hal_vr)
355 hal_client_domain(system_server, hal_weaver)
356 hal_client_domain(system_server, hal_wifi)
357 hal_client_domain(system_server, hal_wifi_hostapd)
358 hal_client_domain(system_server, hal_wifi_supplicant)
# Wrapped in not_recovery: by the macro's name this is left out of the
# recovery policy (definition not shown).
362 not_recovery(`hal_client_domain(system_server, hal_bootctl)')
365 allow system_server hal_graphics_composer:fd use;
368 allow system_server hal_renderscript_hwservice:hwservice_manager find;
# NOTE(review): this grants execute + map on same_process_hal_file, so code
# with that label is loaded into the system_server process; the labeling of
# files with this type is therefore part of system_server's trust boundary.
369 allow system_server same_process_hal_file:file { execute read open getattr map };
372 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
# Enumerate registered services in both service managers.
375 allow system_server hwservicemanager:hwservice_manager list;
376 allow system_server servicemanager:service_manager list;
# Target set and permissions of the next rule are on lines not shown.
379 allow system_server {
# Read/write on TCP and UDP sockets owned by the media daemons; the sockets
# are handed over by those daemons rather than created here (no create
# permission on these lines).
431 allow system_server audioserver:tcp_socket rw_socket_perms;
432 allow system_server audioserver:udp_socket rw_socket_perms;
433 allow system_server mediaserver:tcp_socket rw_socket_perms;
434 allow system_server mediaserver:udp_socket rw_socket_perms;
437 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
438 allow system_server mediadrmserver:udp_socket rw_socket_perms;
442 perfetto_producer(system_server)
# Read-only access to SELinux labeling inputs, plus the ability to ask the
# kernel for access decisions (selinux_check_access macro, body not shown).
445 allow system_server file_contexts_file:file r_file_perms;
447 allow system_server mac_perms_file: file r_file_perms;
449 selinux_check_access(system_server)
# sysfs: directory traversal for every sysfs_type, then per-type file access.
# Write access is limited to the types named in w_file_perms / rw_file_perms
# rules below (USB, ipv4, NFC power, power, uhid, vibrator).
451 allow system_server sysfs_type:dir r_dir_perms;
453 r_dir_file(system_server, sysfs_android_usb)
454 allow system_server sysfs_android_usb:file w_file_perms;
456 r_dir_file(system_server, sysfs_extcon)
458 r_dir_file(system_server, sysfs_ipv4)
459 allow system_server sysfs_ipv4:file w_file_perms;
461 r_dir_file(system_server, sysfs_rtc)
462 r_dir_file(system_server, sysfs_switch)
464 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
465 allow system_server sysfs_power:dir search;
466 allow system_server sysfs_power:file rw_file_perms;
467 allow system_server sysfs_thermal:dir search;
468 allow system_server sysfs_thermal:file r_file_perms;
469 allow system_server sysfs_uhid:dir r_dir_perms;
470 allow system_server sysfs_uhid:file rw_file_perms;
473 allow system_server sysfs_vibrator:file { write append };
476 allow system_server sysfs_usb:file w_file_perms;
# Device nodes. Character devices below are opened read/write directly by
# system_server (GPU, input, tty, USB accessory, video, RTC, uhid, hidraw,
# audio, tun).
479 allow system_server device:dir r_dir_perms;
480 allow system_server mdns_socket:sock_file rw_file_perms;
481 allow system_server gpu_device:chr_file rw_file_perms;
482 allow system_server gpu_device:dir r_dir_perms;
483 allow system_server sysfs_gpu:file r_file_perms;
484 allow system_server input_device:dir r_dir_perms;
485 allow system_server input_device:chr_file rw_file_perms;
486 allow system_server tty_device:chr_file rw_file_perms;
487 allow system_server usbaccessory_device:chr_file rw_file_perms;
488 allow system_server video_device:dir r_dir_perms;
489 allow system_server video_device:chr_file rw_file_perms;
490 allow system_server adbd_socket:sock_file rw_file_perms;
491 allow system_server rtc_device:chr_file rw_file_perms;
492 allow system_server audio_device:dir r_dir_perms;
493 allow system_server uhid_device:chr_file rw_file_perms;
494 allow system_server hidraw_device:dir r_dir_perms;
495 allow system_server hidraw_device:chr_file rw_file_perms;
498 allow system_server audio_device:chr_file rw_file_perms;
# ioctl on the tun device is narrowed to the four TUN* requests listed.
501 allow system_server tun_device:chr_file rw_file_perms;
502 allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
# /data management. create_dir_perms / create_file_perms are the "full
# lifecycle" permission sets (by name: create, write, delete); the types below
# are the ones system_server owns or manages on behalf of the platform.
505 allow system_server ota_package_file:dir rw_dir_perms;
506 allow system_server ota_package_file:file create_file_perms;
509 allow system_server system_data_file:dir create_dir_perms;
510 allow system_server system_data_file:notdevfile_class_set create_file_perms;
511 allow system_server packages_list_file:file create_file_perms;
512 allow system_server game_mode_intervention_list_file:file create_file_perms;
513 allow system_server keychain_data_file:dir create_dir_perms;
514 allow system_server keychain_data_file:file create_file_perms;
515 allow system_server keychain_data_file:lnk_file create_file_perms;
519 allow system_server system_userdir_file:dir r_dir_perms;
