# # System Server aka system_server spawned by zygote. # Most of the framework services run in this process. # typeattribute system_server coredomain; typeattribute system_server mlstrustedsubject; typeattribute system_server scheduler_service_server; typeattribute system_server sensor_service_server; typeattribute system_server stats_service_server; # Define a type for tmpfs-backed ashmem regions. tmpfs_domain(system_server) # Create a socket for connections from crash_dump. type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; # Create a socket for connections from zygotes. type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket"; allow system_server zygote_tmpfs:file read; allow system_server appdomain_tmpfs:file { getattr map read write }; # For Incremental Service to check if incfs is available allow system_server proc_filesystems:file r_file_perms; # To create files and get permission to fill blocks on Incremental File System allow system_server incremental_control_file:file { ioctl r_file_perms }; allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL }; # To get signature of an APK installed on Incremental File System and fill in data blocks allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS }; # For art. allow system_server dalvikcache_data_file:dir r_dir_perms; allow system_server dalvikcache_data_file:file r_file_perms; # When running system server under --invoke-with, we'll try to load the boot image under the # system server domain, following links to the system partition. with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;') # /data/resource-cache allow system_server resourcecache_data_file:file r_file_perms; allow system_server resourcecache_data_file:dir r_dir_perms; # ptrace to processes in the same domain for debugging crashes. allow system_server self:process ptrace; # Child of the zygote. allow system_server zygote:fd use; allow system_server zygote:process sigchld; # May kill zygote on crashes. allow system_server { app_zygote crash_dump webview_zygote zygote }:process { sigkill signull }; # Read /system/bin/app_process. allow system_server zygote_exec:file r_file_perms; # Needed to close the zygote socket, which involves getopt / getattr allow system_server zygote:unix_stream_socket { getopt getattr }; # system server gets network and bluetooth permissions. net_domain(system_server) # in addition to ioctls allowlisted for all domains, also allow system_server # to use privileged ioctls commands. Needed to set up VPNs. allowxperm system_server self:udp_socket ioctl priv_sock_ioctls; bluetooth_domain(system_server) # Allow setup of tcp keepalive offload. This gives system_server the permission to # call ioctl on app domains' tcp sockets. Additional ioctl commands still need to # be granted individually, except for a small set of safe values allowlisted in # public/domain.te. allow system_server appdomain:tcp_socket ioctl; # These are the capabilities assigned by the zygote to the # system server. allow system_server self:global_capability_class_set { ipc_lock kill net_admin net_bind_service net_broadcast net_raw sys_boot sys_nice sys_ptrace sys_time sys_tty_config }; # Trigger module auto-load. allow system_server kernel:system module_request; # Allow alarmtimers to be set allow system_server self:global_capability2_class_set wake_alarm; # Create and share netlink_netfilter_sockets for tetheroffload. allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl; # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps. allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read }; # Use netlink uevent sockets. allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; # Use generic netlink sockets. allow system_server self:netlink_socket create_socket_perms_no_ioctl; allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl; # libvintf reads the kernel config to verify vendor interface compatibility. allow system_server config_gz:file { read open }; # Use generic "sockets" where the address family is not known # to the kernel. The ioctl permission is specifically omitted here, but may # be added to device specific policy along with the ioctl commands to be # allowlisted. allow system_server self:socket create_socket_perms_no_ioctl; # Set and get routes directly via netlink. allow system_server self:netlink_route_socket nlmsg_write; # Kill apps. allow system_server appdomain:process { getpgid sigkill signal }; # signull allowed for kill(pid, 0) existence test. allow system_server appdomain:process { signull }; # Set scheduling info for apps. allow system_server appdomain:process { getsched setsched }; allow system_server audioserver:process { getsched setsched }; allow system_server hal_audio:process { getsched setsched }; allow system_server hal_bluetooth:process { getsched setsched }; allow system_server hal_codec2_server:process { getsched setsched }; allow system_server hal_omx_server:process { getsched setsched }; allow system_server mediaswcodec:process { getsched setsched }; allow system_server cameraserver:process { getsched setsched }; allow system_server hal_camera:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched }; allow system_server bootanim:process { getsched setsched }; # Set scheduling info for psi monitor thread. # TODO: delete this line b/131761776 allow system_server kernel:process { getsched setsched }; # Allow system_server to write to /proc//* allow system_server domain:file w_file_perms; # Read /proc/pid data for all domains. This is used by ProcessCpuTracker # within system_server to keep track of memory and CPU usage for # all processes on the device. In addition, /proc/pid files access is needed # for dumping stack traces of native processes. r_dir_file(system_server, domain) # Write /proc/uid_cputime/remove_uid_range. allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; # Write /proc/uid_procstat/set. allow system_server proc_uid_procstat_set:file { w_file_perms getattr }; # Write to /proc/sysrq-trigger. allow system_server proc_sysrq:file rw_file_perms; # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories. allow system_server stats_data_file:dir { open read remove_name search write }; allow system_server stats_data_file:file unlink; # Read /sys/kernel/debug/wakeup_sources. allow system_server debugfs_wakeup_sources:file r_file_perms; # Read /sys/kernel/ion/*. allow system_server sysfs_ion:file r_file_perms; # The DhcpClient and WifiWatchdog use packet_sockets allow system_server self:packet_socket create_socket_perms_no_ioctl; # 3rd party VPN clients require a tun_socket to be created allow system_server self:tun_socket create_socket_perms_no_ioctl; # Talk to init and various daemons via sockets. unix_socket_connect(system_server, lmkd, lmkd) unix_socket_connect(system_server, mtpd, mtp) unix_socket_connect(system_server, zygote, zygote) unix_socket_connect(system_server, racoon, racoon) unix_socket_connect(system_server, uncrypt, uncrypt) # Allow system_server to write to statsd. unix_socket_send(system_server, statsdw, statsd) # Communicate over a socket created by surfaceflinger. allow system_server surfaceflinger:unix_stream_socket { read write setopt }; allow system_server gpuservice:unix_stream_socket { read write setopt }; # Communicate over a socket created by webview_zygote. allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; # Communicate over a socket created by app_zygote. allow system_server app_zygote:unix_stream_socket { read write connectto setopt }; # Perform Binder IPC. binder_use(system_server) binder_call(system_server, appdomain) binder_call(system_server, binderservicedomain) binder_call(system_server, dumpstate) binder_call(system_server, fingerprintd) binder_call(system_server, gatekeeperd) binder_call(system_server, gpuservice) binder_call(system_server, idmap) binder_call(system_server, installd) binder_call(system_server, incidentd) binder_call(system_server, iorapd) binder_call(system_server, netd) binder_call(system_server, notify_traceur) binder_call(system_server, statsd) binder_call(system_server, storaged) binder_call(system_server, update_engine) binder_call(system_server, vold) binder_call(system_server, wificond) binder_call(system_server, wpantund) binder_service(system_server) # Use HALs hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_audio) hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_broadcastradio) hal_client_domain(system_server, hal_codec2) hal_client_domain(system_server, hal_configstore) hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_face) hal_client_domain(system_server, hal_fingerprint) hal_client_domain(system_server, hal_gnss) hal_client_domain(system_server, hal_graphics_allocator) hal_client_domain(system_server, hal_health) hal_client_domain(system_server, hal_input_classifier) hal_client_domain(system_server, hal_ir) hal_client_domain(system_server, hal_light) hal_client_domain(system_server, hal_memtrack) hal_client_domain(system_server, hal_neuralnetworks) hal_client_domain(system_server, hal_oemlock) hal_client_domain(system_server, hal_omx) hal_client_domain(system_server, hal_power) hal_client_domain(system_server, hal_power_stats) hal_client_domain(system_server, hal_rebootescrow) hal_client_domain(system_server, hal_sensors) hal_client_domain(system_server, hal_tetheroffload) hal_client_domain(system_server, hal_thermal) hal_client_domain(system_server, hal_tv_cec) hal_client_domain(system_server, hal_tv_input) hal_client_domain(system_server, hal_usb) hal_client_domain(system_server, hal_usb_gadget) hal_client_domain(system_server, hal_vibrator) hal_client_domain(system_server, hal_vr) hal_client_domain(system_server, hal_weaver) hal_client_domain(system_server, hal_wifi) hal_client_domain(system_server, hal_wifi_hostapd) hal_client_domain(system_server, hal_wifi_supplicant) # Talk