#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# NOTE(review): this is the most privileged framework domain on the device, so
# every rule in this file widens what a compromise of system_server can reach.
# Prefer per-type and per-ioctl grants over domain-wide ones when adding rules.
#

typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
typeattribute system_server bpfdomain;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

userfaultfd_use(system_server)

# Create a socket for connections from crash_dump.
# The type_transition only chooses the label for a sock_file of this name
# created under system_data_file; the create permission on
# system_ndebug_socket itself is granted later in this file.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";

allow system_server zygote_tmpfs:file { map read };
# Writable, mappable access to app-domain tmpfs files (presumably shared-memory
# regions handed over by apps). The app controls that memory, so nothing read
# from such a mapping can be trusted without validation.
allow system_server appdomain_tmpfs:file { getattr map read write };

# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;

# To create files, get permission to fill blocks, and configure Incremental File System
# With no allowxperm rule for this (source, target, class), `ioctl` would cover
# every command the driver exposes; the allowlist below restricts it to these.
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
  INCFS_IOCTL_CREATE_FILE
  INCFS_IOCTL_CREATE_MAPPED_FILE
  INCFS_IOCTL_PERMIT_FILL
  INCFS_IOCTL_GET_READ_TIMEOUTS
  INCFS_IOCTL_SET_READ_TIMEOUTS
  INCFS_IOCTL_GET_LAST_READ_ERROR
};

# To get signature of an APK installed on Incremental File System, and fill in data
# blocks and get the filesystem state.
# FS_IOC_SETFLAGS is the one command here that changes inode attribute flags on
# an installed APK; keep it in mind when auditing what this domain may do to
# installed packages.
allowxperm system_server apk_data_file:file ioctl {
  INCFS_IOCTL_READ_SIGNATURE
  INCFS_IOCTL_FILL_BLOCKS
  INCFS_IOCTL_GET_FILLED_BLOCKS
  INCFS_IOCTL_GET_BLOCK_COUNT
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_COMPRESS_BLOCKS
  F2FS_IOC_COMPRESS_FILE
  F2FS_IOC_DECOMPRESS_FILE
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
  FS_IOC_SETFLAGS
  FS_IOC_GETFLAGS
};

allowxperm system_server apk_tmp_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# For Incremental Service to check incfs metrics
allow system_server sysfs_fs_incfs_metrics:file r_file_perms;

# For f2fs-compression support
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;

# For SdkSandboxManagerService
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;

# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

# Ignore the denial on `system@framework@com.android.location.provider.jar@classes.odex`.
# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a
# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks
# system_server. It fails to be loaded when the jar is used as a shared library, which is expected.
# dontaudit only silences the audit record; it grants nothing, so the execute
# attempt still fails as described above.
dontaudit system_server apex_art_data_file:file execute;

# For release odex/vdex compress blocks
allowxperm system_server dalvikcache_data_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
};

# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to `self`: tracing processes in other domains is not granted by this rule.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;

# May kill zygote on crashes.
allow system_server {
  app_zygote
  crash_dump
  webview_zygote
  zygote
}:process { getpgid sigkill signull };

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)

# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;

# These are the capabilities assigned by the zygote to the
# system server.
# NOTE(review): sys_ptrace, net_admin and net_raw are the weighty ones in this
# set. Equally important is what is absent: no sys_admin, dac_override,
# dac_read_search, chown, setuid or setgid is granted here, so file access by
# this domain still has to satisfy DAC.
allow system_server self:global_capability_class_set {
  ipc_lock
  kill
  net_admin
  net_bind_service
  net_broadcast
  net_raw
  sys_boot
  sys_nice
  sys_ptrace
  sys_time
  sys_tty_config
};

# Trigger module auto-load.
# This permits a kernel-initiated module-load request made on behalf of this
# process (e.g. for an unknown protocol family); the module name comes from the
# kernel's own request, not from a path chosen by system_server.
allow system_server kernel:system module_request;

# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;

# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
allow system_server self:netlink_tcpdiag_socket
  { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms_no_ioctl;
allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;

# libvintf reads the kernel config to verify vendor interface compatibility.
allow system_server config_gz:file { read open };

# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;

# Set and get routes directly via netlink.
# nlmsg_write on the route socket means this domain can change the routing
# table, not just read it.
allow system_server self:netlink_route_socket nlmsg_write;

# Use XFRM (IPsec) netlink sockets
allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };

# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
allow system_server appdomain:process { signull };

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };

# Set scheduling info for psi monitor thread.
# TODO: delete this line b/131761776
allow system_server kernel:process { getsched setsched };

# Allow system_server to write to /proc/<pid>/*
# NOTE(review): `domain` is every process type on the device and /proc/<pid>
# entries are labeled with the owning process's domain, so this is write
# access to all of /proc/<pid>/* for every process, not to one specific entry.
# The kernel's per-file checks (and DAC, since no dac_override is granted
# above) are what bound it; a dedicated proc_* type would be the way to
# narrow this.
allow system_server domain:file w_file_perms;

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device. In addition, /proc/pid files access is needed
# for dumping stack traces of native processes.
r_dir_file(system_server, domain)

# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };

# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };

# Write to /proc/sysrq-trigger.
# Writes here can trigger kernel-level actions (sysrq commands include an
# emergency reboot), so treat this as reboot-grade power over the device.
allow system_server proc_sysrq:file rw_file_perms;

# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
allow system_server stats_data_file:dir { open read remove_name search write };
allow system_server stats_data_file:file unlink;

# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;
allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
allow system_server odsign_metrics_file:file { r_file_perms unlink };

# Read /sys/kernel/debug/wakeup_sources.
# Only compiled in on builds where debugfs access is not restricted.
no_debugfs_restriction(`
  allow system_server debugfs_wakeup_sources:file r_file_perms;
')

# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;

# Read /sys/kernel/dma_heap/*.
allow system_server sysfs_dma_heap:file r_file_perms;

# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
allow system_server sysfs_dmabuf_stats:file r_file_perms;

# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;

# Allow reading /proc/vmstat for the oom kill count
allow system_server proc_vmstat:file r_file_perms;

# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)

# Allow system_server to write to statsd.
unix_socket_send(system_server, statsdw, statsd)

# Communicate over a socket created by surfaceflinger.
272allow system_server surfaceflinger:unix_stream_socket { read write setopt }; 273 274allow system_server gpuservice:unix_stream_socket { read write setopt }; 275 276# Communicate over a socket created by webview_zygote. 277allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 278 279# Communicate over a socket created by app_zygote. 280allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; 281 282# Perform Binder IPC. 283binder_use(system_server) 284binder_call(system_server, appdomain) 285binder_call(system_server, binderservicedomain) 286binder_call(system_server, composd) 287binder_call(system_server, dumpstate) 288binder_call(system_server, fingerprintd) 289binder_call(system_server, gatekeeperd) 290binder_call(system_server, gpuservice) 291binder_call(system_server, idmap) 292binder_call(system_server, installd) 293binder_call(system_server, incidentd) 294binder_call(system_server, iorapd) 295binder_call(system_server, netd) 296userdebug_or_eng(`binder_call(system_server, profcollectd)') 297binder_call(system_server, statsd) 298binder_call(system_server, storaged) 299binder_call(system_server, update_engine) 300binder_call(system_server, vold) 301binder_call(system_server, logd) 302binder_call(system_server, wificond) 303binder_call(system_server, wpantund) 304binder_service(system_server) 305 306# Use HALs 307hal_client_domain(system_server, hal_allocator) 308hal_client_domain(system_server, hal_audio) 309hal_client_domain(system_server, hal_authsecret) 310hal_client_domain(system_server, hal_broadcastradio) 311hal_client_domain(system_server, hal_codec2) 312hal_client_domain(system_server, hal_configstore) 313hal_client_domain(system_server, hal_contexthub) 314hal_client_domain(system_server, hal_face) 315hal_client_domain(system_server, hal_fingerprint) 316hal_client_domain(system_server, hal_gnss) 317hal_client_domain(system_server, hal_graphics_allocator) 318hal_client_domain(system_server, 
hal_health) 319hal_client_domain(system_server, hal_input_classifier) 320hal_client_domain(system_server, hal_input_processor) 321hal_client_domain(system_server, hal_ir) 322hal_client_domain(system_server, hal_light) 323hal_client_domain(system_server, hal_memtrack) 324hal_client_domain(system_server, hal_neuralnetworks) 325hal_client_domain(system_server, hal_oemlock) 326hal_client_domain(system_server, hal_omx) 327hal_client_domain(system_server, hal_power) 328hal_client_domain(system_server, hal_power_stats) 329hal_client_domain(system_server, hal_rebootescrow) 330hal_client_domain(system_server, hal_sensors) 331hal_client_domain(system_server, hal_tetheroffload) 332hal_client_domain(system_server, hal_thermal) 333hal_client_domain(system_server, hal_tv_cec) 334hal_client_domain(system_server, hal_tv_input) 335hal_client_domain(system_server, hal_usb) 336hal_client_domain(system_server, hal_usb_gadget) 337hal_client_domain(system_server, hal_uwb) 338hal_client_domain(system_server, hal_vibrator) 339hal_client_domain(system_server, hal_vr) 340hal_client_domain(system_server, hal_weaver) 341hal_client_domain(system_server, hal_wifi) 342hal_client_domain(system_server, hal_wifi_hostapd) 343hal_client_domain(system_server, hal_wifi_supplicant) 344# The bootctl is a pass through HAL mode under recovery mode. So we skip the 345# permission for recovery in order not to give system server the access to 346# the low level block devices. 347not_recovery(`hal_client_domain(system_server, hal_bootctl)') 348 349# Talk with graphics composer fences 350allow system_server hal_graphics_composer:fd use; 351 352# Use RenderScript always-passthrough HAL 353allow system_server hal_renderscript_hwservice:hwservice_manager find; 354allow system_server same_process_hal_file:file { execute read open getattr map }; 355 356# Talk to tombstoned to get ANR traces. 357unix_socket_connect(system_server, tombstoned_intercept, tombstoned) 358 359# List HAL interfaces to get ANR traces. 
360allow system_server hwservicemanager:hwservice_manager list; 361allow system_server servicemanager:service_manager list; 362 363# Send signals to trigger ANR traces. 364allow system_server { 365 # This is derived from the list that system server defines as interesting native processes 366 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 367 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 368 audioserver 369 cameraserver 370 drmserver 371 gpuservice 372 inputflinger 373 keystore 374 mediadrmserver 375 mediaextractor 376 mediametrics 377 mediaserver 378 mediaswcodec 379 mediatranscoding 380 mediatuner 381 netd 382 sdcardd 383 statsd 384 surfaceflinger 385 vold 386 387 # This list comes from HAL_INTERFACES_OF_INTEREST in 388 # frameworks/base/services/core/java/com/android/server/Watchdog.java. 389 hal_audio_server 390 hal_bluetooth_server 391 hal_camera_server 392 hal_codec2_server 393 hal_face_server 394 hal_fingerprint_server 395 hal_gnss_server 396 hal_graphics_allocator_server 397 hal_graphics_composer_server 398 hal_health_server 399 hal_input_processor_server 400 hal_light_server 401 hal_neuralnetworks_server 402 hal_omx_server 403 hal_power_server 404 hal_power_stats_server 405 hal_sensors_server 406 hal_vibrator_server 407 hal_vr_server 408 system_suspend_server 409}:process { signal }; 410 411# Use sockets received over binder from various services. 412allow system_server audioserver:tcp_socket rw_socket_perms; 413allow system_server audioserver:udp_socket rw_socket_perms; 414allow system_server mediaserver:tcp_socket rw_socket_perms; 415allow system_server mediaserver:udp_socket rw_socket_perms; 416 417# Use sockets received over binder from various services. 418allow system_server mediadrmserver:tcp_socket rw_socket_perms; 419allow system_server mediadrmserver:udp_socket rw_socket_perms; 420 421# Allow writing performance tracing data to the Perfetto traced daemon. 
This 422# requires connecting to its producer socket and obtaining a (per-process) 423# tmpfs fd. 424perfetto_producer(system_server) 425 426# Allow performance profiling by the platform itself. 427can_profile_heap(system_server) 428can_profile_perf(system_server) 429 430# Get file context 431allow system_server file_contexts_file:file r_file_perms; 432# access for mac_permissions 433allow system_server mac_perms_file: file r_file_perms; 434# Check SELinux permissions. 435selinux_check_access(system_server) 436 437allow system_server sysfs_type:dir r_dir_perms; 438 439r_dir_file(system_server, sysfs_android_usb) 440allow system_server sysfs_android_usb:file w_file_perms; 441 442r_dir_file(system_server, sysfs_extcon) 443 444r_dir_file(system_server, sysfs_ipv4) 445allow system_server sysfs_ipv4:file w_file_perms; 446 447r_dir_file(system_server, sysfs_rtc) 448r_dir_file(system_server, sysfs_switch) 449 450allow system_server sysfs_nfc_power_writable:file rw_file_perms; 451allow system_server sysfs_power:dir search; 452allow system_server sysfs_power:file rw_file_perms; 453allow system_server sysfs_thermal:dir search; 454allow system_server sysfs_thermal:file r_file_perms; 455allow system_server sysfs_uhid:dir r_dir_perms; 456allow system_server sysfs_uhid:file rw_file_perms; 457 458# TODO: Remove when HALs are forced into separate processes 459allow system_server sysfs_vibrator:file { write append }; 460 461# TODO: added to match above sysfs rule. Remove me? 462allow system_server sysfs_usb:file w_file_perms; 463 464# Access devices. 
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server gpu_device:dir r_dir_perms;
allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;

# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;

# tun device used for 3rd party vpn apps and test network manager
# The ioctl set on the tun device is explicitly allowlisted; keep additions
# to this list rather than granting a bare `ioctl`.
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };

# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
allow system_server ota_package_file:file create_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
# notdevfile_class_set (per global_macros) covers the non-device file classes,
# so this does not let system_server create chr_file/blk_file nodes here.
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)

# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
# Debug builds only; user builds get no access to su-owned pipes.
userdebug_or_eng(`
  allow system_server su:fifo_file append;
')

# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;

# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
# Note there is no `open` here: system_server can only use an fd it receives.
allow system_server incident_data_file:file read;

# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;

# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;

# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;

# Manage /data/misc/adb.
# NOTE(review): adb_keys_file is, going by its type name, the adb
# authorized-key store; write access here decides which hosts can authenticate
# over adb, so these two rules should stay confined to this domain.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;

# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;

# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Allow write access to be able to truncate tombstones.
allow system_server tombstone_data_file:file write;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;

# Manage /data/rollback.
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };

# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };

# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# NOTE(review): legacy upgrade path; worth confirming it is still needed on
# current shipping devices, since `unlabeled` is a catch-all type.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Deliberately no `open`: system_server can read/write/map an fd an app hands
# it, but cannot open app-private files by path itself.
allow system_server app_data_file_type:file { getattr read write append map };

# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };

# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
# As above, no `open` on the file class; only received fds are usable.
allow system_server media_rw_data_file:file { getattr read write append };

# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
allow system_server system_server:process setfscreate;

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };

# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;

# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;

# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;

# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };

# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
# This duplicates the system_data_file:dir relabelfrom rule in the
# ShortcutManager section above; harmless (rules merge), kept for the comment.
allow system_server system_data_file:dir relabelfrom;

# server_configurable_flags_data_file is used for storing server configurable flags which
# have been reset during current booting. system_server needs to read the data to perform related
# disaster recovery actions.
# Read-only access to the server-configurable-flags data directory.
allow system_server server_configurable_flags_data_file:dir r_dir_perms;
allow system_server server_configurable_flags_data_file:file r_file_perms;

# Property Service write
# NOTE(review): set_prop() is the property *write* macro; in AOSP it normally
# also expands to get_prop(), so each context below is readable too — confirm
# against te_macros for this tree.
set_prop(system_server, system_prop)
set_prop(system_server, bootanim_system_prop)
set_prop(system_server, bluetooth_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
set_prop(system_server, usb_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
set_prop(system_server, boot_status_prop)
set_prop(system_server, surfaceflinger_color_prop)
set_prop(system_server, provisioned_prop)
set_prop(system_server, retaildemo_prop)
set_prop(system_server, dmesgd_start_prop)
# Debug-only property writes (userdebug/eng builds).
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')

# ctl interface
# These let system_server drive init's service control properties
# (ctl.* for the default, bugreport and gsid targets).
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
set_prop(system_server, ctl_gsid_prop)

# cppreopt property
set_prop(system_server, cppreopt_prop)

# server configurable flags properties
# A neverallow further down in this file restricts which other domains may
# set a subset of these contexts; not every context listed here appears in
# that neverallow.
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_lmkd_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_mglru_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)

# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)

# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)

# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)

# Read device's serial number from system properties
get_prop(system_server, serialno_prop)

# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)

# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)

# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)

# Read gsid.image_running.
get_prop(system_server, gsid_prop)

# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)

# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)

# Read wifi.interface
get_prop(system_server, wifi_prop)

# Read the vendor property that indicates if Incremental features is enabled
get_prop(system_server, incremental_prop)

# Read ro.zram. properties
get_prop(system_server, zram_config_prop)

# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)

# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)

# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)

# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)

# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)

# Create a socket for connections from debuggerd.
# (The type_transition for "ndebugsocket" is declared near the top of this file;
# a neverallow below limits who may open/write it.)
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Create a socket for connections from zygotes.
# (Same pattern: type_transition above, neverallow below.)
allow system_server system_unsolzygote_socket:sock_file create_file_perms;

# Manage cache files.
# relabelfrom is needed because system_server relabels entries under /cache.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

# Directory and symlink traversal on /system; plain files are not read here.
allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;

# ART locks profile files.
allow system_server system_file:file lock;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
# Note the absence of create/bind/connect: system_server may only operate on
# socket and pipe descriptors that apps hand to it, not create its own in
# their name.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir create_dir_perms;
allow system_server cache_private_backup_file:file create_file_perms;

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;

# Register system_server's own services, then the servicemanager lookups
# system_server needs for the daemons it talks to.
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
userdebug_or_eng(`
  allow system_server profcollectd_service:service_manager find;
')

add_service(system_server, batteryproperties_service)

# Keystore access, in three layers: the legacy keystore_key class, the
# keystore2 management interface, and keystore2_key operations on keys owned
# by the keystore domain itself.
allow system_server keystore:keystore_key {
  get_state
  get
  insert
  delete
  exist
  list
  reset
  password
  lock
  unlock
  is_empty
  sign
  verify
  grant
  duplicate
  clear_uid
  add_auth
  user_changed
};

# Management operations: auth tokens, password/user lifecycle, namespace and
# uid clearing, lock/unlock and reset. These are device-wide operations, not
# per-key ones.
allow system_server keystore:keystore2 {
  add_auth
  change_password
  change_user
  clear_ns
  clear_uid
  get_state
  lock
  pull_metrics
  reset
  unlock
};

allow system_server keystore:keystore2_key {
  delete
  use_dev_id
  grant
  get_info
  rebind
  update
  use
};

# Allow Wifi module to manage Wi-Fi keys.
# No grant/use_dev_id here: wifi keys are used and replaced, never granted out.
allow system_server wifi_key:keystore2_key {
  delete
  get_info
  rebind
  update
  use
};

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
  delete
  get_info
  rebind
  update
  use
};

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
  delete
  get_info
  rebind
  update
  use
};


# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# This is the only block device system_server may write; a neverallow later in
# this file enforces that. Discard ioctls are allowlisted explicitly so the
# generic ioctl permission cannot reach other block-device ioctls.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };

# /oem access
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
# Only getattr/search: opening files on removable storage is neverallowed below.
allow system_server { sdcard_type fuse }:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

userdebug_or_eng(`
  # Allow system server to create and write method traces in /data/misc/trace.
  allow system_server method_trace_data_file:dir w_dir_perms;
  allow system_server method_trace_data_file:file { create w_file_perms };

  # Allow system server to read dmesg
  allow system_server kernel:system syslog_read;

  # Allow writing and removing window traces in /data/misc/wmtrace.
  allow system_server wm_trace_data_file:dir rw_dir_perms;
  allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };

  # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
  allow system_server accessibility_trace_data_file:dir rw_dir_perms;
  allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.
# system_server uses a /dev/fuse descriptor handed over by vold (fd use).
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd:unix_stream_socket connectto;
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Allow invoking tools like "timeout"
# toolbox_exec is one of the few execute_no_trans exceptions carved out of the
# neverallow below; do not widen this without updating that rule.
allow system_server toolbox_exec:file rx_file_perms;

# Allow system process to setup and measure fs-verity
allowxperm system_server apk_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

# Pipes and descriptors inherited from the OTA path (postinstall, update_engine).
allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads
# Read plus unlink/rmdir only: system_server consumes and removes preloads, it
# does not create them.
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;

# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Read-only /proc views used for accounting and diagnostics.
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
  proc_cmdline
  proc_loadavg
  proc_locks
  proc_meminfo
  proc_pagetypeinfo
  proc_pipe_conf
  proc_stat
  proc_uid_cputime_showstat
  proc_uid_io_stats
  proc_uid_time_in_state
  proc_uid_concurrent_active_time
  proc_uid_concurrent_policy_time
  proc_version
  proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
# Only the wifi tracing instance is writable; the parent instances dir is
# search-only.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;

# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
# These three types are also excluded from the execute_no_trans neverallow
# below under the same with_asan() guard.
with_asan(`
  allow system_server shell_exec:file rx_file_perms;
  allow system_server asanwrapper_exec:file rx_file_perms;
  allow system_server zygote_exec:file rx_file_perms;
')

# allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
# NOTE(review): fs_bpf_netd_readonly gets { read write } here; presumably the
# "readonly" in the type name describes netd's side of the map, not
# system_server's — confirm before relying on the name.
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;

# Allow system_server to start clatd in its own domain and kill it.
# clatd is one of only two permitted process transitions (see the neverallow
# on process transition below).
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process signal;

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# privileged apps which acquire the permissions to inspect the profiles.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able create files but it should never read from them.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir w_dir_perms;

# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
# Read access to this property is restricted by a neverallow near the end of
# this file.
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know it should expect the lmkd sends notification to it
# on low memory kills.
get_prop(system_server, system_lmk_prop)

get_prop(system_server, wifi_config_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
# (enforced by a neverallowxperm on every other domain at the end of this file).
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Watchdog prints debugging log to /dev/kmsg_debug.
userdebug_or_eng(`
  allow system_server kmsg_debug_device:chr_file { open append getattr };
')
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)


# Font files are written by system server
# (the only writer besides init, per the neverallow at the end of this file).
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
# Allow system process to setup fs-verity for font files
allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;

# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)

# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server { sdcard_type fuse }:dir { open read write };
neverallow system_server { sdcard_type fuse }:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
  app_data_file_type
  -system_app_data_file
  -radio_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
# The exceptions must stay in sync with the rx_file_perms allows earlier in
# this file (toolbox_exec, and the ASAN-only shell/asanwrapper/zygote).
neverallow system_server {
  file_type
  -toolbox_exec
  -logcat_exec
  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
neverallow system_server { domain -clatd -crash_dump }:process transition;
neverallow system_server *:process dyntransition;

# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
  domain
  -init
  -system_server
  -zygote
  -app_zygote
  -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags
# NOTE(review): this list covers only part of the device_config_* contexts
# system_server is granted set_prop on earlier in this file. Not listed here:
# device_config_profcollect_native_boot_prop, device_config_statsd_native_prop,
# device_config_statsd_native_boot_prop, device_config_configuration_prop,
# device_config_vendor_system_native_prop,
# device_config_vendor_system_native_boot_prop and
# device_config_virtualization_framework_native_prop. They may be protected by
# equivalent neverallows in other .te files — confirm, or add them here.
neverallow {
  domain
  -init
  -system_server
  -flags_health_check
} {
  device_config_activity_manager_native_boot_prop
  device_config_connectivity_prop
  device_config_input_native_boot_prop
  device_config_lmkd_native_prop
  device_config_netd_native_prop
  device_config_nnapi_native_prop
  device_config_runtime_native_boot_prop
  device_config_runtime_native_prop
  device_config_media_native_prop
  device_config_mglru_native_prop
  device_config_storage_native_boot_prop
  device_config_surface_flinger_native_boot_prop
  device_config_sys_traced_prop
  device_config_swcodec_native_prop
  device_config_window_manager_native_boot_prop
}:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
# The system_server may need to read from vd_device if it uses
# block apexes.
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
# Note that the swiftshader branch replaces the neverallow entirely: on such
# builds nothing asserts the absence of execmem for system_server.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
  `allow system_server self:process execmem;',
  `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup
# read/write/map only — no execute on the startup tmpfs.
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;

# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate to system-suspend's wakelock interface
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
  apex_appsearch_data_file
  apex_permission_data_file
  apex_scheduling_data_file
  apex_tethering_data_file
  apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
  apex_appsearch_data_file
  apex_permission_data_file
  apex_scheduling_data_file
  apex_tethering_data_file
  apex_wifi_data_file
}:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
# /metadata survives factory reset; the neverallows at the end of this file
# keep every other domain except init out of these two directories.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
allow system_server userspace_reboot_metadata_file:file create_file_perms;

# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;

allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;

allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;

# Allow system server read and remove files under /data/misc/odrefresh
allow system_server odrefresh_data_file:dir rw_dir_perms;
allow system_server odrefresh_data_file:file { r_file_perms unlink };

# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
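allow system_server surfaceflinger_exec:file r_file_perms;

# Allow system_server to set the sysprop used to compute stats about userspace reboot.
# (The previous comment said "init"; the rule is for system_server.)
set_prop(system_server, userspace_reboot_log_prop)

# JVMTI agent settings are readable only by system_server, plus init,
# vendor_init and dumpstate.
neverallow {
  domain
  -system_server
  -dumpstate
  -init
  -vendor_init
} {
  system_jvmti_agent_prop
}:file no_rw_file_perms;

# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;

# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;

# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;

# Only system_server/init should access /metadata/password_slots.
# Both rules deny every permission (`*`) to every other domain. A narrower
# "~{ relabelto getattr }" variant that used to sit between them was fully
# subsumed by the `*` rule and has been dropped; it only suggested an
# exception that never existed.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

# Only system_server/init should access /metadata/userspacereboot.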
# Unlike password_slots above, only read/write-class permissions on the files
# are denied here; the directory itself is fully locked down.
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;

# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
  binder_cache_system_server_prop:property_service set;

# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
# The allow and the neverallow are exact complements: any future widening of
# the allow must also edit the neverallow, which is the point.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };

# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;

neverallow { domain -init -system_server } boot_status_prop:property_service set;

# wifi_config_prop is readable by system_server (get_prop above) and by
# init, vendor_init and dumpstate; everyone else is denied at the file level.
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_server
} wifi_config_prop:file no_rw_file_perms;

# Only allow system server to write uhid sysfs files
# (init, vendor_init and ueventd are also exempt; the matching allow for
# system_server is not in this part of the file).
neverallow {
  domain
  -init
  -system_server
  -ueventd
  -vendor_init
} sysfs_uhid:file no_w_file_perms;

# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;