# Installed and staged APKs: system_server can create, modify and hard-link
# them, so integrity of installed code depends on this domain.
522 allow system_server apk_data_file:dir create_dir_perms;
523 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
524 allow system_server apk_tmp_file:dir create_dir_perms;
525 allow system_server apk_tmp_file:file create_file_perms;
528 allow system_server apk_metadata_file:dir create_dir_perms;
529 allow system_server apk_metadata_file:file create_file_perms;
# Vendor-provided input configuration, apps, framework files and overlays are
# read-only.
532 r_dir_file(system_server, vendor_keylayout_file)
533 r_dir_file(system_server, vendor_keychars_file)
534 r_dir_file(system_server, vendor_idc_file)
535 get_prop(system_server, input_device_config_prop)
538 r_dir_file(system_server, vendor_app_file)
539 r_dir_file(system_server, vendor_framework_file)
540 r_dir_file(system_server, vendor_overlay_file)
543 allow system_server apk_private_data_file:dir create_dir_perms;
544 allow system_server apk_private_data_file:file create_file_perms;
545 allow system_server apk_private_tmp_file:dir create_dir_perms;
546 allow system_server apk_private_tmp_file:file create_file_perms;
549 allow system_server asec_apk_file:dir create_dir_perms;
550 allow system_server asec_apk_file:file create_file_perms;
551 allow system_server asec_public_file:file create_file_perms;
557 # the system_server should never need to create a new anr_data_file:file or write
# NOTE(review): the comment fragment above says creation should not be needed,
# yet create_file_perms is granted below. The rest of that comment is on lines
# not shown; read it in the file before tightening these rules.
559 allow system_server anr_data_file:dir create_dir_perms;
560 allow system_server anr_data_file:file create_file_perms;
565 # Allow system_server to connect and write to the tombstoned java trace socket in
568 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
569 allow system_server tombstoned:fd use;
# Append-only on pipes owned by the dump collectors: system_server can add
# output but not read what others wrote through these rules.
570 allow system_server dumpstate:fifo_file append;
571 allow system_server incidentd:fifo_file append;
572 # Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
# NOTE(review): the su domain normally exists only on userdebug/eng builds;
# any enclosing build-type conditional is on lines not shown (573/575),
# so confirm this rule cannot reach a user build.
574 allow system_server su:fifo_file append;
577 # Allow system_server to read pipes from incidentd (used to deliver incident reports
579 allow system_server incidentd:fifo_file read;
583 allow system_server incident_data_file:file read;
586 allow system_server prereboot_data_file:dir rw_dir_perms;
587 allow system_server prereboot_data_file:file create_file_perms;
# Perfetto traces: existing trace files are read-only (read, getattr); only the
# profiling trace directory is writable.
591 allow system_server perfetto_traces_data_file:file { read getattr };
592 allow system_server perfetto:fd use;
594 # Allow system_server to exec the perfetto cmdline client and pass it a trace config
# domain_auto_trans: executing a file labeled perfetto_exec moves the new
# process into the perfetto domain, so the client does not keep system_server's
# permissions (per the macro's name; body not shown).
595 domain_auto_trans(system_server, perfetto_exec, perfetto);
596 allow system_server perfetto:fifo_file { read write };
599 allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
600 allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
601 allow system_server perfetto_traces_data_file:dir search;
# Same transition pattern for trace_redactor; system_server may signal both
# child domains.
605 domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
606 allow system_server trace_redactor:process signal;
609 allow system_server perfetto:process signal;
# Per-feature data directories under /data that system_server manages. Each
# pair grants directory and file lifecycle permissions on one type. Several of
# these hold security-sensitive state (adb_keys_file, systemkeys_data_file,
# vpn_data_file, wifi_data_file), so write access here is equivalent to control
# over that state.
612 allow system_server backup_data_file:dir create_dir_perms;
613 allow system_server backup_data_file:file create_file_perms;
616 allow system_server dropbox_data_file:dir create_dir_perms;
617 allow system_server dropbox_data_file:file create_file_perms;
620 allow system_server heapdump_data_file:dir rw_dir_perms;
621 allow system_server heapdump_data_file:file create_file_perms;
624 allow system_server adb_keys_file:dir create_dir_perms;
625 allow system_server adb_keys_file:file create_file_perms;
628 allow system_server appcompat_data_file:dir rw_dir_perms;
629 allow system_server appcompat_data_file:file create_file_perms;
633 allow system_server connectivityblob_data_file:dir create_dir_perms;
634 allow system_server connectivityblob_data_file:file create_file_perms;
637 allow system_server emergency_data_file:dir create_dir_perms;
638 allow system_server emergency_data_file:file create_file_perms;
641 allow system_server network_watchlist_data_file:dir create_dir_perms;
642 allow system_server network_watchlist_data_file:file create_file_perms;
646 allow system_server radio_data_file:dir create_dir_perms;
647 allow system_server radio_data_file:file create_file_perms;
650 allow system_server systemkeys_data_file:dir create_dir_perms;
651 allow system_server systemkeys_data_file:file create_file_perms;
654 allow system_server textclassifier_data_file:dir create_dir_perms;
655 allow system_server textclassifier_data_file:file create_file_perms;
658 allow system_server tombstone_data_file:dir rw_dir_perms;
659 allow system_server tombstone_data_file:file create_file_perms;
662 allow system_server vpn_data_file:dir create_dir_perms;
663 allow system_server vpn_data_file:file create_file_perms;
666 allow system_server wifi_data_file:dir create_dir_perms;
667 allow system_server wifi_data_file:file create_file_perms;
670 allow system_server staging_data_file:dir create_dir_perms;
