Lines Matching full:system_server
2 # System Server aka system_server spawned by zygote.
6 typeattribute system_server coredomain;
7 typeattribute system_server mlstrustedsubject;
8 typeattribute system_server scheduler_service_server;
9 typeattribute system_server sensor_service_server;
10 typeattribute system_server stats_service_server;
13 tmpfs_domain(system_server)
16 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
19 type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesock…
21 allow system_server zygote_tmpfs:file read;
22 allow system_server appdomain_tmpfs:file { getattr map read write };
25 allow system_server proc_filesystems:file r_file_perms;
28 allow system_server incremental_control_file:file { ioctl r_file_perms };
29 allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_…
32 allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLO…
35 allow system_server dalvikcache_data_file:dir r_dir_perms;
36 allow system_server dalvikcache_data_file:file r_file_perms;
40 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
43 allow system_server resourcecache_data_file:file r_file_perms;
44 allow system_server resourcecache_data_file:dir r_dir_perms;
47 allow system_server self:process ptrace;
50 allow system_server zygote:fd use;
51 allow system_server zygote:process sigchld;
54 allow system_server {
62 allow system_server zygote_exec:file r_file_perms;
65 allow system_server zygote:unix_stream_socket { getopt getattr };
68 net_domain(system_server)
69 # in addition to ioctls allowlisted for all domains, also allow system_server
71 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
72 bluetooth_domain(system_server)
74 # Allow setup of tcp keepalive offload. This gives system_server the permission to
78 allow system_server appdomain:tcp_socket ioctl;
82 allow system_server self:global_capability_class_set {
97 allow system_server kernel:system module_request;
100 allow system_server self:global_capability2_class_set wake_alarm;
103 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
106 allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
109 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
112 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
113 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
116 allow system_server config_gz:file { read open };
122 allow system_server self:socket create_socket_perms_no_ioctl;
125 allow system_server self:netlink_route_socket nlmsg_write;
128 allow system_server appdomain:process { getpgid sigkill signal };
130 allow system_server appdomain:process { signull };
133 allow system_server appdomain:process { getsched setsched };
134 allow system_server audioserver:process { getsched setsched };
135 allow system_server hal_audio:process { getsched setsched };
136 allow system_server hal_bluetooth:process { getsched setsched };
137 allow system_server hal_codec2_server:process { getsched setsched };
138 allow system_server hal_omx_server:process { getsched setsched };
139 allow system_server mediaswcodec:process { getsched setsched };
140 allow system_server cameraserver:process { getsched setsched };
141 allow system_server hal_camera:process { getsched setsched };
142 allow system_server mediaserver:process { getsched setsched };
143 allow system_server bootanim:process { getsched setsched };
147 allow system_server kernel:process { getsched setsched };
149 # Allow system_server to write to /proc/<pid>/*
150 allow system_server domain:file w_file_perms;
153 # within system_server to keep track of memory and CPU usage for
156 r_dir_file(system_server, domain)
159 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
162 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
165 allow system_server proc_sysrq:file rw_file_perms;
168 allow system_server stats_data_file:dir { open read remove_name search write };
169 allow system_server stats_data_file:file unlink;
172 allow system_server debugfs_wakeup_sources:file r_file_perms;
175 allow system_server sysfs_ion:file r_file_perms;
178 allow system_server self:packet_socket create_socket_perms_no_ioctl;
181 allow system_server self:tun_socket create_socket_perms_no_ioctl;
184 unix_socket_connect(system_server, lmkd, lmkd)
185 unix_socket_connect(system_server, mtpd, mtp)
186 unix_socket_connect(system_server, zygote, zygote)
187 unix_socket_connect(system_server, racoon, racoon)
188 unix_socket_connect(system_server, uncrypt, uncrypt)
190 # Allow system_server to write to statsd.
