1*e4a36f41SAndroid Build Coastguard Worker# 2*e4a36f41SAndroid Build Coastguard Worker# System Server aka system_server spawned by zygote. 3*e4a36f41SAndroid Build Coastguard Worker# Most of the framework services run in this process. 4*e4a36f41SAndroid Build Coastguard Worker# 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server coredomain; 7*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server mlstrustedsubject; 8*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server remote_provisioning_service_server; 9*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server scheduler_service_server; 10*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server sensor_service_server; 11*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server stats_service_server; 12*e4a36f41SAndroid Build Coastguard Workertypeattribute system_server bpfdomain; 13*e4a36f41SAndroid Build Coastguard Worker 14*e4a36f41SAndroid Build Coastguard Worker# Define a type for tmpfs-backed ashmem regions. 15*e4a36f41SAndroid Build Coastguard Workertmpfs_domain(system_server) 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Workeruserfaultfd_use(system_server) 18*e4a36f41SAndroid Build Coastguard Worker 19*e4a36f41SAndroid Build Coastguard Worker# Create a socket for connections from crash_dump. 20*e4a36f41SAndroid Build Coastguard Workertype_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; 21*e4a36f41SAndroid Build Coastguard Worker 22*e4a36f41SAndroid Build Coastguard Worker# Create a socket for connections from zygotes. 
23*e4a36f41SAndroid Build Coastguard Workertype_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; 24*e4a36f41SAndroid Build Coastguard Worker 25*e4a36f41SAndroid Build Coastguard Workerallow system_server zygote_tmpfs:file { map read }; 26*e4a36f41SAndroid Build Coastguard Workerallow system_server appdomain_tmpfs:file { getattr map read write }; 27*e4a36f41SAndroid Build Coastguard Worker 28*e4a36f41SAndroid Build Coastguard Worker# For Incremental Service to check if incfs is available 29*e4a36f41SAndroid Build Coastguard Workerallow system_server proc_filesystems:file r_file_perms; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker# To create files, get permission to fill blocks, and configure Incremental File System 32*e4a36f41SAndroid Build Coastguard Workerallow system_server incremental_control_file:file { ioctl r_file_perms }; 33*e4a36f41SAndroid Build Coastguard Workerallowxperm system_server incremental_control_file:file ioctl { 34*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_CREATE_FILE 35*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_CREATE_MAPPED_FILE 36*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_PERMIT_FILL 37*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_GET_READ_TIMEOUTS 38*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_SET_READ_TIMEOUTS 39*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_GET_LAST_READ_ERROR 40*e4a36f41SAndroid Build Coastguard Worker}; 41*e4a36f41SAndroid Build Coastguard Worker 42*e4a36f41SAndroid Build Coastguard Worker# To get signature of an APK installed on Incremental File System, and fill in data 43*e4a36f41SAndroid Build Coastguard Worker# blocks and get the filesystem state 44*e4a36f41SAndroid Build Coastguard Workerallowxperm system_server apk_data_file:file ioctl { 45*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_READ_SIGNATURE 46*e4a36f41SAndroid Build Coastguard Worker 
INCFS_IOCTL_FILL_BLOCKS 47*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_GET_FILLED_BLOCKS 48*e4a36f41SAndroid Build Coastguard Worker INCFS_IOCTL_GET_BLOCK_COUNT 49*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_GET_FEATURES 50*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_GET_COMPRESS_BLOCKS 51*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_COMPRESS_FILE 52*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_DECOMPRESS_FILE 53*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_RELEASE_COMPRESS_BLOCKS 54*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_RESERVE_COMPRESS_BLOCKS 55*e4a36f41SAndroid Build Coastguard Worker FS_IOC_SETFLAGS 56*e4a36f41SAndroid Build Coastguard Worker FS_IOC_GETFLAGS 57*e4a36f41SAndroid Build Coastguard Worker}; 58*e4a36f41SAndroid Build Coastguard Worker 59*e4a36f41SAndroid Build Coastguard Workerallowxperm system_server apk_tmp_file:file ioctl { 60*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_RELEASE_COMPRESS_BLOCKS 61*e4a36f41SAndroid Build Coastguard Worker FS_IOC_GETFLAGS 62*e4a36f41SAndroid Build Coastguard Worker}; 63*e4a36f41SAndroid Build Coastguard Worker 64*e4a36f41SAndroid Build Coastguard Worker# For Incremental Service to check incfs metrics 65*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_fs_incfs_metrics:file r_file_perms; 66*e4a36f41SAndroid Build Coastguard Worker 67*e4a36f41SAndroid Build Coastguard Worker# For f2fs-compression support 68*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_fs_f2fs:dir r_dir_perms; 69*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_fs_f2fs:file r_file_perms; 70*e4a36f41SAndroid Build Coastguard Worker 71*e4a36f41SAndroid Build Coastguard Worker# For SdkSandboxManagerService 72*e4a36f41SAndroid Build Coastguard Workerallow system_server sdk_sandbox_system_data_file:dir create_dir_perms; 73*e4a36f41SAndroid Build Coastguard Worker 74*e4a36f41SAndroid Build Coastguard Worker# For art. 
75*e4a36f41SAndroid Build Coastguard Workerallow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms; 76*e4a36f41SAndroid Build Coastguard Workerallow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms; 77*e4a36f41SAndroid Build Coastguard Worker 78*e4a36f41SAndroid Build Coastguard Worker# Ignore the denial on `system@[email protected]@classes.odex`. 79*e4a36f41SAndroid Build Coastguard Worker# `com.android.location.provider.jar` happens to be both a jar on system server classpath and a 80*e4a36f41SAndroid Build Coastguard Worker# shared library used by a system server app. The odex file is loaded fine by Zygote when it forks 81*e4a36f41SAndroid Build Coastguard Worker# system_server. It fails to be loaded when the jar is used as a shared library, which is expected. 82*e4a36f41SAndroid Build Coastguard Workerdontaudit system_server apex_art_data_file:file execute; 83*e4a36f41SAndroid Build Coastguard Worker 84*e4a36f41SAndroid Build Coastguard Worker# For release odex/vdex compress blocks 85*e4a36f41SAndroid Build Coastguard Workerallowxperm system_server dalvikcache_data_file:file ioctl { 86*e4a36f41SAndroid Build Coastguard Worker F2FS_IOC_RELEASE_COMPRESS_BLOCKS 87*e4a36f41SAndroid Build Coastguard Worker FS_IOC_GETFLAGS 88*e4a36f41SAndroid Build Coastguard Worker}; 89*e4a36f41SAndroid Build Coastguard Worker 90*e4a36f41SAndroid Build Coastguard Worker# When running system server under --invoke-with, we'll try to load the boot image under the 91*e4a36f41SAndroid Build Coastguard Worker# system server domain, following links to the system partition. 