with graphics composer fences allow system_server hal_graphics_composer:fd use; # Use RenderScript always-passthrough HAL allow system_server hal_renderscript_hwservice:hwservice_manager find; allow system_server same_process_hal_file:file { execute read open getattr map }; # Talk to tombstoned to get ANR traces. unix_socket_connect(system_server, tombstoned_intercept, tombstoned) # List HAL interfaces to get ANR traces. allow system_server hwservicemanager:hwservice_manager list; # Send signals to trigger ANR traces. allow system_server { # This is derived from the list that system server defines as interesting native processes # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in # frameworks/base/services/core/java/com/android/server/Watchdog.java. audioserver cameraserver drmserver gpuservice inputflinger mediadrmserver mediaextractor mediametrics mediaserver mediaswcodec netd sdcardd statsd surfaceflinger vold # This list comes from HAL_INTERFACES_OF_INTEREST in # frameworks/base/services/core/java/com/android/server/Watchdog.java. hal_audio_server hal_bluetooth_server hal_camera_server hal_codec2_server hal_face_server hal_fingerprint_server hal_gnss_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server hal_neuralnetworks_server hal_omx_server hal_power_stats_server hal_sensors_server hal_vr_server system_suspend_server }:process { signal }; # Use sockets received over binder from various services. allow system_server audioserver:tcp_socket rw_socket_perms; allow system_server audioserver:udp_socket rw_socket_perms; allow system_server mediaserver:tcp_socket rw_socket_perms; allow system_server mediaserver:udp_socket rw_socket_perms; # Use sockets received over binder from various services. allow system_server mediadrmserver:tcp_socket rw_socket_perms; allow system_server mediadrmserver:udp_socket rw_socket_perms; userdebug_or_eng(`perfetto_producer({ system_server })') # Get file context allow system_server file_contexts_file:file r_file_perms; # access for mac_permissions allow system_server mac_perms_file: file r_file_perms; # Check SELinux permissions. selinux_check_access(system_server) allow system_server sysfs_type:dir search; r_dir_file(system_server, sysfs_android_usb) allow system_server sysfs_android_usb:file w_file_perms; allow system_server sysfs_extcon:dir r_dir_perms; r_dir_file(system_server, sysfs_ipv4) allow system_server sysfs_ipv4:file w_file_perms; r_dir_file(system_server, sysfs_rtc) r_dir_file(system_server, sysfs_switch) r_dir_file(system_server, sysfs_wakeup_reasons) allow system_server sysfs_nfc_power_writable:file rw_file_perms; allow system_server sysfs_power:dir search; allow system_server sysfs_power:file rw_file_perms; allow system_server sysfs_thermal:dir search; allow system_server sysfs_thermal:file r_file_perms; # TODO: Remove when HALs are forced into separate processes allow system_server sysfs_vibrator:file { write append }; # TODO: added to match above sysfs rule. Remove me? allow system_server sysfs_usb:file w_file_perms; # Access devices. allow system_server device:dir r_dir_perms; allow system_server mdns_socket:sock_file rw_file_perms; allow system_server gpu_device:chr_file rw_file_perms; allow system_server input_device:dir r_dir_perms; allow system_server input_device:chr_file rw_file_perms; allow system_server tty_device:chr_file rw_file_perms; allow system_server usbaccessory_device:chr_file rw_file_perms; allow system_server video_device:dir r_dir_perms; allow system_server video_device:chr_file rw_file_perms; allow system_server adbd_socket:sock_file rw_file_perms; allow system_server rtc_device:chr_file rw_file_perms; allow system_server audio_device:dir r_dir_perms; # write access to ALSA interfaces (/dev/snd/*) needed for MIDI allow system_server audio_device:chr_file rw_file_perms; # tun device used for 3rd party vpn apps allow system_server tun_device:chr_file rw_file_perms; allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF }; # Manage data/ota_package allow system_server