191 unix_socket_send(system_server, statsdw, statsd)
194 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
196 allow system_server gpuservice:unix_stream_socket { read write setopt };
199 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
202 allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
205 binder_use(system_server)
206 binder_call(system_server, appdomain)
207 binder_call(system_server, binderservicedomain)
208 binder_call(system_server, dumpstate)
209 binder_call(system_server, fingerprintd)
210 binder_call(system_server, gatekeeperd)
211 binder_call(system_server, gpuservice)
212 binder_call(system_server, idmap)
213 binder_call(system_server, installd)
214 binder_call(system_server, incidentd)
215 binder_call(system_server, iorapd)
216 binder_call(system_server, netd)
217 binder_call(system_server, notify_traceur)
218 binder_call(system_server, statsd)
219 binder_call(system_server, storaged)
220 binder_call(system_server, update_engine)
221 binder_call(system_server, vold)
222 binder_call(system_server, wificond)
223 binder_call(system_server, wpantund)
224 binder_service(system_server)
227 hal_client_domain(system_server, hal_allocator)
228 hal_client_domain(system_server, hal_audio)
229 hal_client_domain(system_server, hal_authsecret)
230 hal_client_domain(system_server, hal_broadcastradio)
231 hal_client_domain(system_server, hal_codec2)
232 hal_client_domain(system_server, hal_configstore)
233 hal_client_domain(system_server, hal_contexthub)
234 hal_client_domain(system_server, hal_face)
235 hal_client_domain(system_server, hal_fingerprint)
236 hal_client_domain(system_server, hal_gnss)
237 hal_client_domain(system_server, hal_graphics_allocator)
238 hal_client_domain(system_server, hal_health)
239 hal_client_domain(system_server, hal_input_classifier)
240 hal_client_domain(system_server, hal_ir)
241 hal_client_domain(system_server, hal_light)
242 hal_client_domain(system_server, hal_memtrack)
243 hal_client_domain(system_server, hal_neuralnetworks)
244 hal_client_domain(system_server, hal_oemlock)
245 hal_client_domain(system_server, hal_omx)
246 hal_client_domain(system_server, hal_power)
247 hal_client_domain(system_server, hal_power_stats)
248 hal_client_domain(system_server, hal_rebootescrow)
249 hal_client_domain(system_server, hal_sensors)
250 hal_client_domain(system_server, hal_tetheroffload)
251 hal_client_domain(system_server, hal_thermal)
252 hal_client_domain(system_server, hal_tv_cec)
253 hal_client_domain(system_server, hal_tv_input)
254 hal_client_domain(system_server, hal_usb)
255 hal_client_domain(system_server, hal_usb_gadget)
256 hal_client_domain(system_server, hal_vibrator)
257 hal_client_domain(system_server, hal_vr)
258 hal_client_domain(system_server, hal_weaver)
259 hal_client_domain(system_server, hal_wifi)
260 hal_client_domain(system_server, hal_wifi_hostapd)
261 hal_client_domain(system_server, hal_wifi_supplicant)
264 allow system_server hal_graphics_composer:fd use;
267 allow system_server hal_renderscript_hwservice:hwservice_manager find;
268 allow system_server same_process_hal_file:file { execute read open getattr map };
271 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
274 allow system_server hwservicemanager:hwservice_manager list;
277 allow system_server {
318 allow system_server audioserver:tcp_socket rw_socket_perms;
319 allow system_server audioserver:udp_socket rw_socket_perms;
320 allow system_server mediaserver:tcp_socket rw_socket_perms;
321 allow system_server mediaserver:udp_socket rw_socket_perms;
324 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
325 allow system_server mediadrmserver:udp_socket rw_socket_perms;
327 userdebug_or_eng(`perfetto_producer({ system_server })')
330 allow system_server file_contexts_file:file r_file_perms;
332 allow system_server mac_perms_file: file r_file_perms;
334 selinux_check_access(system_server)
336 allow system_server sysfs_type:dir search;
338 r_dir_file(system_server, sysfs_android_usb)
339 allow system_server sysfs_android_usb:file w_file_perms;
341 allow system_server sysfs_extcon:dir r_dir_perms;
343 r_dir_file(system_server, sysfs_ipv4)
344 allow system_server sysfs_ipv4:file w_file_perms;
346 r_dir_file(system_server, sysfs_rtc)
347 r_dir_file(system_server, sysfs_switch)
348 r_dir_file(system_server, sysfs_wakeup_reasons)
350 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
351 allow system_server sysfs_power:dir search;
352 allow system_server sysfs_power:file rw_file_perms;
353 allow system_server sysfs_thermal:dir search;