# NOTE(review): for class `file`, the rule at file line 674 is a superset of
# the one at 671 (same create_file_perms plus link), so 671 looks redundant.
671 allow system_server staging_data_file:file create_file_perms;
674 allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
# App-private data: directories can be listed and searched; files can be read,
# written, appended and mapped, but `open` is not in the set, so (as far as
# these lines show) system_server works on descriptors it is handed rather than
# opening app files by path.
677 allow system_server app_data_file_type:dir { getattr read search };
# Unlabeled objects are read-only.
681 allow system_server unlabeled:dir r_dir_perms;
683 allow system_server unlabeled:file r_file_perms;
686 allow system_server system_app_data_file:dir create_dir_perms;
687 allow system_server system_app_data_file:file create_file_perms;
690 allow system_server app_data_file_type:file { getattr read write append map };
# Same descriptor-only pattern for media_rw_data_file files (no `open`).
693 allow system_server media_rw_data_file:dir { search getattr open read };
697 allow system_server media_rw_data_file:file { getattr read write append };
# Labeling control. setfscreate lets the process choose the label applied to
# files it creates; the relabelfrom/relabelto rules below define which label
# changes on existing objects are permitted. Together they determine which
# types system_server can move content between, so they deserve the same review
# as a direct write grant on the destination type.
# Style: the target is written as the explicit type here, whereas other rules
# in this listing use `self` for the same meaning.
701 allow system_server system_server:process setfscreate;
704 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
705 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
710 allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# One-directional: system_data_file may be relabeled away from, and
# wallpaper_file / icon_file / the two directory types below relabeled to.
713 allow system_server system_data_file:file relabelfrom;
714 allow system_server wallpaper_file:file relabelto;
715 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
718 allow system_server { system_data_file wallpaper_file }:file link;
721 allow system_server system_data_file:dir relabelfrom;
722 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
723 allow system_server shortcut_manager_icons:file create_file_perms;
726 allow system_server ringtone_file:dir { create_dir_perms relabelto };
727 allow system_server ringtone_file:file create_file_perms;
730 allow system_server icon_file:file relabelto;
731 allow system_server icon_file:file { rw_file_perms unlink };
# NOTE(review): identical to the rule at file line 721; harmless to the
# compiled policy but redundant.
734 allow system_server system_data_file:dir relabelfrom;
737 # have been reset during current booting. system_server needs to read the data to perform related
# Read-only on the server-configurable-flags data.
739 allow system_server server_configurable_flags_data_file:dir r_dir_perms;
740 allow system_server server_configurable_flags_data_file:file r_file_perms;
# System properties system_server may write. set_prop(domain, type) is a macro
# defined outside this listing; each line names one property type.
# Properties are read by many other domains, so a writable property type is an
# indirect channel into every process that consumes it.
743 set_prop(system_server, system_prop)
744 set_prop(system_server, bootanim_system_prop)
745 set_prop(system_server, bluetooth_prop)
746 set_prop(system_server, exported_system_prop)
747 set_prop(system_server, exported3_system_prop)
748 set_prop(system_server, safemode_prop)
749 set_prop(system_server, theme_prop)
750 set_prop(system_server, dhcp_prop)
751 set_prop(system_server, net_connectivity_prop)
752 set_prop(system_server, net_radio_prop)
753 set_prop(system_server, net_dns_prop)
754 set_prop(system_server, usb_control_prop)
755 set_prop(system_server, usb_prop)
756 set_prop(system_server, debug_prop)
# NOTE(review): powerctl_prop presumably labels the property init uses for
# reboot/shutdown requests; confirm in property_contexts.
757 set_prop(system_server, powerctl_prop)
758 set_prop(system_server, fingerprint_prop)
759 set_prop(system_server, device_logging_prop)
760 set_prop(system_server, dumpstate_options_prop)
761 set_prop(system_server, overlay_prop)
762 set_prop(system_server, exported_overlay_prop)
763 set_prop(system_server, pm_prop)
764 set_prop(system_server, exported_pm_prop)
765 set_prop(system_server, socket_hook_prop)
766 set_prop(system_server, audio_prop)
767 set_prop(system_server, boot_status_prop)
768 set_prop(system_server, surfaceflinger_color_prop)
769 set_prop(system_server, provisioned_prop)
770 set_prop(system_server, retaildemo_prop)
771 set_prop(system_server, dmesgd_start_prop)
772 set_prop(system_server, locale_prop)
773 set_prop(system_server, timezone_metadata_prop)
774 set_prop(system_server, timezone_prop)
775 set_prop(system_server, crashrecovery_prop)
# Debug-build-only writes.
776 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
777 userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
# NOTE(review): the ctl_* types presumably label init's service-control
# properties; ctl_default_prop would then be the catch-all for control
# properties without a more specific label, which makes it the broadest of the
# four. Confirm in property_contexts.
780 set_prop(system_server, ctl_default_prop)
781 set_prop(system_server, ctl_bugreport_prop)
782 set_prop(system_server, ctl_gsid_prop)
783 set_prop(system_server, ctl_artd_pre_reboot_prop)
786 set_prop(system_server, cppreopt_prop)