92*e4a36f41SAndroid Build Coastguard Workerwith_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') 93*e4a36f41SAndroid Build Coastguard Worker 94*e4a36f41SAndroid Build Coastguard Worker# /data/resource-cache 95*e4a36f41SAndroid Build Coastguard Workerallow system_server resourcecache_data_file:file r_file_perms; 96*e4a36f41SAndroid Build Coastguard Workerallow system_server resourcecache_data_file:dir r_dir_perms; 97*e4a36f41SAndroid Build Coastguard Worker 98*e4a36f41SAndroid Build Coastguard Worker# ptrace to processes in the same domain for debugging crashes. 99*e4a36f41SAndroid Build Coastguard Workerallow system_server self:process ptrace; 100*e4a36f41SAndroid Build Coastguard Worker 101*e4a36f41SAndroid Build Coastguard Worker# Child of the zygote. 102*e4a36f41SAndroid Build Coastguard Workerallow system_server zygote:fd use; 103*e4a36f41SAndroid Build Coastguard Workerallow system_server zygote:process sigchld; 104*e4a36f41SAndroid Build Coastguard Worker 105*e4a36f41SAndroid Build Coastguard Worker# May kill zygote (or its child processes) on crashes. 106*e4a36f41SAndroid Build Coastguard Workerallow system_server { 107*e4a36f41SAndroid Build Coastguard Worker app_zygote 108*e4a36f41SAndroid Build Coastguard Worker crash_dump 109*e4a36f41SAndroid Build Coastguard Worker crosvm 110*e4a36f41SAndroid Build Coastguard Worker virtualizationmanager 111*e4a36f41SAndroid Build Coastguard Worker webview_zygote 112*e4a36f41SAndroid Build Coastguard Worker zygote 113*e4a36f41SAndroid Build Coastguard Worker}:process { getpgid sigkill signull }; 114*e4a36f41SAndroid Build Coastguard Worker 115*e4a36f41SAndroid Build Coastguard Worker# Read /system/bin/app_process. 
116*e4a36f41SAndroid Build Coastguard Workerallow system_server zygote_exec:file r_file_perms; 117*e4a36f41SAndroid Build Coastguard Worker 118*e4a36f41SAndroid Build Coastguard Worker# Needed to close the zygote socket, which involves getopt / getattr 119*e4a36f41SAndroid Build Coastguard Workerallow system_server zygote:unix_stream_socket { getopt getattr }; 120*e4a36f41SAndroid Build Coastguard Worker 121*e4a36f41SAndroid Build Coastguard Worker# system server gets network and bluetooth permissions. 122*e4a36f41SAndroid Build Coastguard Workernet_domain(system_server) 123*e4a36f41SAndroid Build Coastguard Worker# in addition to ioctls allowlisted for all domains, also allow system_server 124*e4a36f41SAndroid Build Coastguard Worker# to use privileged ioctls commands. Needed to set up VPNs. 125*e4a36f41SAndroid Build Coastguard Workerallowxperm system_server self:udp_socket ioctl priv_sock_ioctls; 126*e4a36f41SAndroid Build Coastguard Workerbluetooth_domain(system_server) 127*e4a36f41SAndroid Build Coastguard Worker 128*e4a36f41SAndroid Build Coastguard Worker# Allow setup of tcp keepalive offload. This gives system_server the permission to 129*e4a36f41SAndroid Build Coastguard Worker# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to 130*e4a36f41SAndroid Build Coastguard Worker# be granted individually, except for a small set of safe values allowlisted in 131*e4a36f41SAndroid Build Coastguard Worker# public/domain.te. 132*e4a36f41SAndroid Build Coastguard Workerallow system_server appdomain:tcp_socket ioctl; 133*e4a36f41SAndroid Build Coastguard Worker 134*e4a36f41SAndroid Build Coastguard Worker# These are the capabilities assigned by the zygote to the 135*e4a36f41SAndroid Build Coastguard Worker# system server. 
136*e4a36f41SAndroid Build Coastguard Workerallow system_server self:global_capability_class_set { 137*e4a36f41SAndroid Build Coastguard Worker ipc_lock 138*e4a36f41SAndroid Build Coastguard Worker kill 139*e4a36f41SAndroid Build Coastguard Worker net_admin 140*e4a36f41SAndroid Build Coastguard Worker net_bind_service 141*e4a36f41SAndroid Build Coastguard Worker net_broadcast 142*e4a36f41SAndroid Build Coastguard Worker net_raw 143*e4a36f41SAndroid Build Coastguard Worker sys_boot 144*e4a36f41SAndroid Build Coastguard Worker sys_nice 145*e4a36f41SAndroid Build Coastguard Worker sys_ptrace 146*e4a36f41SAndroid Build Coastguard Worker sys_time 147*e4a36f41SAndroid Build Coastguard Worker sys_tty_config 148*e4a36f41SAndroid Build Coastguard Worker}; 149*e4a36f41SAndroid Build Coastguard Worker 150*e4a36f41SAndroid Build Coastguard Worker# Allow alarmtimers to be set 151*e4a36f41SAndroid Build Coastguard Workerallow system_server self:global_capability2_class_set wake_alarm; 152*e4a36f41SAndroid Build Coastguard Worker 153*e4a36f41SAndroid Build Coastguard Worker# Create and share netlink_netfilter_sockets for tetheroffload. 154*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; 155*e4a36f41SAndroid Build Coastguard Worker 156*e4a36f41SAndroid Build Coastguard Worker# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps. 157*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_tcpdiag_socket 158*e4a36f41SAndroid Build Coastguard Worker { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; 159*e4a36f41SAndroid Build Coastguard Worker 160*e4a36f41SAndroid Build Coastguard Worker# Use netlink uevent sockets. 
161*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 162*e4a36f41SAndroid Build Coastguard Worker 163*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl; 164*e4a36f41SAndroid Build Coastguard Worker 165*e4a36f41SAndroid Build Coastguard Worker# Use generic netlink sockets. 166*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_socket create_socket_perms_no_ioctl; 167*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; 168*e4a36f41SAndroid Build Coastguard Worker 169*e4a36f41SAndroid Build Coastguard Worker# libvintf reads the kernel config to verify vendor interface compatibility. 170*e4a36f41SAndroid Build Coastguard Workerallow system_server config_gz:file { read open }; 171*e4a36f41SAndroid Build Coastguard Worker 172*e4a36f41SAndroid Build Coastguard Worker# Use generic "sockets" where the address family is not known 173*e4a36f41SAndroid Build Coastguard Worker# to the kernel. The ioctl permission is specifically omitted here, but may 174*e4a36f41SAndroid Build Coastguard Worker# be added to device specific policy along with the ioctl commands to be 175*e4a36f41SAndroid Build Coastguard Worker# allowlisted. 176*e4a36f41SAndroid Build Coastguard Workerallow system_server self:socket create_socket_perms_no_ioctl; 177*e4a36f41SAndroid Build Coastguard Worker 178*e4a36f41SAndroid Build Coastguard Worker# Set and get routes directly via netlink. 
179*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_route_socket nlmsg_write; 180*e4a36f41SAndroid Build Coastguard Worker 181*e4a36f41SAndroid Build Coastguard Worker# Use XFRM (IPsec) netlink sockets 182*e4a36f41SAndroid Build Coastguard Workerallow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read }; 183*e4a36f41SAndroid Build Coastguard Worker 184*e4a36f41SAndroid Build Coastguard Worker# Kill apps. 185*e4a36f41SAndroid Build Coastguard Workerallow system_server appdomain:process { getpgid sigkill signal }; 186*e4a36f41SAndroid Build Coastguard Worker# signull allowed for kill(pid, 0) existence test. 187*e4a36f41SAndroid Build Coastguard Workerallow system_server appdomain:process { signull }; 188*e4a36f41SAndroid Build Coastguard Worker 189*e4a36f41SAndroid Build Coastguard Worker# Set scheduling info for apps. 190*e4a36f41SAndroid Build Coastguard Workerallow system_server appdomain:process { getsched setsched }; 191*e4a36f41SAndroid Build Coastguard Workerallow system_server audioserver:process { getsched setsched }; 192*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_audio:process { getsched setsched }; 193*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_bluetooth:process { getsched setsched }; 194*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_codec2_server:process { getsched setsched }; 195*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_omx_server:process { getsched setsched }; 196*e4a36f41SAndroid Build Coastguard Workerallow system_server mediaswcodec:process { getsched setsched }; 197*e4a36f41SAndroid Build Coastguard Workerallow system_server cameraserver:process { getsched setsched }; 198*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_camera:process { getsched setsched }; 199*e4a36f41SAndroid Build Coastguard Workerallow system_server mediaserver:process { getsched setsched }; 200*e4a36f41SAndroid 