354 allow system_server sysfs_thermal:file r_file_perms;
357 allow system_server sysfs_vibrator:file { write append };
360 allow system_server sysfs_usb:file w_file_perms;
363 allow system_server device:dir r_dir_perms;
364 allow system_server mdns_socket:sock_file rw_file_perms;
365 allow system_server gpu_device:chr_file rw_file_perms;
366 allow system_server input_device:dir r_dir_perms;
367 allow system_server input_device:chr_file rw_file_perms;
368 allow system_server tty_device:chr_file rw_file_perms;
369 allow system_server usbaccessory_device:chr_file rw_file_perms;
370 allow system_server video_device:dir r_dir_perms;
371 allow system_server video_device:chr_file rw_file_perms;
372 allow system_server adbd_socket:sock_file rw_file_perms;
373 allow system_server rtc_device:chr_file rw_file_perms;
374 allow system_server audio_device:dir r_dir_perms;
377 allow system_server audio_device:chr_file rw_file_perms;
380 allow system_server tun_device:chr_file rw_file_perms;
381 allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
384 allow system_server ota_package_file:dir rw_dir_perms;
385 allow system_server ota_package_file:file create_file_perms;
388 allow system_server system_data_file:dir create_dir_perms;
389 allow system_server system_data_file:notdevfile_class_set create_file_perms;
390 allow system_server packages_list_file:file create_file_perms;
391 allow system_server keychain_data_file:dir create_dir_perms;
392 allow system_server keychain_data_file:file create_file_perms;
393 allow system_server keychain_data_file:lnk_file create_file_perms;
396 allow system_server apk_data_file:dir create_dir_perms;
397 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
398 allow system_server apk_tmp_file:dir create_dir_perms;
399 allow system_server apk_tmp_file:file create_file_perms;
402 r_dir_file(system_server, vendor_keylayout_file)
403 r_dir_file(system_server, vendor_keychars_file)
404 r_dir_file(system_server, vendor_idc_file)
407 r_dir_file(system_server, vendor_app_file)
408 r_dir_file(system_server, vendor_framework_file)
409 r_dir_file(system_server, vendor_overlay_file)
412 allow system_server apk_private_data_file:dir create_dir_perms;
413 allow system_server apk_private_data_file:file create_file_perms;
414 allow system_server apk_private_tmp_file:dir create_dir_perms;
415 allow system_server apk_private_tmp_file:file create_file_perms;
418 allow system_server asec_apk_file:dir create_dir_perms;
419 allow system_server asec_apk_file:file create_file_perms;
420 allow system_server asec_public_file:file create_file_perms;
426 # the system_server should never need to create a new anr_data_file:file or write
428 allow system_server anr_data_file:dir create_dir_perms;
429 allow system_server anr_data_file:file create_file_perms;
434 # Allow system_server to connect and write to the tombstoned java trace socket in
437 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
438 allow system_server tombstoned:fd use;
439 allow system_server dumpstate:fifo_file append;
440 allow system_server incidentd:fifo_file append;
441 # Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
443 allow system_server su:fifo_file append;
446 # Allow system_server to read pipes from incidentd (used to deliver incident reports
448 allow system_server incidentd:fifo_file read;
452 allow system_server incident_data_file:file read;
455 allow system_server prereboot_data_file:dir rw_dir_perms;
456 allow system_server prereboot_data_file:file create_file_perms;
460 allow system_server perfetto_traces_data_file:file read;
461 allow system_server perfetto:fd use;
464 allow system_server backup_data_file:dir create_dir_perms;
465 allow system_server backup_data_file:file create_file_perms;
468 allow system_server dropbox_data_file:dir create_dir_perms;
469 allow system_server dropbox_data_file:file create_file_perms;
472 allow system_server heapdump_data_file:dir rw_dir_perms;
473 allow system_server heapdump_data_file:file create_file_perms;
476 allow system_server adb_keys_file:dir create_dir_perms;
477 allow system_server adb_keys_file:file create_file_perms;
480 allow system_server emergency_data_file:dir create_dir_perms;
481 allow system_server emergency_data_file:file create_file_perms;
484 allow system_server network_watchlist_data_file:dir create_dir_perms;
485 allow system_server network_watchlist_data_file:file create_file_perms;
489 allow system_server radio_data_file:dir create_dir_perms;
490 allow system_server radio_data_file:file create_file_perms;
