1#
2# System Server aka system_server spawned by zygote.
3# Most of the framework services run in this process.
4#
5
6typeattribute system_server coredomain;
7typeattribute system_server mlstrustedsubject;
8typeattribute system_server scheduler_service_server;
9typeattribute system_server sensor_service_server;
10typeattribute system_server stats_service_server;
11
12# Define a type for tmpfs-backed ashmem regions.
13tmpfs_domain(system_server)
14
15userfaultfd_use(system_server)
16
17# Create a socket for connections from crash_dump.
18type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
19
20# Create a socket for connections from zygotes.
21type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
22
23allow system_server zygote_tmpfs:file read;
24allow system_server appdomain_tmpfs:file { getattr map read write };
25
26# For Incremental Service to check if incfs is available
27allow system_server proc_filesystems:file r_file_perms;
28
29# To create files, get permission to fill blocks, and configure Incremental File System
30allow system_server incremental_control_file:file { ioctl r_file_perms };
31allowxperm system_server incremental_control_file:file ioctl {
32  INCFS_IOCTL_CREATE_FILE
33  INCFS_IOCTL_CREATE_MAPPED_FILE
34  INCFS_IOCTL_PERMIT_FILL
35  INCFS_IOCTL_GET_READ_TIMEOUTS
36  INCFS_IOCTL_SET_READ_TIMEOUTS
37  INCFS_IOCTL_GET_LAST_READ_ERROR
38};
39
41# To read the signature of an APK installed on the Incremental File System, fill in data
42# blocks, and query the filesystem state
42allowxperm system_server apk_data_file:file ioctl {
43  INCFS_IOCTL_READ_SIGNATURE
44  INCFS_IOCTL_FILL_BLOCKS
45  INCFS_IOCTL_GET_FILLED_BLOCKS
46  INCFS_IOCTL_GET_BLOCK_COUNT
47  F2FS_IOC_GET_FEATURES
48  F2FS_IOC_GET_COMPRESS_BLOCKS
49  F2FS_IOC_COMPRESS_FILE
50  F2FS_IOC_DECOMPRESS_FILE
51  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
52  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
53  FS_IOC_SETFLAGS
54  FS_IOC_GETFLAGS
55};
56
57allowxperm system_server apk_tmp_file:file ioctl {
58  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
59  FS_IOC_GETFLAGS
60};
61
62# For Incremental Service to check incfs metrics
63allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
64
65# For f2fs-compression support
66allow system_server sysfs_fs_f2fs:dir r_dir_perms;
67allow system_server sysfs_fs_f2fs:file r_file_perms;
68
69# For art.
70allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
71allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
72
73# When running system server under --invoke-with, we'll try to load the boot image under the
74# system server domain, following links to the system partition.
75with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
76
77# /data/resource-cache
78allow system_server resourcecache_data_file:file r_file_perms;
79allow system_server resourcecache_data_file:dir r_dir_perms;
80
81# ptrace to processes in the same domain for debugging crashes.
82allow system_server self:process ptrace;
83
84# Child of the zygote.
85allow system_server zygote:fd use;
86allow system_server zygote:process sigchld;
87
88# May kill zygote on crashes.
89allow system_server {
90  app_zygote
91  crash_dump
92  webview_zygote
93  zygote
94}:process { sigkill signull };
95
96# Read /system/bin/app_process.
97allow system_server zygote_exec:file r_file_perms;
98
99# Needed to close the zygote socket, which involves getopt / getattr
100allow system_server zygote:unix_stream_socket { getopt getattr };
101
102# system server gets network and bluetooth permissions.
103net_domain(system_server)
105# In addition to the ioctls allowlisted for all domains, also allow system_server
106# to use privileged ioctl commands. Needed to set up VPNs.
106allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
107bluetooth_domain(system_server)
108
109# Allow setup of tcp keepalive offload. This gives system_server the permission to
110# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
111# be granted individually, except for a small set of safe values allowlisted in
112# public/domain.te.
113allow system_server appdomain:tcp_socket ioctl;
114
115# These are the capabilities assigned by the zygote to the
116# system server.
117allow system_server self:global_capability_class_set {
118    ipc_lock
119    kill
120    net_admin
121    net_bind_service
122    net_broadcast
123    net_raw
124    sys_boot
125    sys_nice
126    sys_ptrace
127    sys_time
128    sys_tty_config
129};
130
131# Trigger module auto-load.
132allow system_server kernel:system module_request;
133
134# Allow alarmtimers to be set
135allow system_server self:global_capability2_class_set wake_alarm;
136
137# Create and share netlink_netfilter_sockets for tetheroffload.
138allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
139
140# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
141allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
142
143# Use netlink uevent sockets.
144allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
145
146# Use generic netlink sockets.
147allow system_server self:netlink_socket create_socket_perms_no_ioctl;
148allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
149
150# libvintf reads the kernel config to verify vendor interface compatibility.
151allow system_server config_gz:file { read open };
152
153# Use generic "sockets" where the address family is not known
154# to the kernel. The ioctl permission is specifically omitted here, but may
155# be added to device specific policy along with the ioctl commands to be
156# allowlisted.
157allow system_server self:socket create_socket_perms_no_ioctl;
158
159# Set and get routes directly via netlink.
160allow system_server self:netlink_route_socket nlmsg_write;
161
162# Kill apps.
163allow system_server appdomain:process { getpgid sigkill signal };
164# signull allowed for kill(pid, 0) existence test.
165allow system_server appdomain:process { signull };
166
167# Set scheduling info for apps.
168allow system_server appdomain:process { getsched setsched };
169allow system_server audioserver:process { getsched setsched };
170allow system_server hal_audio:process { getsched setsched };
171allow system_server hal_bluetooth:process { getsched setsched };
172allow system_server hal_codec2_server:process { getsched setsched };
173allow system_server hal_omx_server:process { getsched setsched };
174allow system_server mediaswcodec:process { getsched setsched };
175allow system_server cameraserver:process { getsched setsched };
176allow system_server hal_camera:process { getsched setsched };
177allow system_server mediaserver:process { getsched setsched };
178allow system_server bootanim:process { getsched setsched };
179
180# Set scheduling info for psi monitor thread.
181# TODO: delete this line b/131761776
182allow system_server kernel:process { getsched setsched };
183
185# Allow system_server to write to /proc/<pid>/* for all domains.
185allow system_server domain:file w_file_perms;
186
187# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
188# within system_server to keep track of memory and CPU usage for
189# all processes on the device. In addition, /proc/pid files access is needed
190# for dumping stack traces of native processes.
191r_dir_file(system_server, domain)
192
193# Write /proc/uid_cputime/remove_uid_range.
194allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
195
196# Write /proc/uid_procstat/set.
197allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
198
199# Write to /proc/sysrq-trigger.
200allow system_server proc_sysrq:file rw_file_perms;
201
202# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
203allow system_server stats_data_file:dir { open read remove_name search write };
204allow system_server stats_data_file:file unlink;
205
206# Read /sys/kernel/debug/wakeup_sources.