Build Coastguard Workerallow system_server bootanim:process { getsched setsched }; 201*e4a36f41SAndroid Build Coastguard Worker# Set scheduling info for VMs (b/375058190) 202*e4a36f41SAndroid Build Coastguard Workerallow system_server { virtualizationmanager crosvm }:process { getsched setsched }; 203*e4a36f41SAndroid Build Coastguard Worker 204*e4a36f41SAndroid Build Coastguard Worker# Set scheduling info for psi monitor thread. 205*e4a36f41SAndroid Build Coastguard Worker# TODO: delete this line b/131761776 206*e4a36f41SAndroid Build Coastguard Workerallow system_server kernel:process { getsched setsched }; 207*e4a36f41SAndroid Build Coastguard Worker 208*e4a36f41SAndroid Build Coastguard Worker# Allow system_server to write to /proc/<pid>/* 209*e4a36f41SAndroid Build Coastguard Workerallow system_server domain:file w_file_perms; 210*e4a36f41SAndroid Build Coastguard Worker 211*e4a36f41SAndroid Build Coastguard Worker# Read /proc/pid data for all domains. This is used by ProcessCpuTracker 212*e4a36f41SAndroid Build Coastguard Worker# within system_server to keep track of memory and CPU usage for 213*e4a36f41SAndroid Build Coastguard Worker# all processes on the device. In addition, /proc/pid files access is needed 214*e4a36f41SAndroid Build Coastguard Worker# for dumping stack traces of native processes. 215*e4a36f41SAndroid Build Coastguard Workerr_dir_file(system_server, domain) 216*e4a36f41SAndroid Build Coastguard Worker 217*e4a36f41SAndroid Build Coastguard Worker# Write /proc/uid_cputime/remove_uid_range. 218*e4a36f41SAndroid Build Coastguard Workerallow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; 219*e4a36f41SAndroid Build Coastguard Worker 220*e4a36f41SAndroid Build Coastguard Worker# Write /proc/uid_procstat/set. 
221*e4a36f41SAndroid Build Coastguard Workerallow system_server proc_uid_procstat_set:file { w_file_perms getattr }; 222*e4a36f41SAndroid Build Coastguard Worker 223*e4a36f41SAndroid Build Coastguard Worker# Write to /proc/sysrq-trigger. 224*e4a36f41SAndroid Build Coastguard Workerallow system_server proc_sysrq:file rw_file_perms; 225*e4a36f41SAndroid Build Coastguard Worker 226*e4a36f41SAndroid Build Coastguard Worker# Delete /data/misc/stats-service/ directories. 227*e4a36f41SAndroid Build Coastguard Workerallow system_server stats_config_data_file:dir { open read remove_name search write }; 228*e4a36f41SAndroid Build Coastguard Workerallow system_server stats_config_data_file:file unlink; 229*e4a36f41SAndroid Build Coastguard Worker 230*e4a36f41SAndroid Build Coastguard Worker# Read metric file & upload to statsd 231*e4a36f41SAndroid Build Coastguard Workerallow system_server odsign_data_file:dir search; 232*e4a36f41SAndroid Build Coastguard Workerallow system_server odsign_metrics_file:dir { r_dir_perms write remove_name }; 233*e4a36f41SAndroid Build Coastguard Workerallow system_server odsign_metrics_file:file { r_file_perms unlink }; 234*e4a36f41SAndroid Build Coastguard Worker 235*e4a36f41SAndroid Build Coastguard Worker# Read /sys/kernel/debug/wakeup_sources. 236*e4a36f41SAndroid Build Coastguard Workerno_debugfs_restriction(` 237*e4a36f41SAndroid Build Coastguard Worker allow system_server debugfs_wakeup_sources:file r_file_perms; 238*e4a36f41SAndroid Build Coastguard Worker') 239*e4a36f41SAndroid Build Coastguard Worker 240*e4a36f41SAndroid Build Coastguard Worker# Read /sys/kernel/ion/*. 241*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_ion:file r_file_perms; 242*e4a36f41SAndroid Build Coastguard Worker 243*e4a36f41SAndroid Build Coastguard Worker# Read /sys/kernel/dma_heap/*. 
244*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_dma_heap:file r_file_perms; 245*e4a36f41SAndroid Build Coastguard Worker 246*e4a36f41SAndroid Build Coastguard Worker# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf. 247*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_dmabuf_stats:dir r_dir_perms; 248*e4a36f41SAndroid Build Coastguard Workerallow system_server sysfs_dmabuf_stats:file r_file_perms; 249*e4a36f41SAndroid Build Coastguard Worker 250*e4a36f41SAndroid Build Coastguard Worker# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap 251*e4a36f41SAndroid Build Coastguard Worker# for dumpsys meminfo 252*e4a36f41SAndroid Build Coastguard Workerallow system_server dmabuf_heap_device:dir r_dir_perms; 253*e4a36f41SAndroid Build Coastguard Worker 254*e4a36f41SAndroid Build Coastguard Worker# Allow reading /proc/vmstat for the oom kill count 255*e4a36f41SAndroid Build Coastguard Workerallow system_server proc_vmstat:file r_file_perms; 256*e4a36f41SAndroid Build Coastguard Worker 257*e4a36f41SAndroid Build Coastguard Worker# The DhcpClient and WifiWatchdog use packet_sockets 258*e4a36f41SAndroid Build Coastguard Workerallow system_server self:packet_socket create_socket_perms_no_ioctl; 259*e4a36f41SAndroid Build Coastguard Worker 260*e4a36f41SAndroid Build Coastguard Worker# 3rd party VPN clients require a tun_socket to be created 261*e4a36f41SAndroid Build Coastguard Workerallow system_server self:tun_socket create_socket_perms_no_ioctl; 262*e4a36f41SAndroid Build Coastguard Worker 263*e4a36f41SAndroid Build Coastguard Worker# Talk to init and various daemons via sockets. 
264*e4a36f41SAndroid Build Coastguard Workerunix_socket_connect(system_server, lmkd, lmkd) 265*e4a36f41SAndroid Build Coastguard Workerunix_socket_connect(system_server, zygote, zygote) 266*e4a36f41SAndroid Build Coastguard Workerunix_socket_connect(system_server, uncrypt, uncrypt) 267*e4a36f41SAndroid Build Coastguard Worker 268*e4a36f41SAndroid Build Coastguard Worker# Allow system_server to write to statsd. 269*e4a36f41SAndroid Build Coastguard Workerunix_socket_send(system_server, statsdw, statsd) 270*e4a36f41SAndroid Build Coastguard Worker 271*e4a36f41SAndroid Build Coastguard Worker# Communicate over a socket created by surfaceflinger. 272*e4a36f41SAndroid Build Coastguard Workerallow system_server surfaceflinger:unix_stream_socket { read write setopt }; 273*e4a36f41SAndroid Build Coastguard Worker 274*e4a36f41SAndroid Build Coastguard Workerallow system_server gpuservice:unix_stream_socket { read write setopt }; 275*e4a36f41SAndroid Build Coastguard Worker 276*e4a36f41SAndroid Build Coastguard Worker# Communicate over a socket created by webview_zygote. 277*e4a36f41SAndroid Build Coastguard Workerallow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; 278*e4a36f41SAndroid Build Coastguard Worker 279*e4a36f41SAndroid Build Coastguard Worker# Communicate over a socket created by app_zygote. 280*e4a36f41SAndroid Build Coastguard Workerallow system_server app_zygote:unix_stream_socket { read write connectto setopt }; 281*e4a36f41SAndroid Build Coastguard Worker 282*e4a36f41SAndroid Build Coastguard Worker# Perform Binder IPC. 
283*e4a36f41SAndroid Build Coastguard Workerbinder_use(system_server) 284*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, appdomain) 285*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, artd) 286*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, binderservicedomain) 287*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, composd) 288*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, dexopt_chroot_setup) 289*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, dumpstate) 290*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, fingerprintd) 291*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, gatekeeperd) 292*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, gpuservice) 293*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, idmap) 294*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, installd) 295*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, incidentd) 296*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, mmd) 297*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, netd) 298*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, ot_daemon) 299*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(`binder_call(system_server, profcollectd)') 300*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, statsd) 301*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, storaged) 302*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, update_engine) 303*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, virtual_camera) 304*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, vold) 305*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, logd) 306*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, wificond) 307*e4a36f41SAndroid 