493 allow system_server systemkeys_data_file:dir create_dir_perms;
494 allow system_server systemkeys_data_file:file create_file_perms;
497 allow system_server textclassifier_data_file:dir create_dir_perms;
498 allow system_server textclassifier_data_file:file create_file_perms;
501 allow system_server tombstone_data_file:dir r_dir_perms;
502 allow system_server tombstone_data_file:file r_file_perms;
505 allow system_server vpn_data_file:dir create_dir_perms;
506 allow system_server vpn_data_file:file create_file_perms;
509 allow system_server wifi_data_file:dir create_dir_perms;
510 allow system_server wifi_data_file:file create_file_perms;
513 allow system_server zoneinfo_data_file:dir create_dir_perms;
514 allow system_server zoneinfo_data_file:file create_file_perms;
517 allow system_server staging_data_file:dir create_dir_perms;
518 allow system_server staging_data_file:file create_file_perms;
522 allow system_server {
534 allow system_server unlabeled:dir r_dir_perms;
536 allow system_server unlabeled:file r_file_perms;
539 allow system_server system_app_data_file:dir create_dir_perms;
540 allow system_server system_app_data_file:file create_file_perms;
544 allow system_server {
555 allow system_server media_rw_data_file:dir { search getattr open read };
559 allow system_server media_rw_data_file:file { getattr read write append };
563 allow system_server system_server:process setfscreate;
566 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
567 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
570 allow system_server system_data_file:file relabelfrom;
571 allow system_server wallpaper_file:file relabelto;
572 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
575 allow system_server { system_data_file wallpaper_file }:file link;
578 allow system_server system_data_file:dir relabelfrom;
579 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
580 allow system_server shortcut_manager_icons:file create_file_perms;
583 allow system_server ringtone_file:dir { create_dir_perms relabelto };
584 allow system_server ringtone_file:file create_file_perms;
587 allow system_server icon_file:file relabelto;
588 allow system_server icon_file:file { rw_file_perms unlink };
591 allow system_server system_data_file:dir relabelfrom;
594 # have been reset during current booting. system_server needs to read the data to perform related
596 allow system_server server_configurable_flags_data_file:dir r_dir_perms;
597 allow system_server server_configurable_flags_data_file:file r_file_perms;
600 set_prop(system_server, system_prop)
601 set_prop(system_server, exported_system_prop)
602 set_prop(system_server, exported2_system_prop)
603 set_prop(system_server, exported3_system_prop)
604 set_prop(system_server, safemode_prop)
605 set_prop(system_server, theme_prop)
606 set_prop(system_server, dhcp_prop)
607 set_prop(system_server, net_radio_prop)
608 set_prop(system_server, net_dns_prop)
609 set_prop(system_server, usb_control_prop)
610 set_prop(system_server, usb_prop)
611 set_prop(system_server, debug_prop)
612 set_prop(system_server, powerctl_prop)
613 set_prop(system_server, fingerprint_prop)
614 set_prop(system_server, device_logging_prop)
615 set_prop(system_server, dumpstate_options_prop)
616 set_prop(system_server, overlay_prop)
617 set_prop(system_server, exported_overlay_prop)
618 set_prop(system_server, pm_prop)
619 set_prop(system_server, exported_pm_prop)
620 set_prop(system_server, socket_hook_prop)
621 set_prop(system_server, audio_prop)
622 set_prop(system_server, boot_status_prop)
623 set_prop(system_server, surfaceflinger_color_prop)
624 set_prop(system_server, provisioned_prop)
625 set_prop(system_server, retaildemo_prop)
626 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
629 set_prop(system_server, ctl_default_prop)
630 set_prop(system_server, ctl_bugreport_prop)
631 set_prop(system_server, ctl_gsid_prop)
634 set_prop(system_server, cppreopt_prop)
637 set_prop(system_server, device_config_input_native_boot_prop)
638 set_prop(system_server, device_config_netd_native_prop)
639 set_prop(system_server, device_config_activity_manager_native_boot_prop)
640 set_prop(system_server, device_config_runtime_native_boot_prop)
641 set_prop(system_server, device_config_runtime_native_prop)
642 set_prop(system_server, device_config_media_native_prop)
643 set_prop(system_server, device_config_storage_native_boot_prop)
644 set_prop(system_server, device_config_sys_traced_prop)
645 set_prop(system_server, device_config_window_manager_native_boot_prop)