207no_debugfs_restriction(`
208  allow system_server debugfs_wakeup_sources:file r_file_perms;
209')
210
211# Read /sys/kernel/ion/*.
212allow system_server sysfs_ion:file r_file_perms;
213
214# Read /sys/kernel/dma_heap/*.
215allow system_server sysfs_dma_heap:file r_file_perms;
216
217# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
218allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
219allow system_server sysfs_dmabuf_stats:file r_file_perms;
220
221# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
222# for dumpsys meminfo
223allow system_server dmabuf_heap_device:dir r_dir_perms;
224
225# Allow reading /proc/vmstat for the oom kill count
226allow system_server proc_vmstat:file r_file_perms;
227
229# The DhcpClient and WifiWatchdog use packet sockets.
229allow system_server self:packet_socket create_socket_perms_no_ioctl;
230
231# 3rd party VPN clients require a tun_socket to be created
232allow system_server self:tun_socket create_socket_perms_no_ioctl;
233
234# Talk to init and various daemons via sockets.
235unix_socket_connect(system_server, lmkd, lmkd)
236unix_socket_connect(system_server, mtpd, mtp)
237unix_socket_connect(system_server, zygote, zygote)
238unix_socket_connect(system_server, racoon, racoon)
239unix_socket_connect(system_server, uncrypt, uncrypt)
240
241# Allow system_server to write to statsd.
242unix_socket_send(system_server, statsdw, statsd)
243
244# Communicate over a socket created by surfaceflinger.
245allow system_server surfaceflinger:unix_stream_socket { read write setopt };
246
247allow system_server gpuservice:unix_stream_socket { read write setopt };
248
249# Communicate over a socket created by webview_zygote.
250allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
251
252# Communicate over a socket created by app_zygote.
253allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
254
255# Perform Binder IPC.
256binder_use(system_server)
257binder_call(system_server, appdomain)
258binder_call(system_server, binderservicedomain)
259binder_call(system_server, dumpstate)
260binder_call(system_server, fingerprintd)
261binder_call(system_server, gatekeeperd)
262binder_call(system_server, gpuservice)
263binder_call(system_server, idmap)
264binder_call(system_server, installd)
265binder_call(system_server, incidentd)
266binder_call(system_server, iorapd)
267binder_call(system_server, netd)
268userdebug_or_eng(`binder_call(system_server, profcollectd)')
269binder_call(system_server, statsd)
270binder_call(system_server, storaged)
271binder_call(system_server, update_engine)
272binder_call(system_server, vold)
273binder_call(system_server, wificond)
274binder_call(system_server, wpantund)
275binder_service(system_server)
276
277# Use HALs
278hal_client_domain(system_server, hal_allocator)
279hal_client_domain(system_server, hal_audio)
280hal_client_domain(system_server, hal_authsecret)
281hal_client_domain(system_server, hal_broadcastradio)
282hal_client_domain(system_server, hal_codec2)
283hal_client_domain(system_server, hal_configstore)
284hal_client_domain(system_server, hal_contexthub)
285hal_client_domain(system_server, hal_face)
286hal_client_domain(system_server, hal_fingerprint)
287hal_client_domain(system_server, hal_gnss)
288hal_client_domain(system_server, hal_graphics_allocator)
289hal_client_domain(system_server, hal_health)
290hal_client_domain(system_server, hal_input_classifier)
291hal_client_domain(system_server, hal_ir)
292hal_client_domain(system_server, hal_light)
293hal_client_domain(system_server, hal_memtrack)
294hal_client_domain(system_server, hal_neuralnetworks)
295hal_client_domain(system_server, hal_oemlock)
296hal_client_domain(system_server, hal_omx)
297hal_client_domain(system_server, hal_power)
298hal_client_domain(system_server, hal_power_stats)
299hal_client_domain(system_server, hal_rebootescrow)
300hal_client_domain(system_server, hal_sensors)
301hal_client_domain(system_server, hal_tetheroffload)
302hal_client_domain(system_server, hal_thermal)
303hal_client_domain(system_server, hal_tv_cec)
304hal_client_domain(system_server, hal_tv_input)
305hal_client_domain(system_server, hal_usb)
306hal_client_domain(system_server, hal_usb_gadget)
307hal_client_domain(system_server, hal_vibrator)
308hal_client_domain(system_server, hal_vr)
309hal_client_domain(system_server, hal_weaver)
310hal_client_domain(system_server, hal_wifi)
311hal_client_domain(system_server, hal_wifi_hostapd)
312hal_client_domain(system_server, hal_wifi_supplicant)
314# Under recovery, the bootctl HAL runs in pass-through mode, so the permission is
315# skipped there in order not to give system_server access to the low-level block
316# devices.
316not_recovery(`hal_client_domain(system_server, hal_bootctl)')
317
318# Talk with graphics composer fences
319allow system_server hal_graphics_composer:fd use;
320
321# Use RenderScript always-passthrough HAL
322allow system_server hal_renderscript_hwservice:hwservice_manager find;
323allow system_server same_process_hal_file:file { execute read open getattr map };
324
325# Talk to tombstoned to get ANR traces.
326unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
327
328# List HAL interfaces to get ANR traces.
329allow system_server hwservicemanager:hwservice_manager list;
330allow system_server servicemanager:service_manager list;
331
332# Send signals to trigger ANR traces.
333allow system_server {
334  # This is derived from the list that system server defines as interesting native processes
335  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
336  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
337  audioserver
338  cameraserver
339  drmserver
340  gpuservice
341  inputflinger
342  keystore
343  mediadrmserver
344  mediaextractor
345  mediametrics
346  mediaserver
347  mediaswcodec
348  mediatranscoding
349  mediatuner
350  netd
351  sdcardd
352  statsd
353  surfaceflinger
354  vold
355
356  # This list comes from HAL_INTERFACES_OF_INTEREST in
357  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
358  hal_audio_server
359  hal_bluetooth_server
360  hal_camera_server
361  hal_codec2_server
362  hal_face_server
363  hal_fingerprint_server
364  hal_gnss_server
365  hal_graphics_allocator_server
366  hal_graphics_composer_server
367  hal_health_server
368  hal_light_server
369  hal_neuralnetworks_server
370  hal_omx_server
371  hal_power_stats_server
372  hal_sensors_server
373  hal_vr_server
374  system_suspend_server
375}:process { signal };
376
377# Use sockets received over binder from various services.
378allow system_server audioserver:tcp_socket rw_socket_perms;
379allow system_server audioserver:udp_socket rw_socket_perms;
380allow system_server mediaserver:tcp_socket rw_socket_perms;
381allow system_server mediaserver:udp_socket rw_socket_perms;
382
383# Use sockets received over binder from various services.
384allow system_server mediadrmserver:tcp_socket rw_socket_perms;
385allow system_server mediadrmserver:udp_socket rw_socket_perms;
386
387userdebug_or_eng(`perfetto_producer({ system_server })')
388
390# Read file contexts.
390allow system_server file_contexts_file:file r_file_perms;
392# Read access to the mac_permissions configuration.
392allow system_server mac_perms_file: file r_file_perms;
393# Check SELinux permissions.