ota_package_file:dir rw_dir_perms; allow system_server ota_package_file:file create_file_perms; # Manage system data files. allow system_server system_data_file:dir create_dir_perms; allow system_server system_data_file:notdevfile_class_set create_file_perms; allow system_server packages_list_file:file create_file_perms; allow system_server keychain_data_file:dir create_dir_perms; allow system_server keychain_data_file:file create_file_perms; allow system_server keychain_data_file:lnk_file create_file_perms; # Manage /data/app. allow system_server apk_data_file:dir create_dir_perms; allow system_server apk_data_file:{ file lnk_file } { create_file_perms link }; allow system_server apk_tmp_file:dir create_dir_perms; allow system_server apk_tmp_file:file create_file_perms; # Access input configuration files in the /vendor directory r_dir_file(system_server, vendor_keylayout_file) r_dir_file(system_server, vendor_keychars_file) r_dir_file(system_server, vendor_idc_file) # Access /vendor/{app,framework,overlay} r_dir_file(system_server, vendor_app_file) r_dir_file(system_server, vendor_framework_file) r_dir_file(system_server, vendor_overlay_file) # Manage /data/app-private. allow system_server apk_private_data_file:dir create_dir_perms; allow system_server apk_private_data_file:file create_file_perms; allow system_server apk_private_tmp_file:dir create_dir_perms; allow system_server apk_private_tmp_file:file create_file_perms; # Manage files within asec containers. allow system_server asec_apk_file:dir create_dir_perms; allow system_server asec_apk_file:file create_file_perms; allow system_server asec_public_file:file create_file_perms; # Manage /data/anr. # # TODO: Some of these permissions can be withdrawn once we've switched to the # new stack dumping mechanism, see b/32064548 and the rules below. In particular, # the system_server should never need to create a new anr_data_file:file or write # to one, but it will still need to read and append to existing files. allow system_server anr_data_file:dir create_dir_perms; allow system_server anr_data_file:file create_file_perms; # New stack dumping scheme : request an output FD from tombstoned via a unix # domain socket. # # Allow system_server to connect and write to the tombstoned java trace socket in # order to dump its traces. Also allow the system server to write its traces to # dumpstate during bugreport capture and incidentd during incident collection. unix_socket_connect(system_server, tombstoned_java_trace, tombstoned) allow system_server tombstoned:fd use; allow system_server dumpstate:fifo_file append; allow system_server incidentd:fifo_file append; # Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`) userdebug_or_eng(` allow system_server su:fifo_file append; ') # Allow system_server to read pipes from incidentd (used to deliver incident reports # to dropbox) allow system_server incidentd:fifo_file read; # Read /data/misc/incidents - only read. The fd will be sent over binder, # with no DAC access to it, for dropbox to read. allow system_server incident_data_file:file read; # Manage /data/misc/prereboot. allow system_server prereboot_data_file:dir rw_dir_perms; allow system_server prereboot_data_file:file create_file_perms; # Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over # binder. allow system_server perfetto_traces_data_file:file read; allow system_server perfetto:fd use; # Manage /data/backup. allow system_server backup_data_file:dir create_dir_perms; allow system_server backup_data_file:file create_file_perms; # Write to /data/system/dropbox allow system_server dropbox_data_file:dir create_dir_perms; allow system_server dropbox_data_file:file create_file_perms; # Write to /data/system/heapdump allow system_server heapdump_data_file:dir rw_dir_perms; allow system_server heapdump_data_file:file create_file_perms; # Manage /data/misc/adb. allow system_server adb_keys_file:dir create_dir_perms; allow system_server adb_keys_file:file create_file_perms; # Manage /data/misc/emergencynumberdb allow system_server emergency_data_file:dir create_dir_perms; allow system_server emergency_data_file:file create_file_perms; # Manage /data/misc/network_watchlist allow system_server network_watchlist_data_file:dir create_dir_perms; allow system_server network_watchlist_data_file:file create_file_perms; # Manage /data/misc/sms. # TODO: Split into a separate type? allow system_server radio_data_file:dir create_dir_perms; allow system_server radio_data_file:file create_file_perms; # Manage /data/misc/systemkeys. allow system_server systemkeys_data_file:dir create_dir_perms; allow system_server