# device_config_* types: by name, flag values pushed to native components; each
# new type added here extends what system_server can reconfigure at runtime.
789 set_prop(system_server, device_config_core_experiments_team_internal_prop)
790 set_prop(system_server, device_config_edgetpu_native_prop)
791 set_prop(system_server, device_config_input_native_boot_prop)
792 set_prop(system_server, device_config_netd_native_prop)
793 set_prop(system_server, device_config_nnapi_native_prop)
794 set_prop(system_server, device_config_activity_manager_native_boot_prop)
795 set_prop(system_server, device_config_runtime_native_boot_prop)
796 set_prop(system_server, device_config_runtime_native_prop)
797 set_prop(system_server, device_config_lmkd_native_prop)
798 set_prop(system_server, device_config_media_native_prop)
799 set_prop(system_server, device_config_camera_native_prop)
800 set_prop(system_server, device_config_mglru_native_prop)
801 set_prop(system_server, device_config_profcollect_native_boot_prop)
802 set_prop(system_server, device_config_statsd_native_prop)
803 set_prop(system_server, device_config_statsd_native_boot_prop)
804 set_prop(system_server, device_config_storage_native_boot_prop)
805 set_prop(system_server, device_config_swcodec_native_prop)
806 set_prop(system_server, device_config_sys_traced_prop)
807 set_prop(system_server, device_config_window_manager_native_boot_prop)
808 set_prop(system_server, device_config_configuration_prop)
809 set_prop(system_server, device_config_connectivity_prop)
810 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
811 set_prop(system_server, device_config_aconfig_flags_prop)
812 set_prop(system_server, device_config_vendor_system_native_prop)
813 set_prop(system_server, device_config_vendor_system_native_boot_prop)
814 set_prop(system_server, device_config_virtualization_framework_native_prop)
815 set_prop(system_server, device_config_memory_safety_native_boot_prop)
816 set_prop(system_server, device_config_memory_safety_native_prop)
817 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
818 set_prop(system_server, device_config_tethering_u_or_later_native_prop)
819 set_prop(system_server, device_config_mmd_native_prop)
820 set_prop(system_server, smart_idle_maint_enabled_prop)
821 set_prop(system_server, arm64_memtag_prop)
824 set_prop(system_server, next_boot_prop)
# Properties system_server may read (get_prop), with a few further set_prop
# grants interleaved. Macro bodies are outside this listing.
827 get_prop(system_server, pm_16kb_app_compat_prop)
# NOTE(review): set_prop is already granted on these two types at file lines
# 795-796. In AOSP te_macros set_prop also expands get_prop, which would make
# these two lines redundant; confirm against the macro definition.
830 get_prop(system_server, device_config_runtime_native_boot_prop)
831 get_prop(system_server, device_config_runtime_native_prop)
834 get_prop(system_server, bootloader_boot_reason_prop)
836 get_prop(system_server, system_boot_reason_prop)
839 get_prop(system_server, boottime_prop)
# Read access to the device serial number property type.
842 get_prop(system_server, serialno_prop)
844 # Read/write the property which keeps track of whether this is the first start of system_server
845 set_prop(system_server, firstboot_prop)
849 get_prop(system_server, audio_config_prop)
852 get_prop(system_server, media_config_prop)
856 get_prop(system_server, device_config_reset_performed_prop)
859 set_prop(system_server, test_harness_prop)
862 get_prop(system_server, gsid_prop)
865 get_prop(system_server, mock_ota_prop)
868 get_prop(system_server, apk_verity_prop)
871 get_prop(system_server, wifi_prop)
874 get_prop(system_server, incremental_prop)
# zram: configuration is read-only, control is writable.
877 get_prop(system_server, zram_config_prop)
880 set_prop(system_server, zram_control_prop)
883 set_prop(system_server, dalvik_runtime_prop)
886 get_prop(system_server, packagemanager_config_prop)
889 get_prop(system_server, net_464xlat_fromvendor_prop)
892 get_prop(system_server, hypervisor_prop)
895 get_prop(system_server, persist_wm_debug_prop)
898 get_prop(system_server, persist_sysui_builder_extras_prop)
900 get_prop(system_server, persist_sysui_ranking_update_prop)
903 get_prop(system_server, tuner_config_prop)
905 set_prop(system_server, tuner_server_ctl_prop)
908 get_prop(system_server, traced_oome_heap_session_count_prop)
912 get_prop(system_server, sensors_config_prop)
915 get_prop(system_server, system_service_enable_prop)
# Lifecycle permissions on the two socket types that the type_transition rules
# at file lines 20 and 23 assign.
918 allow system_server system_ndebug_socket:sock_file create_file_perms;
921 allow system_server system_unsolzygote_socket:sock_file create_file_perms;
# /cache: full management, including relabeling objects away from the cache
# types (relabelfrom only; no relabelto on these lines).
924 allow system_server cache_file:lnk_file r_file_perms;
925 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
926 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
927 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
# system_file: directories and symlinks are read-only; on regular files these
# lines add only `lock`.
929 allow system_server system_file:dir r_dir_perms;
930 allow system_server system_file:lnk_file r_file_perms;
933 allow system_server system_file:file lock;
937 allow system_server gps_control:file rw_file_perms;
939 # Allow system_server to use app-created sockets and pipes.
# Use of already-created app sockets and pipes; neither rule includes create
# or connect. The first permission list is truncated in this listing.
940 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown…
941 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
944 allow system_server cache_backup_file:dir rw_dir_perms;
945 allow system_server cache_backup_file:file create_file_perms;
947 allow system_server cache_private_backup_file:dir create_dir_perms;
948 allow system_server cache_private_backup_file:file create_file_perms;
# Direct read/write on USB device nodes.
951 allow system_server usb_device:chr_file rw_file_perms;
952 allow system_server usb_device:dir r_dir_perms;
# fsck logs: readable, and entries can be added, removed and renamed.
955 r_dir_file(system_server, fscklogs)
956 allow system_server fscklogs:dir { write remove_name add_name };
957 allow system_server fscklogs:file rename;
959 # logd access, system_server inherit logd write socket
961 allow system_server zygote:unix_dgram_socket write;