394selinux_check_access(system_server)
395
396allow system_server sysfs_type:dir search;
397
398r_dir_file(system_server, sysfs_android_usb)
399allow system_server sysfs_android_usb:file w_file_perms;
400
401allow system_server sysfs_extcon:dir r_dir_perms;
402
403r_dir_file(system_server, sysfs_ipv4)
404allow system_server sysfs_ipv4:file w_file_perms;
405
406r_dir_file(system_server, sysfs_rtc)
407r_dir_file(system_server, sysfs_switch)
408
409allow system_server sysfs_nfc_power_writable:file rw_file_perms;
410allow system_server sysfs_power:dir search;
411allow system_server sysfs_power:file rw_file_perms;
412allow system_server sysfs_thermal:dir search;
413allow system_server sysfs_thermal:file r_file_perms;
414allow system_server sysfs_uhid:dir r_dir_perms;
415allow system_server sysfs_uhid:file rw_file_perms;
416
417# TODO: Remove when HALs are forced into separate processes
418allow system_server sysfs_vibrator:file { write append };
419
420# TODO: added to match above sysfs rule. Remove me?
421allow system_server sysfs_usb:file w_file_perms;
422
423# Access devices.
424allow system_server device:dir r_dir_perms;
425allow system_server mdns_socket:sock_file rw_file_perms;
426allow system_server gpu_device:chr_file rw_file_perms;
427allow system_server input_device:dir r_dir_perms;
428allow system_server input_device:chr_file rw_file_perms;
429allow system_server tty_device:chr_file rw_file_perms;
430allow system_server usbaccessory_device:chr_file rw_file_perms;
431allow system_server video_device:dir r_dir_perms;
432allow system_server video_device:chr_file rw_file_perms;
433allow system_server adbd_socket:sock_file rw_file_perms;
434allow system_server rtc_device:chr_file rw_file_perms;
435allow system_server audio_device:dir r_dir_perms;
436
437# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
438allow system_server audio_device:chr_file rw_file_perms;
439
440# tun device used for 3rd party vpn apps
441allow system_server tun_device:chr_file rw_file_perms;
442allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
443
444# Manage data/ota_package
445allow system_server ota_package_file:dir rw_dir_perms;
446allow system_server ota_package_file:file create_file_perms;
447
448# Manage system data files.
449allow system_server system_data_file:dir create_dir_perms;
450allow system_server system_data_file:notdevfile_class_set create_file_perms;
451allow system_server packages_list_file:file create_file_perms;
452allow system_server keychain_data_file:dir create_dir_perms;
453allow system_server keychain_data_file:file create_file_perms;
454allow system_server keychain_data_file:lnk_file create_file_perms;
455
456# Manage /data/app.
457allow system_server apk_data_file:dir create_dir_perms;
458allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
459allow system_server apk_tmp_file:dir create_dir_perms;
460allow system_server apk_tmp_file:file create_file_perms;
461
462# Access input configuration files in the /vendor directory
463r_dir_file(system_server, vendor_keylayout_file)
464r_dir_file(system_server, vendor_keychars_file)
465r_dir_file(system_server, vendor_idc_file)
466
467# Access /vendor/{app,framework,overlay}
468r_dir_file(system_server, vendor_app_file)
469r_dir_file(system_server, vendor_framework_file)
470r_dir_file(system_server, vendor_overlay_file)
471
472# Manage /data/app-private.
473allow system_server apk_private_data_file:dir create_dir_perms;
474allow system_server apk_private_data_file:file create_file_perms;
475allow system_server apk_private_tmp_file:dir create_dir_perms;
476allow system_server apk_private_tmp_file:file create_file_perms;
477
478# Manage files within asec containers.
479allow system_server asec_apk_file:dir create_dir_perms;
480allow system_server asec_apk_file:file create_file_perms;
481allow system_server asec_public_file:file create_file_perms;
482
483# Manage /data/anr.
484#
485# TODO: Some of these permissions can be withdrawn once we've switched to the
486# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
487# the system_server should never need to create a new anr_data_file:file or write
488# to one, but it will still need to read and append to existing files.
489allow system_server anr_data_file:dir create_dir_perms;
490allow system_server anr_data_file:file create_file_perms;
491
492# New stack dumping scheme : request an output FD from tombstoned via a unix
493# domain socket.
494#
495# Allow system_server to connect and write to the tombstoned java trace socket in
496# order to dump its traces. Also allow the system server to write its traces to
497# dumpstate during bugreport capture and incidentd during incident collection.
498unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
499allow system_server tombstoned:fd use;
500allow system_server dumpstate:fifo_file append;
501allow system_server incidentd:fifo_file append;
502# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
503userdebug_or_eng(`
504  allow system_server su:fifo_file append;
505')
506
507# Allow system_server to read pipes from incidentd (used to deliver incident reports
508# to dropbox)
509allow system_server incidentd:fifo_file read;
510
512# Read-only access to /data/misc/incidents. The fd will be sent over binder,
513# without DAC access to the file itself, for dropbox to read.
513allow system_server incident_data_file:file read;
514
515# Manage /data/misc/prereboot.
516allow system_server prereboot_data_file:dir rw_dir_perms;
517allow system_server prereboot_data_file:file create_file_perms;
518
519# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
520# binder.
521allow system_server perfetto_traces_data_file:file read;
522allow system_server perfetto:fd use;
523
524# Manage /data/backup.
525allow system_server backup_data_file:dir create_dir_perms;
526allow system_server backup_data_file:file create_file_perms;
527
528# Write to /data/system/dropbox
529allow system_server dropbox_data_file:dir create_dir_perms;
530allow system_server dropbox_data_file:file create_file_perms;
531
532# Write to /data/system/heapdump
533allow system_server heapdump_data_file:dir rw_dir_perms;
534allow system_server heapdump_data_file:file create_file_perms;
535
536# Manage /data/misc/adb.
537allow system_server adb_keys_file:dir create_dir_perms;
538allow system_server adb_keys_file:file create_file_perms;
539
540# Manage /data/misc/appcompat.
541allow system_server appcompat_data_file:dir rw_dir_perms;
542allow system_server appcompat_data_file:file create_file_perms;
543
544# Manage /data/misc/emergencynumberdb
545allow system_server emergency_data_file:dir create_dir_perms;
546allow system_server emergency_data_file:file create_file_perms;
547
548# Manage /data/misc/network_watchlist
549allow system_server network_watchlist_data_file:dir create_dir_perms;
550allow system_server network_watchlist_data_file:file create_file_perms;
551
552# Manage /data/misc/sms.
553# TODO:  Split into a separate type?
554allow system_server radio_data_file:dir create_dir_perms;
555allow system_server radio_data_file:file create_file_perms;
556
557# Manage /data/misc/systemkeys.
558allow system_server systemkeys_data_file:dir create_dir_perms;
559allow system_server systemkeys_data_file:file create_file_perms;
560
561# Manage /data/misc/textclassifier.
562allow system_server textclassifier_data_file:dir create_dir_perms;
563allow system_server textclassifier_data_file:file create_file_perms;
564
565# Access /data/tombstones.