646 set_prop(system_server, device_config_configuration_prop)
649 get_prop(system_server, bootloader_boot_reason_prop)
651 get_prop(system_server, system_boot_reason_prop)
654 get_prop(system_server, boottime_prop)
657 get_prop(system_server, serialno_prop)
659 # Read/write the property which keeps track of whether this is the first start of system_server
660 set_prop(system_server, firstboot_prop)
664 get_prop(system_server, audio_config_prop)
668 get_prop(system_server, device_config_reset_performed_prop)
671 set_prop(system_server, test_harness_prop)
674 get_prop(system_server, gsid_prop)
677 get_prop(system_server, mock_ota_prop)
680 get_prop(system_server, apk_verity_prop)
683 get_prop(system_server, wifi_prop)
686 get_prop(system_server, incremental_prop)
689 get_prop(system_server, zram_config_prop)
692 set_prop(system_server, zram_control_prop)
695 set_prop(system_server, dalvik_runtime_prop)
698 get_prop(system_server, packagemanager_config_prop)
701 allow system_server system_ndebug_socket:sock_file create_file_perms;
704 allow system_server system_unsolzygote_socket:sock_file create_file_perms;
707 allow system_server cache_file:lnk_file r_file_perms;
708 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
709 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
710 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
712 allow system_server system_file:dir r_dir_perms;
713 allow system_server system_file:lnk_file r_file_perms;
716 allow system_server system_file:file lock;
720 allow system_server gps_control:file rw_file_perms;
722 # Allow system_server to use app-created sockets and pipes.
723 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown…
724 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
727 allow system_server cache_backup_file:dir rw_dir_perms;
728 allow system_server cache_backup_file:file create_file_perms;
730 allow system_server cache_private_backup_file:dir create_dir_perms;
731 allow system_server cache_private_backup_file:file create_file_perms;
734 allow system_server usb_device:chr_file rw_file_perms;
735 allow system_server usb_device:dir r_dir_perms;
738 allow system_server hw_random_device:chr_file r_file_perms;
741 r_dir_file(system_server, fscklogs)
742 allow system_server fscklogs:dir { write remove_name };
743 allow system_server fscklogs:file unlink;
745 # logd access, system_server inherit logd write socket
747 allow system_server zygote:unix_dgram_socket write;
750 read_logd(system_server)
751 read_runtime_log_tags(system_server)
753 # Be consistent with DAC permissions. Allow system_server to write to
756 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
761 allow system_server pstorefs:dir r_dir_perms;
762 allow system_server pstorefs:file r_file_perms;
765 allow system_server sysfs_zram:dir search;
766 allow system_server sysfs_zram:file rw_file_perms;
768 add_service(system_server, system_server_service);
769 allow system_server audioserver_service:service_manager find;
770 allow system_server batteryproperties_service:service_manager find;
771 allow system_server cameraserver_service:service_manager find;
772 allow system_server dataloader_manager_service:service_manager find;
773 allow system_server dnsresolver_service:service_manager find;
774 allow system_server drmserver_service:service_manager find;
775 allow system_server dumpstate_service:service_manager find;
776 allow system_server fingerprintd_service:service_manager find;
777 allow system_server gatekeeper_service:service_manager find;
778 allow system_server gpu_service:service_manager find;
779 allow system_server gsi_service:service_manager find;
780 allow system_server hal_fingerprint_service:service_manager find;
781 allow system_server idmap_service:service_manager find;
782 allow system_server incident_service:service_manager find;
783 allow system_server incremental_service:service_manager find;
784 allow system_server installd_service:service_manager find;
785 allow system_server iorapd_service:service_manager find;
786 allow system_server keystore_service:service_manager find;
787 allow system_server mediaserver_service:service_manager find;
788 allow system_server mediametrics_service:service_manager find;
789 allow system_server mediaextractor_service:service_manager find;
790 allow system_server mediadrmserver_service:service_manager find;
791 allow system_server netd_service:service_manager find;
792 allow system_server nfc_service:service_manager find;
793 allow system_server radio_service:service_manager find;