systemkeys_data_file:file create_file_perms; # Manage /data/misc/textclassifier. allow system_server textclassifier_data_file:dir create_dir_perms; allow system_server textclassifier_data_file:file create_file_perms; # Access /data/tombstones. allow system_server tombstone_data_file:dir r_dir_perms; allow system_server tombstone_data_file:file r_file_perms; # Manage /data/misc/vpn. allow system_server vpn_data_file:dir create_dir_perms; allow system_server vpn_data_file:file create_file_perms; # Manage /data/misc/wifi. allow system_server wifi_data_file:dir create_dir_perms; allow system_server wifi_data_file:file create_file_perms; # Manage /data/misc/zoneinfo. allow system_server zoneinfo_data_file:dir create_dir_perms; allow system_server zoneinfo_data_file:file create_file_perms; # Manage /data/app-staging. allow system_server staging_data_file:dir create_dir_perms; allow system_server staging_data_file:file create_file_perms; # Walk /data/data subdirectories. # Types extracted from seapp_contexts type= fields. allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file privapp_data_file }:dir { getattr read search }; # Also permit for unlabeled /data/data subdirectories and # for unlabeled asec containers on upgrades from 4.2. allow system_server unlabeled:dir r_dir_perms; # Read pkg.apk file before it has been relabeled by vold. allow system_server unlabeled:file r_file_perms; # Populate com.android.providers.settings/databases/settings.db. allow system_server system_app_data_file:dir create_dir_perms; allow system_server system_app_data_file:file create_file_perms; # Receive and use open app data files passed over binder IPC. # Types extracted from seapp_contexts type= fields. allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file privapp_data_file }:file { getattr read write append map }; # Access to /data/media for measuring disk usage. allow system_server media_rw_data_file:dir { search getattr open read }; # Receive and use open /data/media files passed over binder IPC. # Also used for measuring disk usage. allow system_server media_rw_data_file:file { getattr read write append }; # System server needs to setfscreate to packages_list_file when writing # /data/system/packages.list allow system_server system_server:process setfscreate; # Relabel apk files. allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; # Relabel wallpaper. allow system_server system_data_file:file relabelfrom; allow system_server wallpaper_file:file relabelto; allow system_server wallpaper_file:file { rw_file_perms rename unlink }; # Backup of wallpaper imagery uses temporary hard links to avoid data churn allow system_server { system_data_file wallpaper_file }:file link; # ShortcutManager icons allow system_server system_data_file:dir relabelfrom; allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto }; allow system_server shortcut_manager_icons:file create_file_perms; # Manage ringtones. allow system_server ringtone_file:dir { create_dir_perms relabelto }; allow system_server ringtone_file:file create_file_perms; # Relabel icon file. allow system_server icon_file:file relabelto; allow system_server icon_file:file { rw_file_perms unlink }; # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? allow system_server system_data_file:dir relabelfrom; # server_configurable_flags_data_file is used for storing server configurable flags which # have been reset during current booting. system_server needs to read the data to perform related # disaster recovery actions. allow system_server server_configurable_flags_data_file:dir r_dir_perms; allow system_server server_configurable_flags_data_file:file r_file_perms; # Property Service write set_prop(system_server, system_prop) set_prop(system_server, exported_system_prop) set_prop(system_server, exported2_system_prop) set_prop(system_server, exported3_system_prop) set_prop(system_server, safemode_prop) set_prop(system_server, theme_prop) set_prop(system_server, dhcp_prop) set_prop(system_server, net_radio_prop) set_prop(system_server, net_dns_prop) set_prop(system_server, usb_control_prop) set_prop(system_server, usb_prop) set_prop(system_server, debug_prop) set_prop(system_server, powerctl_prop) set_prop(system_server, fingerprint_prop) set_prop(system_server, device_logging_prop) set_prop(system_server, dumpstate_options_prop) set_prop(system_server, overlay_prop) set_prop(system_server, exported_overlay_prop) set_prop(system_server, pm_prop) set_prop(system_server, exported_pm_prop) set_prop(system_server, socket_hook_prop) set_prop(system_server, audio_prop) set_prop(system_server, boot_status_prop) set_prop(system_server, surfaceflinger_color_prop) set_prop(system_server, provisioned_prop) set_prop(system_server, retaildemo_prop) userdebug_or_eng(`set_prop(system_server, wifi_log_prop)') # ctl