566allow system_server tombstone_data_file:dir r_dir_perms;
567allow system_server tombstone_data_file:file r_file_perms;
568
569# Allow write access to be able to truncate tombstones.
570allow system_server tombstone_data_file:file write;
571
572# Manage /data/misc/vpn.
573allow system_server vpn_data_file:dir create_dir_perms;
574allow system_server vpn_data_file:file create_file_perms;
575
576# Manage /data/misc/wifi.
577allow system_server wifi_data_file:dir create_dir_perms;
578allow system_server wifi_data_file:file create_file_perms;
579
580# Manage /data/misc/zoneinfo.
581allow system_server zoneinfo_data_file:dir create_dir_perms;
582allow system_server zoneinfo_data_file:file create_file_perms;
583
584# Manage /data/app-staging.
585allow system_server staging_data_file:dir create_dir_perms;
586allow system_server staging_data_file:file create_file_perms;
587
588# Manage /data/rollback.
589allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
590
591# Walk /data/data subdirectories.
592allow system_server app_data_file_type:dir { getattr read search };
593
594# Also permit for unlabeled /data/data subdirectories and
595# for unlabeled asec containers on upgrades from 4.2.
596allow system_server unlabeled:dir r_dir_perms;
597# Read pkg.apk file before it has been relabeled by vold.
598allow system_server unlabeled:file r_file_perms;
599
600# Populate com.android.providers.settings/databases/settings.db.
601allow system_server system_app_data_file:dir create_dir_perms;
602allow system_server system_app_data_file:file create_file_perms;
603
604# Receive and use open app data files passed over binder IPC.
605allow system_server app_data_file_type:file { getattr read write append map };
606
607# Access to /data/media for measuring disk usage.
608allow system_server media_rw_data_file:dir { search getattr open read };
609
610# Receive and use open /data/media files passed over binder IPC.
611# Also used for measuring disk usage.
612allow system_server media_rw_data_file:file { getattr read write append };
613
615# system_server needs setfscreate in order to label /data/system/packages.list as
616# packages_list_file when writing it.
616allow system_server system_server:process setfscreate;
617
618# Relabel apk files.
619allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
620allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
621# Allow PackageManager to:
622# 1. rename file from /data/app-staging folder to /data/app
623# 2. relabel files (linked to /data/rollback) under /data/app-staging
624# during staged apk/apex install.
625allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
626
627# Relabel wallpaper.
628allow system_server system_data_file:file relabelfrom;
629allow system_server wallpaper_file:file relabelto;
630allow system_server wallpaper_file:file { rw_file_perms rename unlink };
631
632# Backup of wallpaper imagery uses temporary hard links to avoid data churn
633allow system_server { system_data_file wallpaper_file }:file link;
634
635# ShortcutManager icons
636allow system_server system_data_file:dir relabelfrom;
637allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
638allow system_server shortcut_manager_icons:file create_file_perms;
639
640# Manage ringtones.
641allow system_server ringtone_file:dir { create_dir_perms relabelto };
642allow system_server ringtone_file:file create_file_perms;
643
644# Relabel icon file.
645allow system_server icon_file:file relabelto;
646allow system_server icon_file:file { rw_file_perms unlink };
647
648# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
649allow system_server system_data_file:dir relabelfrom;
650
652# server_configurable_flags_data_file stores the server configurable flags which
653# have been reset during the current boot. system_server needs to read the data to perform
654# related disaster recovery actions.
654allow system_server server_configurable_flags_data_file:dir r_dir_perms;
655allow system_server server_configurable_flags_data_file:file r_file_perms;
656
657# Property Service write
658set_prop(system_server, system_prop)
659set_prop(system_server, bootanim_system_prop)
660set_prop(system_server, exported_system_prop)
661set_prop(system_server, exported3_system_prop)
662set_prop(system_server, safemode_prop)
663set_prop(system_server, theme_prop)
664set_prop(system_server, dhcp_prop)
665set_prop(system_server, net_connectivity_prop)
666set_prop(system_server, net_radio_prop)
667set_prop(system_server, net_dns_prop)
668set_prop(system_server, usb_control_prop)
669set_prop(system_server, usb_prop)
670set_prop(system_server, debug_prop)
671set_prop(system_server, powerctl_prop)
672set_prop(system_server, fingerprint_prop)
673set_prop(system_server, device_logging_prop)
674set_prop(system_server, dumpstate_options_prop)
675set_prop(system_server, overlay_prop)
676set_prop(system_server, exported_overlay_prop)
677set_prop(system_server, pm_prop)
678set_prop(system_server, exported_pm_prop)
679set_prop(system_server, socket_hook_prop)
680set_prop(system_server, audio_prop)
681set_prop(system_server, boot_status_prop)
682set_prop(system_server, surfaceflinger_color_prop)
683set_prop(system_server, provisioned_prop)
684set_prop(system_server, retaildemo_prop)
685userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
686
687# ctl interface
688set_prop(system_server, ctl_default_prop)
689set_prop(system_server, ctl_bugreport_prop)
690set_prop(system_server, ctl_gsid_prop)
691
692# cppreopt property
693set_prop(system_server, cppreopt_prop)
694
695# server configurable flags properties
696set_prop(system_server, device_config_input_native_boot_prop)
697set_prop(system_server, device_config_netd_native_prop)
698set_prop(system_server, device_config_activity_manager_native_boot_prop)
699set_prop(system_server, device_config_runtime_native_boot_prop)
700set_prop(system_server, device_config_runtime_native_prop)
701set_prop(system_server, device_config_media_native_prop)
702set_prop(system_server, device_config_profcollect_native_boot_prop)
703set_prop(system_server, device_config_statsd_native_prop)
704set_prop(system_server, device_config_statsd_native_boot_prop)
705set_prop(system_server, device_config_storage_native_boot_prop)
706set_prop(system_server, device_config_swcodec_native_prop)
707set_prop(system_server, device_config_sys_traced_prop)
708set_prop(system_server, device_config_window_manager_native_boot_prop)
709set_prop(system_server, device_config_configuration_prop)
710set_prop(system_server, device_config_connectivity_prop)
711
712
713# Allow query ART device config properties
714get_prop(system_server, device_config_runtime_native_boot_prop)
715get_prop(system_server, device_config_runtime_native_prop)
716
717# BootReceiver to read ro.boot.bootreason
718get_prop(system_server, bootloader_boot_reason_prop)
719# PowerManager to read sys.boot.reason
720get_prop(system_server, system_boot_reason_prop)
721
722# Collect metrics on boot time created by init
723get_prop(system_server, boottime_prop)
724
725# Read device's serial number from system properties
726get_prop(system_server, serialno_prop)
727
728# Read/write the property which keeps track of whether this is the first start of system_server
729set_prop(system_server, firstboot_prop)
730
731# Audio service in system server can read audio config properties,
732# such as camera shutter enforcement
733get_prop(system_server, audio_config_prop)
734
736# system_server reads this property to keep track of whether server configurable flags have
737# been reset during the current boot.