Build Coastguard Workerbinder_call(system_server, uprobestats) 308*e4a36f41SAndroid Build Coastguard Workerbinder_call(system_server, wifi_mainline_supplicant) 309*e4a36f41SAndroid Build Coastguard Workerbinder_service(system_server) 310*e4a36f41SAndroid Build Coastguard Worker 311*e4a36f41SAndroid Build Coastguard Worker# Use HALs 312*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_allocator) 313*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_audio) 314*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_authgraph) 315*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_authsecret) 316*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_bluetooth) 317*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_broadcastradio) 318*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_codec2) 319*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_configstore) 320*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_contexthub) 321*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_face) 322*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_fingerprint) 323*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_gnss) 324*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_graphics_allocator) 325*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_health) 326*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_input_classifier) 327*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_input_processor) 328*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_ir) 329*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_keymint) 
330*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_light) 331*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_mediaquality) 332*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_memtrack) 333*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_neuralnetworks) 334*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_oemlock) 335*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_omx) 336*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_power) 337*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_power_stats) 338*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_rebootescrow) 339*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf) 340*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_sensors) 341*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_secretkeeper) 342*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_tetheroffload) 343*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_thermal) 344*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_threadnetwork) 345*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_tv_cec) 346*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_tv_hdmi_cec) 347*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_tv_hdmi_connection) 348*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_tv_hdmi_earc) 349*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_tv_input) 350*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_usb) 351*e4a36f41SAndroid Build Coastguard 
Workerhal_client_domain(system_server, hal_usb_gadget) 352*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_uwb) 353*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_vibrator) 354*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_vr) 355*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_weaver) 356*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_wifi) 357*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_wifi_hostapd) 358*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(system_server, hal_wifi_supplicant) 359*e4a36f41SAndroid Build Coastguard Worker# The bootctl is a pass through HAL mode under recovery mode. So we skip the 360*e4a36f41SAndroid Build Coastguard Worker# permission for recovery in order not to give system server the access to 361*e4a36f41SAndroid Build Coastguard Worker# the low level block devices. 362*e4a36f41SAndroid Build Coastguard Workernot_recovery(`hal_client_domain(system_server, hal_bootctl)') 363*e4a36f41SAndroid Build Coastguard Worker 364*e4a36f41SAndroid Build Coastguard Worker# Talk with graphics composer fences 365*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_graphics_composer:fd use; 366*e4a36f41SAndroid Build Coastguard Worker 367*e4a36f41SAndroid Build Coastguard Worker# Use RenderScript always-passthrough HAL 368*e4a36f41SAndroid Build Coastguard Workerallow system_server hal_renderscript_hwservice:hwservice_manager find; 369*e4a36f41SAndroid Build Coastguard Workerallow system_server same_process_hal_file:file { execute read open getattr map }; 370*e4a36f41SAndroid Build Coastguard Worker 371*e4a36f41SAndroid Build Coastguard Worker# Talk to tombstoned to get ANR traces. 
372*e4a36f41SAndroid Build Coastguard Workerunix_socket_connect(system_server, tombstoned_intercept, tombstoned) 373*e4a36f41SAndroid Build Coastguard Worker 374*e4a36f41SAndroid Build Coastguard Worker# List HAL interfaces to get ANR traces. 375*e4a36f41SAndroid Build Coastguard Workerallow system_server hwservicemanager:hwservice_manager list; 376*e4a36f41SAndroid Build Coastguard Workerallow system_server servicemanager:service_manager list; 377*e4a36f41SAndroid Build Coastguard Worker 378*e4a36f41SAndroid Build Coastguard Worker# Send signals to trigger ANR traces. 379*e4a36f41SAndroid Build Coastguard Workerallow system_server { 380*e4a36f41SAndroid Build Coastguard Worker # This is derived from the list that system server defines as interesting native processes 381*e4a36f41SAndroid Build Coastguard Worker # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in 382*e4a36f41SAndroid Build Coastguard Worker # frameworks/base/services/core/java/com/android/server/Watchdog.java. 
383*e4a36f41SAndroid Build Coastguard Worker artd 384*e4a36f41SAndroid Build Coastguard Worker audioserver 385*e4a36f41SAndroid Build Coastguard Worker cameraserver 386*e4a36f41SAndroid Build Coastguard Worker drmserver 387*e4a36f41SAndroid Build Coastguard Worker gpuservice 388*e4a36f41SAndroid Build Coastguard Worker inputflinger 389*e4a36f41SAndroid Build Coastguard Worker keystore 390*e4a36f41SAndroid Build Coastguard Worker mediadrmserver 391*e4a36f41SAndroid Build Coastguard Worker mediaextractor 392*e4a36f41SAndroid Build Coastguard Worker mediametrics 393*e4a36f41SAndroid Build Coastguard Worker mediaserver 394*e4a36f41SAndroid Build Coastguard Worker mediaswcodec 395*e4a36f41SAndroid Build Coastguard Worker mediatranscoding 396*e4a36f41SAndroid Build Coastguard Worker mediatuner 397*e4a36f41SAndroid Build Coastguard Worker mmd 398*e4a36f41SAndroid Build Coastguard Worker netd 399*e4a36f41SAndroid Build Coastguard Worker sdcardd 400*e4a36f41SAndroid Build Coastguard Worker servicemanager 401*e4a36f41SAndroid Build Coastguard Worker statsd 402*e4a36f41SAndroid Build Coastguard Worker surfaceflinger 403*e4a36f41SAndroid Build Coastguard Worker vold 404*e4a36f41SAndroid Build Coastguard Worker 405*e4a36f41SAndroid Build Coastguard Worker # This list comes from HAL_INTERFACES_OF_INTEREST in 406*e4a36f41SAndroid Build Coastguard Worker # frameworks/base/services/core/java/com/android/server/Watchdog.java. 
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_face_server
  hal_fingerprint_server
  hal_gnss_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_light_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_vibrator_server
  hal_vr_server
  system_suspend_server
}:process { signal };

# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Use sockets received over binder from various services.
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(system_server)

# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
selinux_check_access(system_server)

allow system_server sysfs_type:dir r_dir_perms;

r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;

r_dir_file(system_server, sysfs_extcon)

r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;

r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)

allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
allow system_server sysfs_uhid:dir r_dir_perms;
allow system_server sysfs_uhid:file rw_file_perms;

# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };

# TODO: added to match above sysfs rule. Remove me?
allow system_server sysfs_usb:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server gpu_device:dir r_dir_perms;
allow system_server sysfs_gpu:file r_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;
allow system_server hidraw_device:dir r_dir_perms;
allow system_server hidraw_device:chr_file rw_file_perms;

# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;

# tun device used for 3rd party vpn apps and test network manager
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };

# Manage data/ota_package
allow system_server ota_package_file:dir rw_dir_perms;
allow system_server ota_package_file:file create_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server packages_list_file:file create_file_perms;
allow system_server game_mode_intervention_list_file:file create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;

# Read the user parent directories like /data/user. Don't allow write access,
# as vold is responsible for creating and deleting the subdirectories.
allow system_server system_userdir_file:dir r_dir_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-metadata
allow system_server apk_metadata_file:dir create_dir_perms;
allow system_server apk_metadata_file:file create_file_perms;

# Access input configuration files in the /vendor directory
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
get_prop(system_server, input_device_config_prop)

# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
#
# TODO: Some of these permissions can be withdrawn once we've switched to the
# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
# the system_server should never need to create a new anr_data_file:file or write
# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# New stack dumping scheme : request an output FD from tombstoned via a unix
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
allow system_server incidentd:fifo_file append;
# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
userdebug_or_eng(`
  allow system_server su:fifo_file append;
')

# Allow system_server to read pipes from incidentd (used to deliver incident reports
# to dropbox)
allow system_server incidentd:fifo_file read;

# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;

# Manage /data/misc/prereboot.
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;

# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;

# Allow system_server to exec the perfetto cmdline client and pass it a trace config
domain_auto_trans(system_server, perfetto_exec, perfetto);
allow system_server perfetto:fifo_file { read write };

# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
allow system_server perfetto_traces_data_file:dir search;

# Allow system server to exec the trace redactor cmdline client and kill the process for
# ProfilingService.
domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
allow system_server trace_redactor:process signal;

# Allow system server to kill perfetto processes for ProfilingService.
allow system_server perfetto:process signal;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Write to /data/system/dropbox
allow system_server dropbox_data_file:dir create_dir_perms;
allow system_server dropbox_data_file:file create_file_perms;

# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;

# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/appcompat.
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;

# Manage /data/misc/connectivityblobdb.
# Specifically, for vpn and wifi to create, read and write to an sqlite database.
allow system_server connectivityblob_data_file:dir create_dir_perms;
allow system_server connectivityblob_data_file:file create_file_perms;

# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;

# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Manage /data/misc/textclassifier.
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;