interface set_prop(system_server, ctl_default_prop) set_prop(system_server, ctl_bugreport_prop) set_prop(system_server, ctl_gsid_prop) # cppreopt property set_prop(system_server, cppreopt_prop) # server configurable flags properties set_prop(system_server, device_config_input_native_boot_prop) set_prop(system_server, device_config_netd_native_prop) set_prop(system_server, device_config_activity_manager_native_boot_prop) set_prop(system_server, device_config_runtime_native_boot_prop) set_prop(system_server, device_config_runtime_native_prop) set_prop(system_server, device_config_media_native_prop) set_prop(system_server, device_config_storage_native_boot_prop) set_prop(system_server, device_config_sys_traced_prop) set_prop(system_server, device_config_window_manager_native_boot_prop) set_prop(system_server, device_config_configuration_prop) # BootReceiver to read ro.boot.bootreason get_prop(system_server, bootloader_boot_reason_prop) # PowerManager to read sys.boot.reason get_prop(system_server, system_boot_reason_prop) # Collect metrics on boot time created by init get_prop(system_server, boottime_prop) # Read device's serial number from system properties get_prop(system_server, serialno_prop) # Read/write the property which keeps track of whether this is the first start of system_server set_prop(system_server, firstboot_prop) # Audio service in system server can read audio config properties, # such as camera shutter enforcement get_prop(system_server, audio_config_prop) # system server reads this property to keep track of whether server configurable flags have been # reset during current boot. get_prop(system_server, device_config_reset_performed_prop) # Read/write the property that enables Test Harness Mode set_prop(system_server, test_harness_prop) # Read gsid.image_running. get_prop(system_server, gsid_prop) # Read the property that mocks an OTA get_prop(system_server, mock_ota_prop) # Read the property as feature flag for protecting apks with fs-verity. get_prop(system_server, apk_verity_prop) # Read wifi.interface get_prop(system_server, wifi_prop) # Read the vendor property that indicates if Incremental features is enabled get_prop(system_server, incremental_prop) # Read ro.zram. properties get_prop(system_server, zram_config_prop) # Read/write persist.sys.zram_enabled set_prop(system_server, zram_control_prop) # Read/write persist.sys.dalvik.vm.lib.2 set_prop(system_server, dalvik_runtime_prop) # Read ro.control_privapp_permissions and ro.cp_system_other_odex get_prop(system_server, packagemanager_config_prop) # Create a socket for connections from debuggerd. allow system_server system_ndebug_socket:sock_file create_file_perms; # Create a socket for connections from zygotes. allow system_server system_unsolzygote_socket:sock_file create_file_perms; # Manage cache files. allow system_server cache_file:lnk_file r_file_perms; allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; allow system_server system_file:dir r_dir_perms; allow system_server system_file:lnk_file r_file_perms; # ART locks profile files. allow system_server system_file:file lock; # LocationManager(e.g, GPS) needs to read and write # to uart driver and ctrl proc entry allow system_server gps_control:file rw_file_perms; # Allow system_server to use app-created sockets and pipes. allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; # BackupManagerService needs to manipulate backup data files allow system_server cache_backup_file:dir rw_dir_perms; allow system_server cache_backup_file:file create_file_perms; # LocalTransport works inside /cache/backup allow system_server cache_private_backup_file:dir create_dir_perms; allow system_server cache_private_backup_file:file create_file_perms; # Allow system to talk to usb device allow system_server usb_device:chr_file rw_file_perms; allow system_server usb_device:dir r_dir_perms; # Read from HW RNG (needed by EntropyMixer). allow system_server hw_random_device:chr_file r_file_perms; # Read and delete files under /dev/fscklogs. r_dir_file(system_server, fscklogs) allow system_server fscklogs:dir { write remove_name }; allow system_server fscklogs:file unlink; # logd access, system_server inherit logd write socket # (urge is to deprecate this long term) allow system_server zygote:unix_dgram_socket write; # Read from log daemon. read_logd(system_server) read_runtime_log_tags(system_server) # Be consistent with DAC