737get_prop(system_server, device_config_reset_performed_prop)
738
739# Read/write the property that enables Test Harness Mode
740set_prop(system_server, test_harness_prop)
741
742# Read gsid.image_running.
743get_prop(system_server, gsid_prop)
744
745# Read the property that mocks an OTA
746get_prop(system_server, mock_ota_prop)
747
748# Read the property as feature flag for protecting apks with fs-verity.
749get_prop(system_server, apk_verity_prop)
750
751# Read wifi.interface
752get_prop(system_server, wifi_prop)
753
755# Read the vendor property that indicates whether Incremental features are enabled
755get_prop(system_server, incremental_prop)
756
757# Read ro.zram. properties
758get_prop(system_server, zram_config_prop)
759
760# Read/write persist.sys.zram_enabled
761set_prop(system_server, zram_control_prop)
762
763# Read/write persist.sys.dalvik.vm.lib.2
764set_prop(system_server, dalvik_runtime_prop)
765
766# Read ro.control_privapp_permissions and ro.cp_system_other_odex
767get_prop(system_server, packagemanager_config_prop)
768
769# Read the net.464xlat.cellular.enabled property (written by init).
770get_prop(system_server, net_464xlat_fromvendor_prop)
771
# Sockets, /cache, app-handed descriptors, USB, log and sysfs access for system_server.
772# Create the socket that crash_dump connects to (historically debuggerd). Only crash_dump,
# init and system_server may open/write it, see the neverallow section of this file.
773allow system_server system_ndebug_socket:sock_file create_file_perms;
774
775# Create a socket for connections from zygotes (only zygote, app_zygote, webview_zygote,
# init and system_server may open/write it, see the neverallow section of this file).
776allow system_server system_unsolzygote_socket:sock_file create_file_perms;
777
778# Manage cache files.
# relabelfrom only lets entries be moved away from these labels; the destination type's
# relabelto is granted separately.
779allow system_server cache_file:lnk_file r_file_perms;
780allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
781allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
782allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
783
784allow system_server system_file:dir r_dir_perms;
785allow system_server system_file:lnk_file r_file_perms;
786
787# ART locks profile files.
788allow system_server system_file:file lock;
789
790# LocationManager(e.g, GPS) needs to read and write
791# to uart driver and ctrl proc entry
792allow system_server gps_control:file rw_file_perms;
793
794# Allow system_server to use app-created sockets and pipes.
# The permission sets contain no create/bind/connect, so these are descriptors handed to
# system_server by the app (presumably over Binder), not objects it opens itself.
795allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
796allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
797
798# BackupManagerService needs to manipulate backup data files
799allow system_server cache_backup_file:dir rw_dir_perms;
800allow system_server cache_backup_file:file create_file_perms;
801# LocalTransport works inside /cache/backup
802allow system_server cache_private_backup_file:dir create_dir_perms;
803allow system_server cache_private_backup_file:file create_file_perms;
804
805# Allow system to talk to usb device
806allow system_server usb_device:chr_file rw_file_perms;
807allow system_server usb_device:dir r_dir_perms;
808
809# Read and delete files under /dev/fscklogs.
810r_dir_file(system_server, fscklogs)
811allow system_server fscklogs:dir { write remove_name };
812allow system_server fscklogs:file unlink;
813
814# logd access: system_server inherits logd's write socket from zygote
815# (this is intended to be deprecated in the long term)
816allow system_server zygote:unix_dgram_socket write;
817
818# Read from log daemon.
819read_logd(system_server)
820read_runtime_log_tags(system_server)
821
822# Be consistent with DAC permissions. Allow system_server to write to
823# /sys/module/lowmemorykiller/parameters/adj
824# /sys/module/lowmemorykiller/parameters/minfree
825allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
826
827# Read /sys/fs/pstore/console-ramoops
828# Don't worry about overly broad permissions for now, as there's
829# only one file in /sys/fs/pstore
830allow system_server pstorefs:dir r_dir_perms;
831allow system_server pstorefs:file r_file_perms;
832
833# /sys access
834allow system_server sysfs_zram:dir search;
835allow system_server sysfs_zram:file rw_file_perms;
836
# Binder services system_server registers (add_service) or may look up in servicemanager
# (find). 'find' only allows the lookup; calling a service additionally needs binder call
# permission to the hosting domain.
837add_service(system_server, system_server_service);
838allow system_server audioserver_service:service_manager find;
839allow system_server authorization_service:service_manager find;
840allow system_server batteryproperties_service:service_manager find;
841allow system_server cameraserver_service:service_manager find;
842allow system_server dataloader_manager_service:service_manager find;
843allow system_server dnsresolver_service:service_manager find;
844allow system_server drmserver_service:service_manager find;
845allow system_server dumpstate_service:service_manager find;
846allow system_server fingerprintd_service:service_manager find;
847allow system_server gatekeeper_service:service_manager find;
848allow system_server gpu_service:service_manager find;
849allow system_server gsi_service:service_manager find;
850allow system_server idmap_service:service_manager find;
851allow system_server incident_service:service_manager find;
852allow system_server incremental_service:service_manager find;
853allow system_server installd_service:service_manager find;
854allow system_server iorapd_service:service_manager find;
855allow system_server keystore_maintenance_service:service_manager find;
856allow system_server keystore_metrics_service:service_manager find;
857allow system_server keystore_service:service_manager find;
858allow system_server mediaserver_service:service_manager find;
859allow system_server mediametrics_service:service_manager find;
860allow system_server mediaextractor_service:service_manager find;
861allow system_server mediadrmserver_service:service_manager find;
862allow system_server mediatuner_service:service_manager find;
863allow system_server netd_service:service_manager find;
864allow system_server nfc_service:service_manager find;
865allow system_server radio_service:service_manager find;
866allow system_server stats_service:service_manager find;
867allow system_server storaged_service:service_manager find;
868allow system_server surfaceflinger_service:service_manager find;
869allow system_server update_engine_service:service_manager find;
870allow system_server vold_service:service_manager find;
871allow system_server wifinl80211_service:service_manager find;
# Debug-only lookup; not present on user builds.
872userdebug_or_eng(`
873  allow system_server profcollectd_service:service_manager find;
874')
875
876add_service(system_server, batteryproperties_service)
877
# Keystore access. keystore_key is presumably the legacy (pre-Keystore 2.0) class; keystore2 and
# keystore2_key are the Keystore 2.0 classes. Each list below is an explicit enumeration so a
# new operation cannot be picked up implicitly.
878allow system_server keystore:keystore_key {
879	get_state
880	get
881	insert
882	delete
883	exist
884	list
885	reset
886	password
887	lock
888	unlock
889	is_empty
890	sign
891	verify
892	grant
893	duplicate
894	clear_uid
895	add_auth
896	user_changed
897};
898
# Privileged user/device-state operations on the keystore service itself (auth tokens,
# lock/unlock, reset, password and user changes, per-UID and per-namespace clearing).
899allow system_server keystore:keystore2 {
900	add_auth
901	change_password
902	change_user
903	clear_ns
904	clear_uid
905	get_state
906	lock
907	pull_metrics
908	reset
909	unlock
910};
911
# Key-level operations on keys labeled with the keystore type.
912allow system_server keystore:keystore2_key {
913	delete
914	use_dev_id
915	grant
916	get_info
917	rebind
918	update
919	use
920};
921
922# Allow Wifi module to manage Wi-Fi keys.