# Log reading: read_logd covers the device log buffers, which can contain data
# from every process that logs (macro bodies not shown).
964 read_logd(system_server)
965 read_runtime_log_tags(system_server)
967 # Be consistent with DAC permissions. Allow system_server to write to
970 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
# pstore (persisted kernel crash data) is read-only.
975 allow system_server pstorefs:dir r_dir_perms;
976 allow system_server pstorefs:file r_file_perms;
979 allow system_server sysfs_zram:dir search;
980 allow system_server sysfs_zram:file rw_file_perms;
# Permission to read the loaded SELinux policy from the kernel.
983 allow system_server kernel:security read_policy;
# Service manager. add_service lets system_server register services of the
# given type; each `find` rule lets it look up one service type registered by
# another domain. A `find` grant alone does not permit calling the service:
# the corresponding binder_call to the hosting domain is also needed.
985 add_service(system_server, system_server_service);
986 allow system_server artd_service:service_manager find;
987 allow system_server artd_pre_reboot_service:service_manager find;
988 allow system_server audioserver_service:service_manager find;
989 allow system_server authorization_service:service_manager find;
990 allow system_server batteryproperties_service:service_manager find;
991 allow system_server cameraserver_service:service_manager find;
992 allow system_server compos_service:service_manager find;
993 allow system_server dataloader_manager_service:service_manager find;
994 allow system_server dexopt_chroot_setup_service:service_manager find;
995 allow system_server dnsresolver_service:service_manager find;
996 allow system_server drmserver_service:service_manager find;
997 allow system_server dumpstate_service:service_manager find;
998 allow system_server fingerprintd_service:service_manager find;
999 allow system_server gatekeeper_service:service_manager find;
1000 allow system_server gpu_service:service_manager find;
1001 allow system_server gsi_service:service_manager find;
1002 allow system_server idmap_service:service_manager find;
1003 allow system_server incident_service:service_manager find;
1004 allow system_server incremental_service:service_manager find;
1005 allow system_server installd_service:service_manager find;
1006 allow system_server keystore_maintenance_service:service_manager find;
1007 allow system_server keystore_metrics_service:service_manager find;
1008 allow system_server keystore_service:service_manager find;
1009 allow system_server mdns_service:service_manager find;
1010 allow system_server mediaserver_service:service_manager find;
1011 allow system_server mediametrics_service:service_manager find;
1012 allow system_server mediaextractor_service:service_manager find;
1013 allow system_server mediadrmserver_service:service_manager find;
1014 allow system_server mediatuner_service:service_manager find;
1015 allow system_server mmd_service:service_manager find;
1016 allow system_server netd_service:service_manager find;
1017 allow system_server nfc_service:service_manager find;
1018 allow system_server ot_daemon_service:service_manager find;
1019 allow system_server radio_service:service_manager find;
1020 allow system_server stats_service:service_manager find;
1021 allow system_server storaged_service:service_manager find;
1022 allow system_server surfaceflinger_service:service_manager find;
1023 allow system_server update_engine_service:service_manager find;
1024 allow system_server virtual_camera_service:service_manager find;
1026 allow system_server virtualization_maintenance_service:service_manager find;
1028 allow system_server vold_service:service_manager find;
1029 allow system_server wifinl80211_service:service_manager find;
1030 allow system_server logd_service:service_manager find;
# NOTE(review): file lines 1031 and 1033 are not shown. The matching
# binder_call at file line 299 is wrapped in userdebug_or_eng; check that this
# rule is gated the same way.
1032 allow system_server profcollectd_service:service_manager find;
1034 allow system_server wifi_mainline_supplicant_service:service_manager find;
# system_server both registers and (file line 990) looks up this service type.
1036 add_service(system_server, batteryproperties_service)
# Keystore2 permissions. The permission lists of all five rules are on lines
# not shown; they decide which key operations system_server may perform in
# each key namespace (keystore, wifi_key, resume_on_reboot_key,
# locksettings_key) and must be read in the file itself.
1038 allow system_server keystore:keystore2 {
1052 allow system_server keystore:keystore2_key {
1063 allow system_server wifi_key:keystore2_key {
1072 allow system_server resume_on_reboot_key:keystore2_key {
1081 allow system_server locksettings_key:keystore2_key {
# Raw read/write on the frp_block_device node, with ioctl narrowed to the two
# discard requests listed.
1092 allow system_server block_device:dir search;
1093 allow system_server frp_block_device:blk_file rw_file_perms;
1094 allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
# cgroup v1/v2: directories can be created and removed, file attributes set;
# file read is granted for cgroup_v2 only on these lines.
1097 allow system_server cgroup:dir create_dir_perms;
1098 allow system_server cgroup:file setattr;
1099 allow system_server cgroup_v2:dir create_dir_perms;
1100 allow system_server cgroup_v2:file { r_file_perms setattr };
1103 r_dir_file(system_server, oemfs)
1106 allow system_server { mnt_user_file storage_file }:dir { getattr search };
1107 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
1111 allow system_server { sdcard_type fuse }:dir { getattr search };
1114 allow system_server mnt_expand_file:dir r_dir_perms;
1118 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
1119 allow system_server fingerprintd_data_file:file { getattr unlink };
1123 allow system_server method_trace_data_file:dir w_dir_perms;
1124 allow system_server method_trace_data_file:file { create w_file_perms };