794 allow system_server stats_service:service_manager find;
795 allow system_server storaged_service:service_manager find;
796 allow system_server surfaceflinger_service:service_manager find;
797 allow system_server update_engine_service:service_manager find;
798 allow system_server vold_service:service_manager find;
799 allow system_server wifinl80211_service:service_manager find;
801 allow system_server profcollectd_service:service_manager find;
804 add_service(system_server, batteryproperties_service)
806 allow system_server keystore:keystore_key {
829 allow system_server block_device:dir search;
830 allow system_server frp_block_device:blk_file rw_file_perms;
831 allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
834 allow system_server cgroup:dir { remove_name rmdir };
837 r_dir_file(system_server, oemfs)
840 allow system_server { mnt_user_file storage_file }:dir { getattr search };
841 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
845 allow system_server sdcard_type:dir { getattr search };
848 allow system_server mnt_expand_file:dir r_dir_perms;
852 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
853 allow system_server fingerprintd_data_file:file { getattr unlink };
857 allow system_server method_trace_data_file:dir w_dir_perms;
858 allow system_server method_trace_data_file:file { create w_file_perms };
861 allow system_server kernel:system syslog_read;
864 allow system_server wm_trace_data_file:dir rw_dir_perms;
865 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
869 allow system_server vold:fd use;
870 allow system_server fuse_device:chr_file { read write ioctl getattr };
871 allow system_server app_fuse_file:file { read write getattr };
874 allow system_server configfs:dir { create_dir_perms };
875 allow system_server configfs:file { getattr open create unlink write };
879 allow system_server adbd:unix_stream_socket connectto;
880 allow system_server adbd:fd use;
881 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
884 get_prop(system_server, adbd_prop)
887 set_prop(system_server, system_adbd_prop)
890 allow system_server toolbox_exec:file rx_file_perms;
893 allowxperm system_server apk_data_file:file ioctl {
900 binder_call(system_server, postinstall)
902 allow system_server postinstall:fifo_file write;
903 allow system_server update_engine:fd use;
904 allow system_server update_engine:fifo_file write;
907 allow system_server preloads_data_file:file { r_file_perms unlink };
908 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
909 allow system_server preloads_media_file:file { r_file_perms unlink };
910 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
912 r_dir_file(system_server, cgroup)
913 allow system_server ion_device:chr_file r_file_perms;
915 r_dir_file(system_server, proc_asound)
916 r_dir_file(system_server, proc_net_type)
917 r_dir_file(system_server, proc_qtaguid_stat)
918 allow system_server {
934 allow system_server proc_uid_time_in_state:dir r_dir_perms;
935 allow system_server proc_uid_cpupower:file r_file_perms;
937 r_dir_file(system_server, rootfs)
940 allow system_server debugfs_tracing_instances:dir search;
941 allow system_server debugfs_wifi_tracing:dir search;
942 allow system_server debugfs_wifi_tracing:file rw_file_perms;
944 # Allow system_server to read tracepoint ids in order to attach BPF programs to them.
945 allow system_server debugfs_tracing:file r_file_perms;
947 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
950 allow system_server shell_exec:file rx_file_perms;
951 allow system_server asanwrapper_exec:file rx_file_perms;
952 allow system_server zygote_exec:file rx_file_perms;
955 # allow system_server to read the eBPF maps that stores the traffic stats information and update
958 allow system_server fs_bpf:dir search;
959 allow system_server fs_bpf:file { read write };
960 allow system_server bpfloader:bpf { map_read map_write prog_run };
963 # Allow system_server to open profile snapshots for read.
966 allow system_server user_profile_data_file:dir { getattr search };
967 allow system_server user_profile_data_file:file { getattr open read };
971 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
972 allow system_server profman_dump_data_file:dir w_dir_perms;
976 allow system_server user_profile_data_file:file create_file_perms;
979 get_prop(system_server,system_jvmti_agent_prop)
982 allow system_server functionfs:dir search;
983 allow system_server functionfs:file rw_file_perms;
985 # system_server contains time / time zone detection logic so reads the associated properties.