923allow system_server wifi_key:keystore2_key {
924	delete
925	get_info
926	rebind
927	update
928	use
929};
930
931# Allow lock_settings service to manage RoR keys.
932allow system_server resume_on_reboot_key:keystore2_key {
933	delete
934	get_info
935	rebind
936	update
937	use
938};
939
940# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
941allow system_server locksettings_key:keystore2_key {
942	delete
943	get_info
944	rebind
945	update
946	use
947};
948
949
# Block device, cgroup, storage, fingerprint, debug-tracing, AppFuse, configfs and adbd access.
950# Allow system server to search and write to the persistent factory reset
951# protection partition. This block device does not get wiped in a factory reset.
# The BLKDISCARD/BLKSECDISCARD ioctls allow wiping the partition contents. The neverallow
# section of this file restricts system_server's block-device r/w access to this one device.
952allow system_server block_device:dir search;
953allow system_server frp_block_device:blk_file rw_file_perms;
954allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
955
956# Create new process groups and clean up old cgroups
957allow system_server cgroup:dir { remove_name rmdir };
958allow system_server cgroup_v2:dir create_dir_perms;
959allow system_server cgroup_v2:file { r_file_perms setattr };
960
961# /oem access
962r_dir_file(system_server, oemfs)
963
964# Allow resolving per-user storage symlinks
965allow system_server { mnt_user_file storage_file }:dir { getattr search };
966allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
967
968# Allow statfs() on storage devices, which happens fast enough that
969# we shouldn't be killed during unsafe removal
# (only getattr/search: open, read and write on sdcard_type are denied by a neverallow
# in the neverallow section of this file).
970allow system_server sdcard_type:dir { getattr search };
971
972# Traverse into expanded storage
973allow system_server mnt_expand_file:dir r_dir_perms;
974
975# Allow system process to relabel the fingerprint directory after mkdir
976# and delete the directory and files when no longer needed
977allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
978allow system_server fingerprintd_data_file:file { getattr unlink };
979
# Debug-only trace and kernel-log access; none of this is granted on user builds.
980userdebug_or_eng(`
981  # Allow system server to create and write method traces in /data/misc/trace.
982  allow system_server method_trace_data_file:dir w_dir_perms;
983  allow system_server method_trace_data_file:file { create w_file_perms };
984
985  # Allow system server to read dmesg (the kernel log may contain kernel addresses and
  # crash details, which is why this stays userdebug/eng only).
986  allow system_server kernel:system syslog_read;
987
988  # Allow writing and removing window traces in /data/misc/wmtrace.
989  allow system_server wm_trace_data_file:dir rw_dir_perms;
990  allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
991
992  # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
993  allow system_server accessibility_trace_data_file:dir rw_dir_perms;
994  allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
995')
996
997# For AppFuse. The fuse descriptor is obtained from vold (fd use); system_server does not
# open fuse_device on its own (no open permission here).
998allow system_server vold:fd use;
999allow system_server fuse_device:chr_file { read write ioctl getattr };
1000allow system_server app_fuse_file:file { read write getattr };
1001
1002# For configuring sdcardfs
1003allow system_server configfs:dir { create_dir_perms };
1004allow system_server configfs:file { getattr open create unlink write };
1005
1006# Connect to adbd and use a socket transferred from it.
1007# Used for e.g. jdwp.
1008allow system_server adbd:unix_stream_socket connectto;
1009allow system_server adbd:fd use;
1010allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
1011
1012# Read service.adb.tls.port, persist.adb.wifi. properties
1013get_prop(system_server, adbd_prop)
1014
1015# Set persist.adb.tls_server.enable property
1016set_prop(system_server, system_adbd_prop)
1017
# In-domain exec, fs-verity, OTA postinstall, /proc, debugfs, BPF, ART profile, property and
# font handling for system_server.
1018# Allow invoking tools like "timeout". This executes the binary inside the system_server
# domain: the neverallow section forbids any transition other than to crash_dump and lists
# toolbox_exec as an explicit execute_no_trans exception.
1019allow system_server toolbox_exec:file rx_file_perms;
1020
1021# Allow system process to setup and measure fs-verity.
# allowxperm only narrows which ioctl numbers are permitted; the base apk_data_file:file
# ioctl permission is granted elsewhere (not in this section).
1022allowxperm system_server apk_data_file:file ioctl {
1023  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
1024};
1025
1026# Postinstall
1027#
1028# For OTA dexopt, allow calls coming from postinstall.
1029binder_call(system_server, postinstall)
1030
1031allow system_server postinstall:fifo_file write;
1032allow system_server update_engine:fd use;
1033allow system_server update_engine:fifo_file write;
1034
1035# Access to /data/preloads (read and delete only; no write or create).
1036allow system_server preloads_data_file:file { r_file_perms unlink };
1037allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
1038allow system_server preloads_media_file:file { r_file_perms unlink };
1039allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
1040
1041r_dir_file(system_server, cgroup)
1042r_dir_file(system_server, cgroup_v2)
1043allow system_server ion_device:chr_file r_file_perms;
1044
1045# Access to /dev/dma_heap/system
1046allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
1047# Access to /dev/dma_heap/system-secure
1048allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
1049
# Read-only /proc access, enumerated per type rather than granted on proc as a whole.
1050r_dir_file(system_server, proc_asound)
1051r_dir_file(system_server, proc_net_type)
1052r_dir_file(system_server, proc_qtaguid_stat)
1053allow system_server {
1054  proc_cmdline
1055  proc_loadavg
1056  proc_locks
1057  proc_meminfo
1058  proc_pagetypeinfo
1059  proc_pipe_conf
1060  proc_stat
1061  proc_uid_cputime_showstat
1062  proc_uid_io_stats
1063  proc_uid_time_in_state
1064  proc_uid_concurrent_active_time
1065  proc_uid_concurrent_policy_time
1066  proc_version
1067  proc_vmallocinfo
1068}:file r_file_perms;
1069
1070allow system_server proc_uid_time_in_state:dir r_dir_perms;
1071allow system_server proc_uid_cpupower:file r_file_perms;
1072
1073r_dir_file(system_server, rootfs)
1074
1075# Allow WifiService to start, stop, and read wifi-specific trace events.
1076allow system_server debugfs_tracing_instances:dir search;
1077allow system_server debugfs_wifi_tracing:dir search;
1078allow system_server debugfs_wifi_tracing:file rw_file_perms;
1079
1080# Allow BootReceiver to watch trace error_report events.