# Grants syslog_read on kernel:system, i.e. reading the kernel log.
1127 allow system_server kernel:system syslog_read;
1130 allow system_server wm_trace_data_file:dir rw_dir_perms;
1131 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
1134 allow system_server accessibility_trace_data_file:dir rw_dir_perms;
1135 …allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perm…
# File descriptors inherited from vold, plus direct access to the FUSE character device and
# to app_fuse_file files (read/write/getattr only, no open on app_fuse_file).
1139 allow system_server vold:fd use;
1140 allow system_server fuse_device:chr_file { read write ioctl getattr };
1141 allow system_server app_fuse_file:file { read write getattr };
1144 allow system_server configfs:dir { create_dir_perms };
1145 allow system_server configfs:file { getattr open create unlink write };
# NOTE(review): system_server may connect to the adbd_common unix stream socket, read
# adbd_prop, and set system_adbd_prop and adbd_tradeinmode_prop. The comments that justify
# each rule did not match the search and are not in this listing.
1149 allow system_server adbd_common:unix_stream_socket connectto;
1150 allow system_server adbd_common:fd use;
1151 allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
1154 get_prop(system_server, adbd_prop)
1157 set_prop(system_server, system_adbd_prop)
1160 set_prop(system_server, adbd_tradeinmode_prop)
# NOTE(review): rx_file_perms on toolbox_exec lets system_server read and execute toolbox.
# No domain transition for toolbox appears in this listing; confirm in the full file which
# domain the executed binary runs in.
1163 allow system_server toolbox_exec:file rx_file_perms;
# NOTE(review): the next rule is cut off by the listing; its class and ioctl set are not
# visible.
1166 allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file…
# fs-verity measurement ioctl on APK files, and FS_IOC_SETFLAGS on temporary APK files only.
1169 allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
1170 allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
1175 binder_call(system_server, postinstall)
# Write-only access to the FIFOs of postinstall and update_engine (read on the postinstall
# FIFO is granted separately at original line 1677).
1177 allow system_server postinstall:fifo_file write;
1178 allow system_server update_engine:fd use;
1179 allow system_server update_engine:fifo_file write;
# Preload content can be read and deleted, but these rules grant no create or write of files.
1182 allow system_server preloads_data_file:file { r_file_perms unlink };
1183 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
1184 allow system_server preloads_media_file:file { r_file_perms unlink };
1185 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
1187 r_dir_file(system_server, cgroup)
1188 r_dir_file(system_server, cgroup_v2)
# Read-only access to the ION and DMA-BUF heap devices, including the secure heap.
1189 allow system_server ion_device:chr_file r_file_perms;
1192 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
1194 allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
1196 r_dir_file(system_server, proc_asound)
1197 r_dir_file(system_server, proc_net_type)
1198 r_dir_file(system_server, proc_qtaguid_stat)
# NOTE(review): the rule starting here is shown only up to its opening brace; the target
# types and permissions are not in this listing.
1199 allow system_server {
1216 allow system_server proc_uid_time_in_state:dir r_dir_perms;
1217 allow system_server proc_uid_cpupower:file r_file_perms;
1219 r_dir_file(system_server, rootfs)
# debugfs tracing: wifi tracing files are read/write, bootreceiver tracing files read-only.
1222 allow system_server debugfs_tracing_instances:dir search;
1223 allow system_server debugfs_wifi_tracing:dir search;
1224 allow system_server debugfs_wifi_tracing:file rw_file_perms;
1227 allow system_server debugfs_bootreceiver_tracing:dir search;
1228 allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
1230 # Allow system_server to read tracepoint ids in order to attach BPF programs to them.
1231 allow system_server debugfs_tracing:file r_file_perms;
1233 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# NOTE(review): the comment above scopes these three exec grants to ASAN builds, but the
# lines between it and the rules (original 1234-1235) are not in this listing. Confirm in the
# full file that the rules sit inside a build-conditional wrapper, since executing the shell
# from system_server would be a significant grant on a production build.
1236 allow system_server shell_exec:file rx_file_perms;
1237 allow system_server asanwrapper_exec:file rx_file_perms;
1238 allow system_server zygote_exec:file rx_file_perms;
1241 # allow system_server to read the eBPF maps that stores the traffic stats information and update
1244 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
1245 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { get…
# BPF object permissions: prog_run only on programs owned by bpfloader, map_create only on
# self, and map_read/map_write on maps owned by bpfloader, netd, network_stack and
# system_server itself.
1246 allow system_server bpfloader:bpf prog_run;
1247 allow system_server self:bpf map_create;
1248 allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
1250 allow system_server self:key_socket create;
# dontaudit suppresses the denial log for getopt on the key socket; it does not grant it.
1253 dontaudit system_server self:key_socket getopt;
1256 allow system_server fs_bpf_memevents:dir search;
1257 allow system_server fs_bpf_memevents:file { read write };
1259 # Allow system_server to start clatd in its own domain and kill it.
# clatd is one of the four domains exempted from the transition ban at original line 1363.
1260 domain_auto_trans(system_server, clatd_exec, clatd)
1261 allow system_server clatd:process { sigkill signal };
1264 # Allow system_server to open profile snapshots for read.
1267 allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
1268 allow system_server user_profile_data_file:file { getattr open read };
1273 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
1274 allow system_server profman_dump_data_file:dir rw_dir_perms;
# NOTE(review): these two rules widen the read-only profile access granted at original lines
# 1267-1268 to directory writes and create_file_perms; their explanatory comment is not in
# this listing.
1278 allow system_server user_profile_data_file:dir w_dir_perms;
1279 allow system_server user_profile_data_file:file create_file_perms;
1282 get_prop(system_server,system_jvmti_agent_prop)
1285 allow system_server functionfs:dir search;
1286 allow system_server functionfs:file rw_file_perms;
1289 allow system_server sysfs_type:dir search;
1290 r_dir_file(system_server, sysfs_udc)
1293 # system_server contains time / time zone detection logic so reads the associated properties.