# Manage /data/tombstones.
allow system_server tombstone_data_file:dir rw_dir_perms;
allow system_server tombstone_data_file:file create_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;

# Manage /data/rollback.
allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };

# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };

# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
allow system_server app_data_file_type:file { getattr read write append map };

# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };

# Receive and use open /data/media files passed over binder IPC.
# Also used for measuring disk usage.
allow system_server media_rw_data_file:file { getattr read write append };

# System server needs to setfscreate to packages_list_file when writing
# /data/system/packages.list
allow system_server system_server:process setfscreate;

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Allow PackageManager to:
# 1. rename file from /data/app-staging folder to /data/app
# 2. relabel files (linked to /data/rollback) under /data/app-staging
# during staged apk/apex install.
allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms rename unlink };

# Backup of wallpaper imagery uses temporary hard links to avoid data churn
allow system_server { system_data_file wallpaper_file }:file link;

# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
allow system_server shortcut_manager_icons:file create_file_perms;

# Manage ringtones.
allow system_server ringtone_file:dir { create_dir_perms relabelto };
allow system_server ringtone_file:file create_file_perms;

# Relabel icon file.
allow system_server icon_file:file relabelto;
allow system_server icon_file:file { rw_file_perms unlink };

# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
734*e4a36f41SAndroid Build Coastguard Workerallow system_server system_data_file:dir relabelfrom; 735*e4a36f41SAndroid Build Coastguard Worker 736*e4a36f41SAndroid Build Coastguard Worker# server_configurable_flags_data_file is used for storing server configurable flags which 737*e4a36f41SAndroid Build Coastguard Worker# have been reset during current booting. system_server needs to read the data to perform related 738*e4a36f41SAndroid Build Coastguard Worker# disaster recovery actions. 739*e4a36f41SAndroid Build Coastguard Workerallow system_server server_configurable_flags_data_file:dir r_dir_perms; 740*e4a36f41SAndroid Build Coastguard Workerallow system_server server_configurable_flags_data_file:file r_file_perms; 741*e4a36f41SAndroid Build Coastguard Worker 742*e4a36f41SAndroid Build Coastguard Worker# Property Service write 743*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, system_prop) 744*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, bootanim_system_prop) 745*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, bluetooth_prop) 746*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, exported_system_prop) 747*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, exported3_system_prop) 748*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, safemode_prop) 749*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, theme_prop) 750*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, dhcp_prop) 751*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, net_connectivity_prop) 752*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, net_radio_prop) 753*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, net_dns_prop) 754*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, usb_control_prop) 755*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, usb_prop) 756*e4a36f41SAndroid Build Coastguard 
Workerset_prop(system_server, debug_prop) 757*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, powerctl_prop) 758*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, fingerprint_prop) 759*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_logging_prop) 760*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, dumpstate_options_prop) 761*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, overlay_prop) 762*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, exported_overlay_prop) 763*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, pm_prop) 764*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, exported_pm_prop) 765*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, socket_hook_prop) 766*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, audio_prop) 767*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, boot_status_prop) 768*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, surfaceflinger_color_prop) 769*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, provisioned_prop) 770*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, retaildemo_prop) 771*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, dmesgd_start_prop) 772*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, locale_prop) 773*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, timezone_metadata_prop) 774*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, timezone_prop) 775*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, crashrecovery_prop) 776*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(`set_prop(system_server, wifi_log_prop)') 777*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)') 778*e4a36f41SAndroid Build Coastguard Worker 779*e4a36f41SAndroid Build Coastguard Worker# ctl 
interface 780*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, ctl_default_prop) 781*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, ctl_bugreport_prop) 782*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, ctl_gsid_prop) 783*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, ctl_artd_pre_reboot_prop) 784*e4a36f41SAndroid Build Coastguard Worker 785*e4a36f41SAndroid Build Coastguard Worker# cppreopt property 786*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, cppreopt_prop) 787*e4a36f41SAndroid Build Coastguard Worker 788*e4a36f41SAndroid Build Coastguard Worker# server configurable flags properties 789*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_core_experiments_team_internal_prop) 790*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_edgetpu_native_prop) 791*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_input_native_boot_prop) 792*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_netd_native_prop) 793*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_nnapi_native_prop) 794*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_activity_manager_native_boot_prop) 795*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_runtime_native_boot_prop) 796*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_runtime_native_prop) 797*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_lmkd_native_prop) 798*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_media_native_prop) 799*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_camera_native_prop) 800*e4a36f41SAndroid Build Coastguard Workerset_prop(system_server, device_config_mglru_native_prop) 801*e4a36f41SAndroid Build Coastguard 
set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_aconfig_flags_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, device_config_mmd_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)

# staged flag properties
set_prop(system_server, next_boot_prop)

# Allow system server to read pm.16kb.app_compat.disabled
get_prop(system_server, pm_16kb_app_compat_prop)

# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)

# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
# PowerManager to read sys.boot.reason
get_prop(system_server, system_boot_reason_prop)

# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)

# Read device's serial number from system properties
get_prop(system_server, serialno_prop)

# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)

# Audio service in system server can read audio config properties,
# such as camera shutter enforcement
get_prop(system_server, audio_config_prop)

# StorageManager service reads media config while checking if transcoding is supported.
get_prop(system_server, media_config_prop)

# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)

# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)

# Read gsid.image_running.
get_prop(system_server, gsid_prop)

# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)

# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)

# Read wifi.interface
get_prop(system_server, wifi_prop)

# Read the vendor property that indicates if Incremental features is enabled
get_prop(system_server, incremental_prop)

# Read ro.zram. properties
get_prop(system_server, zram_config_prop)

# Read/write persist.sys.zram_enabled
set_prop(system_server, zram_control_prop)

# Read/write persist.sys.dalvik.vm.lib.2
set_prop(system_server, dalvik_runtime_prop)

# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)

# Read the net.464xlat.cellular.enabled property (written by init).
get_prop(system_server, net_464xlat_fromvendor_prop)

# Read hypervisor capabilities ro.boot.hypervisor.*
get_prop(system_server, hypervisor_prop)

# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)

# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)
# Read persist.sysui.notification.ranking_update_ashmem property
get_prop(system_server, persist_sysui_ranking_update_prop)

# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
# Write tuner.server.enable
set_prop(system_server, tuner_server_ctl_prop)

# Allow the heap dump ART plugin to read the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)

# Allow the sensor service (running in the system service) to read sensor
# configuration properties
get_prop(system_server, sensors_config_prop)