1081allow system_server debugfs_bootreceiver_tracing:dir search;
1082allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
1083
1084# Allow system_server to read tracepoint ids in order to attach BPF programs to them
# (the matching perf_event permissions are near the end of this file).
1085allow system_server debugfs_tracing:file r_file_perms;
1086
1087# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
1088# asanwrapper. These are the only extra execute_no_trans exceptions in the neverallow section,
# and they exist only on ASAN builds.
1089with_asan(`
1090  allow system_server shell_exec:file rx_file_perms;
1091  allow system_server asanwrapper_exec:file rx_file_perms;
1092  allow system_server zygote_exec:file rx_file_perms;
1093')
1094
1095# allow system_server to read the eBPF maps that stores the traffic stats information and update
1096# the map after snapshot is recorded, and to read, update and run the maps and programs used for
1097# time in state accounting
1098allow system_server fs_bpf:dir search;
1099allow system_server fs_bpf:file { read write };
1100allow system_server bpfloader:bpf { map_read map_write prog_run };
1101
1102# ART Profiles.
1103# Allow system_server to open profile snapshots for read.
1104# System server never reads the actual content. It passes the descriptor to
1105# to privileged apps which acquire the permissions to inspect the profiles.
# Note that 'read' is granted here, so "never reads" is a code convention rather than
# something this policy enforces.
1106allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
1107allow system_server user_profile_data_file:file { getattr open read };
1108
1109# System server may dump profile data for debuggable apps in the /data/misc/profman.
1110# As such it needs to be able create files but it should never read from them
# (the file permission set below contains no read, so this one is enforced).
1111allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
1112allow system_server profman_dump_data_file:dir w_dir_perms;
1113
1114# On userdebug build we may profile system server. Allow it to write and create its own profile.
1115userdebug_or_eng(`
1116  allow system_server user_profile_data_file:file create_file_perms;
1117')
1118# Allow system server to load JVMTI agents under control of a property
# (readers of that property are restricted by a neverallow near the end of this file).
1119get_prop(system_server,system_jvmti_agent_prop)
1120
1121# UsbDeviceManager uses /dev/usb-ffs
1122allow system_server functionfs:dir search;
1123allow system_server functionfs:file rw_file_perms;
1124
1125# system_server contains time / time zone detection logic so reads the associated properties.
1126get_prop(system_server, time_prop)
1127
1128# system_server reads this property to know it should expect the lmkd sends notification to it
1129# on low memory kills.
1130get_prop(system_server, system_lmk_prop)
1131
# Read wifi_config_prop; readers are restricted by a neverallow near the end of this file.
1132get_prop(system_server, wifi_config_prop)
1133
1134# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
# (enforced by the neverallowxperm at the end of this file).
1135allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
1136
1137# Watchdog prints debugging log to /dev/kmsg_debug.
1138userdebug_or_eng(`
1139  allow system_server kmsg_debug_device:chr_file { open append getattr };
1140')
1141# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
1142get_prop(system_server, framework_watchdog_config_prop)
1143
1144
1145# Font files are written by system server. Only system_server and init may write them
# (neverallow at the end of this file).
1146allow system_server font_data_file:file create_file_perms;
1147allow system_server font_data_file:dir create_dir_perms;
1148# Allow system process to setup fs-verity for font files. Only FS_IOC_ENABLE_VERITY is
# granted here, not FS_IOC_MEASURE_VERITY.
1149allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
1150
1151# Read qemu.hw.mainkeys property
1152get_prop(system_server, qemu_hw_prop)
1153
1154# Allow system server to read profcollectd reports for upload.
1155userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
1156
1157###
1158### Neverallow rules
1159###
1160### system_server should NEVER do any of this.
### These are compile-time assertions: any allow rule elsewhere in the policy that
### contradicts one of them fails the policy build, so they pin the invariants below
### against future rule additions.
1161
1162# Do not allow opening files from external storage as unsafe ejection
1163# could cause the kernel to kill the system_server.
1164neverallow system_server sdcard_type:dir { open read write };
1165neverallow system_server sdcard_type:file rw_file_perms;
1166
1167# system server should never be operating on zygote spawned app data
1168# files directly. Rather, they should always be passed via a
1169# file descriptor.
1170# Exclude those types that system_server needs to open directly.
# create/unlink/link are included so system_server can neither plant nor alias app files.
1171neverallow system_server {
1172  app_data_file_type
1173  -system_app_data_file
1174  -radio_data_file
1175}:file { open create unlink link };
1176
1177# Forking and execing is inherently dangerous and racy. See, for
1178# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
1179# Prevent the addition of new file execs to stop the problem from
1180# getting worse. b/28035297
# toolbox_exec is granted earlier in this file; the logcat_exec allow lives elsewhere.
1181neverallow system_server {
1182  file_type
1183  -toolbox_exec
1184  -logcat_exec
1185  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
1186}:file execute_no_trans;
1187
1188# Ensure that system_server doesn't perform any domain transitions other than
1189# transitioning to the crash_dump domain when a crash occurs.
1190neverallow system_server { domain -crash_dump }:process transition;
1191neverallow system_server *:process dyntransition;
1192
1193# Only allow crash_dump to connect to system_ndebug_socket.
1194neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
1195
1196# Only allow zygotes to connect to system_unsolzygote_socket.
1197neverallow {
1198  domain
1199  -init
1200  -system_server
1201  -zygote
1202  -app_zygote
1203  -webview_zygote
1204} system_unsolzygote_socket:sock_file { open write };
1205
1206# Only allow init, system_server, flags_health_check to set properties for server configurable flags
# NOTE(review): device_config_configuration_prop, which system_server set_prop's near the top
# of this file, is not in this list; confirm that is intentional.
1207neverallow {
1208  domain
1209  -init
1210  -system_server
1211  -flags_health_check
1212} {
1213  device_config_activity_manager_native_boot_prop
1214  device_config_connectivity_prop
1215  device_config_input_native_boot_prop
1216  device_config_netd_native_prop
1217  device_config_runtime_native_boot_prop
1218  device_config_runtime_native_prop
1219  device_config_media_native_prop
1220  device_config_storage_native_boot_prop
1221  device_config_sys_traced_prop
1222  device_config_swcodec_native_prop
1223  device_config_window_manager_native_boot_prop
1224}:property_service set;
1225
1226# system_server should never be executing dex2oat. This is either
1227# a bug (for example, bug 16317188), or represents an attempt by
1228# system server to dynamically load a dex file, something we do not
1229# want to allow.
1230neverallow system_server dex2oat_exec:file no_x_file_perms;
1231
1232# system_server should never execute or load executable shared libraries
1233# in /data. Executable files in /data are a persistence vector.
1234# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
1235neverallow system_server data_file_type:file no_x_file_perms;
1236
1237# The only block device system_server should be accessing is
1238# the frp_block_device. This helps avoid a system_server to root
1239# escalation by writing to raw block devices.
1240neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
1241
1242# system_server should never use JIT functionality
1243# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
1244# in the section titled "A Short ROP Chain" for why.
1245# However, in emulator builds without OpenGL passthrough, we use software
1246# rendering via SwiftShader, which requires JIT support. These builds are
1247# never shipped to users.