1294 get_prop(system_server, time_prop)
1296 # system_server reads this property to know it should expect the lmkd sends notification to it
1298 get_prop(system_server, system_lmk_prop)
1300 get_prop(system_server, wifi_config_prop)
# Paired with the neverallowxperm at original line 1630, which denies the binder freeze
# ioctls to every domain other than system_server.
1303 allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
# Append-only access to the kmsg debug device: open, append and getattr, no read.
1307 allow system_server kmsg_debug_device:chr_file { open append getattr };
1310 get_prop(system_server, framework_watchdog_config_prop)
# Font files are fully managed by system_server and may have fs-verity enabled and measured.
# Original lines 1633-1634 neverallow writes to font_data_file from any domain other than
# init and system_server.
1314 allow system_server font_data_file:file create_file_perms;
1315 allow system_server font_data_file:dir create_dir_perms;
1317 allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
1320 get_prop(system_server, qemu_hw_prop)
# Wrapped in userdebug_or_eng(): this read access is emitted only for those build variants.
1323 userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
1326 get_prop(system_server, power_debug_prop)
1327 set_prop(system_server, power_debug_prop)
# NOTE(review): neverallow rules are build-time assertions. They add no runtime check; the
# policy build fails if any allow rule grants the listed access. Several rules below are
# shown only in part because the listing keeps just the lines that match "system_server".
1332 ### system_server should NEVER do any of this
1335 # could cause the kernel to kill the system_server.
# Bans open/read/write on sdcard/FUSE directories and rw_file_perms on their files; the
# matching allow at original line 1111 grants only getattr and search.
1336 neverallow system_server { sdcard_type fuse }:dir { open read write };
1337 neverallow system_server { sdcard_type fuse }:file rw_file_perms;
1342 # Exclude those types that system_server needs to open directly.
# NOTE(review): the two rules below are cut at the opening brace; their target sets and
# permissions are not visible here.
1343 neverallow system_server {
1353 neverallow system_server {
1360 # Ensure that system_server doesn't perform any domain transitions other than
# Transition is banned to every domain except clatd, crash_dump, perfetto and
# trace_redactor; dyntransition is banned unconditionally.
1363 neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
1364 neverallow system_server *:process dyntransition;
1366 # Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
1367 neverallow system_server perfetto_traces_data_file:dir ~search;
1370 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write …
# NOTE(review): each bare "-system_server" line in this listing is a set-subtraction fragment
# of a rule whose other lines did not match the search. It presumably exempts system_server
# from that rule's restricted set; read the enclosing rule in the full file to confirm.
1376 -system_server
1382 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
1386 -system_server
1413 # Only allow system_server and init to set tuner_server_ctl_prop
1416 -system_server
1420 # system_server should never be executing dex2oat. This is either
1424 neverallow system_server dex2oat_exec:file no_x_file_perms;
1426 # system_server should never execute or load executable shared libraries
# Covers every type carrying the data_file_type attribute, so code stored under writable
# data types cannot be made executable for system_server by a later allow rule.
1429 neverallow system_server data_file_type:file no_x_file_perms;
1431 # The only block device system_server should be writing to is
1432 # the frp_block_device. This helps avoid a system_server to root
1434 # The system_server may need to read from vd_device if it uses
1436 neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
1437 neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
1439 # system_server should never use JIT functionality
# NOTE(review): the next two lines appear to be the alternative branches of a conditional
# macro whose opening line (original 1440-1445) is not in this listing. One branch grants
# execmem and the other forbids it; verify which build configurations select the allow.
1446 `allow system_server self:process execmem;',
1447 `neverallow system_server self:process execmem;')
# No executing from ashmem devices or from system_server's own tmpfs files.
1448 neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
1451 neverallow system_server system_server_tmpfs:file execute;
# Access to objects owned by the system_server_startup domain: inherited fds, its tmpfs
# files (read/write/map, no execute) and writes to its datagram socket.
1454 allow system_server system_server_startup:fd use;
1455 allow system_server system_server_startup_tmpfs:file { read write map };
1456 allow system_server system_server_startup:unix_dgram_socket write;
# Binder access to apexd plus read-only access to the APEX mount directory and info file.
1459 allow system_server apex_service:service_manager find;
1460 allow system_server apexd:binder call;
1463 allow system_server apex_mnt_dir:dir r_dir_perms;
1466 allow system_server apex_info_file:file r_file_perms;
1468 # Allow system_server to communicate with tradeinmode.
1469 binder_call(system_server, tradeinmode)
1472 allow system_server system_suspend_control_internal_service:service_manager find;
1473 allow system_server system_suspend_control_service:service_manager find;
# Binder calls are allowed in both directions between system_server and system_suspend.
1474 binder_call(system_server, system_suspend)
1475 binder_call(system_suspend, system_server)
1478 wakelock_use(system_server)
1480 # Allow the system server to read files under /data/apex. The system_server
1484 allow system_server apex_data_file:dir { getattr search };
1485 allow system_server apex_data_file:file r_file_perms;
1488 # vendor APEX packages might be installed and system_server needs to parse
1490 allow system_server vendor_apex_file:dir { getattr search };
1491 allow system_server vendor_apex_file:file r_file_perms;
1494 allow system_server apex_module_data_file:dir { getattr search };
1495 # These are modules where the code runs in system_server, so we need full access.