986 get_prop(system_server, time_prop)
988 # system_server reads this property to know it should expect the lmkd sends notification to it
990 get_prop(system_server, system_lmk_prop)
992 get_prop(system_server, wifi_config_prop)
997 ### system_server should NEVER do any of this
1000 # could cause the kernel to kill the system_server.
1001 neverallow system_server sdcard_type:dir { open read write };
1002 neverallow system_server sdcard_type:file rw_file_perms;
1008 # those types that system_server needs to open directly.
1009 neverallow system_server {
1021 neverallow system_server {
1028 # Ensure that system_server doesn't perform any domain transitions other than
1030 neverallow system_server { domain -crash_dump }:process transition;
1031 neverallow system_server *:process dyntransition;
1034 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write …
1040 -system_server
1046 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
1050 -system_server
1064 # system_server should never be executing dex2oat. This is either
1068 neverallow system_server dex2oat_exec:file no_x_file_perms;
1070 # system_server should never execute or load executable shared libraries
1073 neverallow system_server data_file_type:file no_x_file_perms;
1075 # The only block device system_server should be accessing is
1076 # the frp_block_device. This helps avoid a system_server to root
1078 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
1080 # system_server should never use JIT functionality
1087 `allow system_server self:process execmem;',
1088 `neverallow system_server self:process execmem;')
1089 neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
1092 neverallow system_server system_server_tmpfs:file execute;
1095 allow system_server system_server_startup:fd use;
1096 allow system_server system_server_startup_tmpfs:file { read write map };
1097 allow system_server system_server_startup:unix_dgram_socket write;
1100 allow system_server apex_service:service_manager find;
1101 allow system_server apexd:binder call;
1104 allow system_server apex_mnt_dir:dir r_dir_perms;
1107 allow system_server apex_info_file:file r_file_perms;
1110 allow system_server system_suspend_control_service:service_manager find;
1111 binder_call(system_server, system_suspend)
1112 binder_call(system_suspend, system_server)
1115 wakelock_use(system_server)
1117 # Allow the system server to read files under /data/apex. The system_server
1121 allow system_server apex_data_file:dir { getattr search };
1122 allow system_server apex_data_file:file r_file_perms;
1125 # vendor APEX packages might be installed and system_server needs to parse
1127 allow system_server vendor_apex_file:dir { getattr search };
1128 allow system_server vendor_apex_file:file r_file_perms;
1131 allow system_server apex_module_data_file:dir { getattr search };
1132 allow system_server apex_permission_data_file:dir create_dir_perms;
1133 allow system_server apex_permission_data_file:file create_file_perms;
1134 allow system_server apex_wifi_data_file:dir create_dir_perms;
1135 allow system_server apex_wifi_data_file:file create_file_perms;
1139 allow system_server metadata_file:dir search;
1140 allow system_server password_slot_metadata_file:dir rw_dir_perms;
1141 allow system_server password_slot_metadata_file:file create_file_perms;
1144 allow system_server staged_install_file:dir rw_dir_perms;
1145 allow system_server staged_install_file:file create_file_perms;
1148 set_prop(system_server, userspace_reboot_log_prop)
1153 -system_server
1162 allow system_server proc_pressure_mem:file rw_file_perms;
1165 # system_server should never access.
1166 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
1169 neverallow system_server { domain -system_server }:process ptrace;
1173 neverallow system_server system_server:global_capability_class_set sys_resource;
1175 # Only system_server/init should access /metadata/password_slots.
1176 neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
1180 -system_server
1182 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
1185 set_prop(system_server, binder_cache_system_server_prop)
1186 neverallow { domain -system_server -init }
1190 # system_server cannot use this access to read perf event data like process stacks.
1191 allow system_server self:perf_event { open write cpu kernel };
1192 neverallow system_server self:perf_event ~{ open write cpu kernel };
1195 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
1197 neverallow { domain -init -system_server } boot_status_prop:property_service set;
1203 -system_server