# On every other build the execmem line below is a neverallow, so anonymous executable
# memory in system_server is rejected at policy build time.
1248ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
1249  `allow system_server self:process execmem;',
1250  `neverallow system_server self:process execmem;')
1251neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
1252
1253# TODO: deal with tmpfs_domain pub/priv split properly
1254neverallow system_server system_server_tmpfs:file execute;
1255
# Startup hand-off, APEX, system-suspend and /metadata access for system_server.
1256# Resources handed off by system_server_startup
1257allow system_server system_server_startup:fd use;
1258allow system_server system_server_startup_tmpfs:file { read write map };
1259allow system_server system_server_startup:unix_dgram_socket write;
1260
1261# Allow system server to communicate to apexd
1262allow system_server apex_service:service_manager find;
1263allow system_server apexd:binder call;
1264
1265# Allow system server to scan /apex for flattened APEXes
1266allow system_server apex_mnt_dir:dir r_dir_perms;
1267
1268# Allow system server to read /apex/apex-info-list.xml
1269allow system_server apex_info_file:file r_file_perms;
1270
1271# Allow system server to communicate to system-suspend's control interface
1272allow system_server system_suspend_control_internal_service:service_manager find;
1273allow system_server system_suspend_control_service:service_manager find;
1274binder_call(system_server, system_suspend)
1275binder_call(system_suspend, system_server)
1276
1277# Allow system server to communicate to system-suspend's wakelock interface
1278wakelock_use(system_server)
1279
1280# Allow the system server to read files under /data/apex. The system_server
1281# needs these privileges to compare file signatures while processing installs.
1282#
1283# Only apexd is allowed to create new entries or write to any file under /data/apex.
# (read-only here: getattr/search on the dir and r_file_perms on files).
1284allow system_server apex_data_file:dir { getattr search };
1285allow system_server apex_data_file:file r_file_perms;
1286
1287# Allow the system server to read files under /vendor/apex. This is where
1288# vendor APEX packages might be installed and system_server needs to parse
1289# these packages to inspect the signatures and other metadata.
1290allow system_server vendor_apex_file:dir { getattr search };
1291allow system_server vendor_apex_file:file r_file_perms;
1292
1293# Allow the system server to manage relevant apex module data files.
1294allow system_server apex_module_data_file:dir { getattr search };
1295allow system_server apex_appsearch_data_file:dir create_dir_perms;
1296allow system_server apex_appsearch_data_file:file create_file_perms;
1297allow system_server apex_permission_data_file:dir create_dir_perms;
1298allow system_server apex_permission_data_file:file create_file_perms;
1299allow system_server apex_scheduling_data_file:dir create_dir_perms;
1300allow system_server apex_scheduling_data_file:file create_file_perms;
1301allow system_server apex_wifi_data_file:dir create_dir_perms;
1302allow system_server apex_wifi_data_file:file create_file_perms;
1303
1304# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
1305# communicate which slots are available for use. Every domain other than init and system_server
# is locked out of this type by neverallows near the end of this file.
1306allow system_server metadata_file:dir search;
1307allow system_server password_slot_metadata_file:dir rw_dir_perms;
1308allow system_server password_slot_metadata_file:file create_file_perms;
1309
# /metadata/userspacereboot; likewise restricted to init and system_server by neverallows
# near the end of this file.
1310allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
1311allow system_server userspace_reboot_metadata_file:file create_file_perms;
1312
1313# Allow system server rw access to files in /metadata/staged-install folder
1314allow system_server staged_install_file:dir rw_dir_perms;
1315allow system_server staged_install_file:file create_file_perms;
1316
1317allow system_server watchdog_metadata_file:dir rw_dir_perms;
1318allow system_server watchdog_metadata_file:file create_file_perms;
1319
1320allow system_server gsi_persistent_data_file:dir rw_dir_perms;
1321allow system_server gsi_persistent_data_file:file create_file_perms;
1322
1323# Allow system server read and remove files under /data/misc/odrefresh
1324allow system_server odrefresh_data_file:dir rw_dir_perms;
1325allow system_server odrefresh_data_file:file { r_file_perms unlink };
1326
1327# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
1328allow system_server surfaceflinger_exec:file r_file_perms;
1329
1330# Allow system_server to set the sysprop used to compute stats about userspace reboot
# (the rule grants system_server, not init, despite the earlier wording).
1331set_prop(system_server, userspace_reboot_log_prop)
1332
# Trailing invariants: property readers/setters, ptrace, capabilities, /metadata types,
# perf_event, uhid sysfs, binder freeze ioctls and font files.
1333# JVMTI agent settings are only readable from the system server.
1334neverallow {
1335  domain
1336  -system_server
1337  -dumpstate
1338  -init
1339  -vendor_init
1340} {
1341  system_jvmti_agent_prop
1342}:file no_rw_file_perms;
1343
1344# Read/Write /proc/pressure/memory
1345allow system_server proc_pressure_mem:file rw_file_perms;
1346
1347# dexoptanalyzer is currently used only for secondary dex files which
1348# system_server should never access.
1349neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
1350
1351# No ptracing others (the rule excludes system_server itself, so self-ptrace is not
# forbidden by it).
1352neverallow system_server { domain -system_server }:process ptrace;
1353
1354# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
1355# file read access. However, that is now unnecessary (b/34951864)
1356neverallow system_server system_server:global_capability_class_set sys_resource;
1357
1358# Only system_server/init should access /metadata/password_slots.
# NOTE(review): the third rule below (all permissions, '*') subsumes the second
# ('~{ relabelto getattr }'); the second is redundant but harmless.
1359neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
1360neverallow {
1361  domain
1362  -init
1363  -system_server
1364} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
1365neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
1366
1367# Only system_server/init should access /metadata/userspacereboot.
1368neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
1369neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
1370
1371# Allow systemserver to read/write the invalidation property
1372set_prop(system_server, binder_cache_system_server_prop)
1373neverallow { domain -system_server -init }
1374    binder_cache_system_server_prop:property_service set;
1375
1376# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
1377# system_server cannot use this access to read perf event data like process stacks.
# The neverallow pins the allow set exactly: adding any further perf_event permission
# (e.g. read) to system_server fails the policy build.
1378allow system_server self:perf_event { open write cpu kernel };
1379neverallow system_server self:perf_event ~{ open write cpu kernel };
1380
1381# Do not allow any domain other than init or system server to set the property
1382neverallow { domain -init -system_server } socket_hook_prop:property_service set;
1383
# Same restriction for boot_status_prop.
1384neverallow { domain -init -system_server } boot_status_prop:property_service set;
1385
# wifi_config_prop is readable only by the domains listed here.
1386neverallow {
1387  domain
1388  -init
1389  -vendor_init
1390  -dumpstate
1391  -system_server
1392} wifi_config_prop:file no_rw_file_perms;
1393
1394# Only allow system server to write uhid sysfs files
1395neverallow {
1396    domain
1397    -init
1398    -system_server
1399    -ueventd
1400    -vendor_init
1401} sysfs_uhid:file no_w_file_perms;
1402
1403# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
1404# can be accessed by system_server only (b/143717177)
1405# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
1406# interface
1407neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
1408
1409# Only system server can write the font files.
1410neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
1411neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
1412
1412