1496 allow system_server apex_system_server_data_file:dir create_dir_perms;
1497 allow system_server apex_system_server_data_file:file create_file_perms;
1498 allow system_server apex_tethering_data_file:dir create_dir_perms;
1499 allow system_server apex_tethering_data_file:file create_file_perms;
1500 allow system_server apex_uwb_data_file:dir create_dir_perms;
1501 allow system_server apex_uwb_data_file:file create_file_perms;
# NOTE(review): the two rules below are cut at the opening brace; their targets and
# permissions are not visible in this listing.
1503 allow system_server {
1509 allow system_server {
# Metadata-partition state. password_slot_metadata_file and tradeinmode_metadata_file are
# additionally locked down to init and system_server by neverallow rules at original lines
# 1582-1588 and 1694.
1518 allow system_server metadata_file:dir search;
1519 allow system_server password_slot_metadata_file:dir rw_dir_perms;
1520 allow system_server password_slot_metadata_file:file create_file_perms;
1523 allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
1524 allow system_server tradeinmode_metadata_file:file create_file_perms;
1526 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
1527 allow system_server userspace_reboot_metadata_file:file create_file_perms;
1530 allow system_server staged_install_file:dir rw_dir_perms;
1531 allow system_server staged_install_file:file create_file_perms;
1533 allow system_server watchdog_metadata_file:dir rw_dir_perms;
1534 allow system_server watchdog_metadata_file:file create_file_perms;
1536 # allow system_server write to aconfigd socket
1537 unix_socket_connect(system_server, aconfigd, aconfigd);
1539 # allow system_server write to aconfigd_mainline socket
1540 unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
1542 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
1543 allow system_server repair_mode_metadata_file:file create_file_perms;
1545 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
1546 allow system_server gsi_persistent_data_file:file create_file_perms;
# odrefresh output can be read and unlinked, but this rule grants no create or write.
1549 allow system_server odrefresh_data_file:dir rw_dir_perms;
1550 allow system_server odrefresh_data_file:file { r_file_perms unlink };
# r_file_perms only: the surfaceflinger binary may be read, and this rule grants no execute.
1553 allow system_server surfaceflinger_exec:file r_file_perms;
1556 set_prop(system_server, userspace_reboot_log_prop)
# NOTE(review): set-subtraction fragment of a rule that is otherwise not shown.
1561 -system_server
# Memory pressure file is read/write; the CPU and IO pressure files are read-only.
1570 allow system_server proc_pressure_mem:file rw_file_perms;
1572 allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
# system_server may never ptrace another domain and may never hold CAP_SYS_RESOURCE
# (sys_resource in global_capability_class_set).
1575 neverallow system_server { domain -system_server }:process ptrace;
1579 neverallow system_server system_server:global_capability_class_set sys_resource;
1581 # Only system_server/init should access /metadata/password_slots.
1582 neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
# NOTE(review): set-subtraction fragment of a rule that is otherwise not shown.
1586 -system_server
1588 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
1591 set_prop(system_server, binder_cache_system_server_prop)
# NOTE(review): this neverallow continues on lines that did not match the search; its target
# and permissions are not visible here.
1592 neverallow { domain -system_server -init }
1596 # system_server cannot use this access to read perf event data like process stacks.
# The allowed set omits "read", and the neverallow pins the set to exactly these four
# permissions, so a later allow rule cannot add read without failing the build.
1597 allow system_server self:perf_event { open write cpu kernel };
1598 neverallow system_server self:perf_event ~{ open write cpu kernel };
1601 allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
1602 allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
# Only init and system_server may set socket_hook_prop and boot_status_prop.
1605 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
1607 neverallow { domain -init -system_server } boot_status_prop:property_service set;
# NOTE(review): the next two lines are set-subtraction fragments of rules that are otherwise
# not shown.
1614 -system_server
1621 -system_server
1627 # can be accessed by system_server only (b/143717177)
1628 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
1630 neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_F…
# Only init and system_server may be granted the write permissions in no_w_file_perms /
# no_w_dir_perms on font data.
1633 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
1634 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
1637 allow system_server system_font_fallback_file:file r_file_perms;
1640 set_prop(system_server, dalvik_dynamic_config_prop)
# Read-only access to the binderfs log directory, stats and transaction logs.
1643 allow system_server binderfs_logs:dir r_dir_perms;
1644 allow system_server binderfs_logs_stats:file r_file_perms;
1648 allow system_server binderfs_logs_transactions:file r_file_perms;
1652 set_prop(system_server, game_manager_config_prop)
1655 get_prop(system_server, threadnetwork_config_prop)
# NOTE(review): set-subtraction fragment of a rule that is otherwise not shown.
1663 -system_server
1668 allow system_server pre_reboot_dexopt_file:dir { getattr search };
1670 # Allow system_server to reopen its own memfd.
1671 # system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
# Grants open only. Executing system_server_tmpfs files stays forbidden by the neverallow at
# original line 1451.
1673 allow system_server system_server_tmpfs:file open;
1675 # Allow system_server to read from postinstall scripts through STDIN, to check if the
1677 allow system_server postinstall:fifo_file read;
1679 # Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
# NOTE(review): the rule below is cut at the opening brace; the target domains and the signal
# permissions it grants are not in this listing.
1681 allow system_server {
# crashrecovery_prop: only init and system_server may set it; file access is additionally
# left open to dumpstate.
1690 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
1691 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
1693 # Do not allow anything other than system_server and init to touch /metadata/tradeinmode.
1694 neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms;
1700 -system_server