# Allow system server to determine if system services are enabled
get_prop(system_server, system_service_enable_prop)

# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Create a socket for connections from zygotes.
allow system_server system_unsolzygote_socket:sock_file create_file_perms;

# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;

allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;

# ART locks profile files.
allow system_server system_file:file lock;

# LocationManager (e.g., GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
# LocalTransport works inside /cache/backup
allow system_server cache_private_backup_file:dir create_dir_perms;
allow system_server cache_private_backup_file:file create_file_perms;

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name add_name };
allow system_server fscklogs:file rename;

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# /sys access
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;

# Read /sys/fs/selinux/policy
allow system_server kernel:security read_policy;

add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server artd_pre_reboot_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server compos_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
allow system_server dexopt_chroot_setup_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server mediatuner_service:service_manager find;
allow system_server mmd_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server virtual_camera_service:service_manager find;
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
    allow system_server virtualization_maintenance_service:service_manager find;
')
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
userdebug_or_eng(`
    allow system_server profcollectd_service:service_manager find;
')
allow system_server wifi_mainline_supplicant_service:service_manager find;

add_service(system_server, batteryproperties_service)

allow system_server keystore:keystore2 {
    add_auth
    change_password
    change_user
    clear_ns
    clear_uid
    delete_all_keys
    get_last_auth_time
    lock
    pull_metrics
    reset
    unlock
};

allow system_server keystore:keystore2_key {
    delete
    use_dev_id
    grant
    get_info
    rebind
    update
    use
};

# Allow Wifi module to manage Wi-Fi keys.
allow system_server wifi_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage RoR keys.
allow system_server resume_on_reboot_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
allow system_server locksettings_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};


# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };

# Create new process groups and clean up old cgroups
allow system_server cgroup:dir create_dir_perms;
allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };

# /oem access
r_dir_file(system_server, oemfs)

# Allow resolving per-user storage symlinks
allow system_server { mnt_user_file storage_file }:dir { getattr search };
allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };

# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
allow system_server { sdcard_type fuse }:dir { getattr search };

# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;

# Allow system process to relabel the fingerprint directory after mkdir
# and delete the directory and files when no longer needed
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };

userdebug_or_eng(`
    # Allow system server to create and write method traces in /data/misc/trace.
    allow system_server method_trace_data_file:dir w_dir_perms;
    allow system_server method_trace_data_file:file { create w_file_perms };

    # Allow system server to read dmesg
    allow system_server kernel:system syslog_read;

    # Allow writing and removing window traces in /data/misc/wmtrace.
    allow system_server wm_trace_data_file:dir rw_dir_perms;
    allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };

    # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
    allow system_server accessibility_trace_data_file:dir rw_dir_perms;
    allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')

# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
allow system_server app_fuse_file:file { read write getattr };

# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
allow system_server configfs:file { getattr open create unlink write };

# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
allow system_server adbd_common:unix_stream_socket connectto;
allow system_server adbd_common:fd use;
allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)

# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)

# Set service.adbd.tradeinmode from ITradeInService.
set_prop(system_server, adbd_tradeinmode_prop)

# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;

# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;

# Allow system process to measure fs-verity for apps, including those being installed
allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;

# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
binder_call(system_server, postinstall)

allow system_server postinstall:fifo_file write;
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;

# Access to /data/preloads
allow system_server preloads_data_file:file { r_file_perms unlink };
allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };

r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;

# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
# Access to /dev/dma_heap/system-secure
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;

r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
  proc_cmdline
  proc_loadavg
  proc_locks
  proc_meminfo
  proc_pagetypeinfo
  proc_pipe_conf
  proc_stat
  proc_uid_cputime_showstat
  proc_uid_io_stats
  proc_uid_time_in_state
  proc_uid_concurrent_active_time
  proc_uid_concurrent_policy_time
  proc_version
  proc_vmallocinfo
}:file r_file_perms;

allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;

r_dir_file(system_server, rootfs)

# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;

# Allow BootReceiver to watch trace error_report events.
allow system_server debugfs_bootreceiver_tracing:dir search;
allow system_server debugfs_bootreceiver_tracing:file r_file_perms;

# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;

# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
  allow system_server shell_exec:file rx_file_perms;
  allow system_server asanwrapper_exec:file rx_file_perms;
  allow system_server zygote_exec:file rx_file_perms;
')

# allow system_server to read the eBPF maps that store the traffic stats information and update
# the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
allow system_server bpfloader:bpf prog_run;
allow system_server self:bpf map_create;
allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
dontaudit system_server self:key_socket getopt;

# Needed to interact with memevents-eBPF and receive notifications for memory events
allow system_server fs_bpf_memevents:dir search;
allow system_server fs_bpf_memevents:file { read write };

# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
allow system_server clatd:process { sigkill signal };

# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor
# to privileged apps which acquire the permissions to inspect the profiles.
allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };

# System server may dump profile data for debuggable apps in the /data/misc/profman.
# As such it needs to be able to create files but it should never read from them.
# It also needs to stat the directory to check if it has the right permissions.
allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
allow system_server profman_dump_data_file:dir rw_dir_perms;

# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
  allow system_server user_profile_data_file:dir w_dir_perms;
  allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
get_prop(system_server,system_jvmti_agent_prop)

# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
starting_at_board_api(202504, `
allow system_server sysfs_type:dir search;
r_dir_file(system_server, sysfs_udc)
')

# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)

# system_server reads this property to know it should expect lmkd to send notifications to it
# on low memory kills.
get_prop(system_server, system_lmk_prop)

get_prop(system_server, wifi_config_prop)

# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Watchdog prints debugging log to /dev/kmsg_debug.
userdebug_or_eng(`
  allow system_server kmsg_debug_device:chr_file { open append getattr };
')
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)


# Font files are written by system server
allow system_server font_data_file:file create_file_perms;
allow system_server font_data_file:dir create_dir_perms;
# Allow system process to setup and measure fs-verity for font files
allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };

# Read qemu.hw.mainkeys property
get_prop(system_server, qemu_hw_prop)

# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')

# Power controls for debugging/diagnostics
get_prop(system_server, power_debug_prop)
set_prop(system_server, power_debug_prop)

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
neverallow system_server { sdcard_type fuse }:dir { open read write };
neverallow system_server { sdcard_type fuse }:file rw_file_perms;

# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Exclude those types that system_server needs to open directly.
neverallow system_server {
  app_data_file_type
  -system_app_data_file
  -radio_data_file
}:file { open create unlink link };

# Forking and execing is inherently dangerous and racy. See, for
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
neverallow system_server {
  file_type
  -toolbox_exec
  -logcat_exec
  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;

# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
# add perfetto and trace_redactor which are exec'd from system server for ProfilingService.
neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
neverallow system_server *:process dyntransition;

# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
neverallow system_server perfetto_traces_data_file:dir ~search;

# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };

# Only allow zygotes to connect to system_unsolzygote_socket.
neverallow {
  domain
  -init
  -system_server
  -zygote
  -app_zygote
  -webview_zygote
} system_unsolzygote_socket:sock_file { open write };

# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
  domain
  -init
  -system_server
  -flags_health_check
} {
  device_config_core_experiments_team_internal_prop
  device_config_activity_manager_native_boot_prop
  device_config_connectivity_prop
  device_config_input_native_boot_prop
  device_config_lmkd_native_prop
  device_config_netd_native_prop
  device_config_nnapi_native_prop
  device_config_edgetpu_native_prop
  device_config_runtime_native_boot_prop
  device_config_runtime_native_prop
  device_config_media_native_prop
  device_config_mglru_native_prop
  device_config_remote_key_provisioning_native_prop
  device_config_storage_native_boot_prop
  device_config_surface_flinger_native_boot_prop
  device_config_sys_traced_prop
  device_config_swcodec_native_prop
  device_config_aconfig_flags_prop
  device_config_window_manager_native_boot_prop
  device_config_tethering_u_or_later_native_prop
  device_config_mmd_native_prop
  next_boot_prop
}:property_service set;

# Only allow system_server and init to set tuner_server_ctl_prop
neverallow {
  domain
  -system_server
  -init
} tuner_server_ctl_prop:property_service set;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# system_server should never execute or load executable shared libraries
# in /data. Executable files in /data are a persistence vector.
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;

# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
# The system_server may need to read from vd_device if it uses
# block apexes.
neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;

# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
# However, in emulator builds without OpenGL passthrough, we use software
# rendering via SwiftShader, which requires JIT support. These builds are
# never shipped to users.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
    `allow system_server self:process execmem;',
    `neverallow system_server self:process execmem;')
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;

# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;

# Resources handed off by system_server_startup
allow system_server system_server_startup:fd use;
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;

# Allow system server to communicate to apexd
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;

# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;

# Allow system server to read /apex/apex-info-list.xml
allow system_server apex_info_file:file r_file_perms;

# Allow system_server to communicate with tradeinmode.
binder_call(system_server, tradeinmode)

# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)

# Allow system server to communicate to system-suspend's wakelock interface
wakelock_use(system_server)

# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;

# Allow the system server to read files under /vendor/apex. This is where
# vendor APEX packages might be installed and system_server needs to parse
# these packages to inspect the signatures and other metadata.
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;

# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
# These are modules where the code runs in system_server, so we need full access.
allow system_server apex_system_server_data_file:dir create_dir_perms;
allow system_server apex_system_server_data_file:file create_file_perms;
allow system_server apex_tethering_data_file:dir create_dir_perms;
allow system_server apex_tethering_data_file:file create_file_perms;
allow system_server apex_uwb_data_file:dir create_dir_perms;
allow system_server apex_uwb_data_file:file create_file_perms;
# Legacy labels that we still need to support (b/217581286)
allow system_server {
  apex_appsearch_data_file
  apex_permission_data_file
  apex_scheduling_data_file
  apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
  apex_appsearch_data_file
  apex_permission_data_file
  apex_scheduling_data_file
  apex_wifi_data_file
}:file create_file_perms;

# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;

# Allow TradeInMode service rw access to /metadata/tradeinmode.
allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
allow system_server tradeinmode_metadata_file:file create_file_perms;

allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
allow system_server userspace_reboot_metadata_file:file create_file_perms;

# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;

allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;

# allow system_server to write to aconfigd socket
unix_socket_connect(system_server, aconfigd, aconfigd);

# allow system_server to write to aconfigd_mainline socket
unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);

allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;

allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;

# Allow system server to read and remove files under /data/misc/odrefresh
allow system_server odrefresh_data_file:dir rw_dir_perms;
allow system_server odrefresh_data_file:file { r_file_perms unlink };

# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;

# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)

# JVMTI agent settings are only readable from the system server.
neverallow {
  domain
  -system_server
  -dumpstate
  -init
  -vendor_init
} {
  system_jvmti_agent_prop
}:file no_rw_file_perms;

# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;

# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;

# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;

# Only system_server/init should access /metadata/password_slots.
neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
neverallow {
  domain
  -init
  -system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;

# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
  binder_cache_system_server_prop:property_service set;

# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };

# Allow writing files under /data/system/shutdown-checkpoints/
allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;

# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;

neverallow { domain -init -system_server } boot_status_prop:property_service set;

neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_server
} wifi_config_prop:file no_rw_file_perms;

# Only allow system server to write uhid sysfs files
neverallow {
  domain
  -init
  -system_server
  -ueventd
  -vendor_init
} sysfs_uhid:file no_w_file_perms;

# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
# can be accessed by system_server only (b/143717177)
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };

# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;

# Allow reading /system/etc/font_fallback.xml
allow system_server system_font_fallback_file:file r_file_perms;

# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)

# Allow system server to read binderfs
allow system_server binderfs_logs:dir r_dir_perms;
allow system_server binderfs_logs_stats:file r_file_perms;

# For ANRs
userdebug_or_eng(`
    allow system_server binderfs_logs_transactions:file r_file_perms;
')

# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
set_prop(system_server, game_manager_config_prop)

# ThreadNetworkService reads Thread Network properties
get_prop(system_server, threadnetwork_config_prop)

# Do not allow any domain other than init and system server to set the property
neverallow {
  domain
  -init
  -vendor_init
  -dumpstate
  -system_server
} threadnetwork_config_prop:file no_rw_file_perms;

# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar
# in Pre-reboot Dexopt.
allow system_server pre_reboot_dexopt_file:dir { getattr search };

# Allow system_server to reopen its own memfd.
# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
# /proc/self/fd/<fd> with a classloader.
allow system_server system_server_tmpfs:file open;

# Allow system_server to read from postinstall scripts through STDIN, to check if the
# otapreopt_script is still alive.
allow system_server postinstall:fifo_file read;

# Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
# files in chroot when we teardown chroot.
allow system_server {
  artd
  derive_classpath
  dex2oat
  odrefresh
  profman
}:process sigkill;

# Do not allow any domain other than init or system server to get or set the property
neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;

# Do not allow anything other than system_server and init to touch /metadata/tradeinmode.
neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms;

neverallow {
  domain
  -init
  -vendor_init
  -system_server
  -shell
} power_debug_prop:property_service set;