permissions. Allow system_server to write to # /sys/module/lowmemorykiller/parameters/adj # /sys/module/lowmemorykiller/parameters/minfree allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; # Read /sys/fs/pstore/console-ramoops # Don't worry about overly broad permissions for now, as there's # only one file in /sys/fs/pstore allow system_server pstorefs:dir r_dir_perms; allow system_server pstorefs:file r_file_perms; # /sys access allow system_server sysfs_zram:dir search; allow system_server sysfs_zram:file rw_file_perms; add_service(system_server, system_server_service); allow system_server audioserver_service:service_manager find; allow system_server batteryproperties_service:service_manager find; allow system_server cameraserver_service:service_manager find; allow system_server dataloader_manager_service:service_manager find; allow system_server dnsresolver_service:service_manager find; allow system_server drmserver_service:service_manager find; allow system_server dumpstate_service:service_manager find; allow system_server fingerprintd_service:service_manager find; allow system_server gatekeeper_service:service_manager find; allow system_server gpu_service:service_manager find; allow system_server gsi_service:service_manager find; allow system_server hal_fingerprint_service:service_manager find; allow system_server idmap_service:service_manager find; allow system_server incident_service:service_manager find; allow system_server incremental_service:service_manager find; allow system_server installd_service:service_manager find; allow system_server iorapd_service:service_manager find; allow system_server keystore_service:service_manager find; allow system_server mediaserver_service:service_manager find; allow system_server mediametrics_service:service_manager find; allow system_server mediaextractor_service:service_manager find; allow system_server mediadrmserver_service:service_manager find; allow system_server netd_service:service_manager find; allow system_server nfc_service:service_manager find; allow system_server radio_service:service_manager find; allow system_server stats_service:service_manager find; allow system_server storaged_service:service_manager find; allow system_server surfaceflinger_service:service_manager find; allow system_server update_engine_service:service_manager find; allow system_server vold_service:service_manager find; allow system_server wifinl80211_service:service_manager find; userdebug_or_eng(` allow system_server profcollectd_service:service_manager find; ') add_service(system_server, batteryproperties_service) allow system_server keystore:keystore_key { get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed }; # Allow system server to search and write to the persistent factory reset # protection partition. This block device does not get wiped in a factory reset. allow system_server block_device:dir search; allow system_server frp_block_device:blk_file rw_file_perms; allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD }; # Clean up old cgroups allow system_server cgroup:dir { remove_name rmdir }; # /oem access r_dir_file(system_server, oemfs) # Allow resolving per-user storage symlinks allow system_server { mnt_user_file storage_file }:dir { getattr search }; allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; # Allow statfs() on storage devices, which happens fast enough that # we shouldn't be killed during unsafe removal allow system_server sdcard_type:dir { getattr search }; # Traverse into expanded storage allow system_server mnt_expand_file:dir r_dir_perms; # Allow system process to relabel the fingerprint directory after mkdir # and delete the directory and files when no longer needed allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; allow system_server fingerprintd_data_file:file { getattr unlink }; userdebug_or_eng(` # Allow system server to create and write method traces in /data/misc/trace. allow system_server method_trace_data_file:dir w_dir_perms; allow system_server method_trace_data_file:file { create w_file_perms }; # Allow system server to read dmesg allow system_server kernel:system syslog_read; # Allow writing and removing window traces in /data/misc/wmtrace. allow system_server wm_trace_data_file:dir rw_dir_perms; allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms }; ') # For AppFuse. allow system_server vold:fd use; allow system_server fuse_device:chr_file { read write ioctl getattr }; allow system_server app_fuse_file:file { read write getattr }; # For configuring sdcardfs allow system_server configfs:dir { create_dir_perms }; allow system_server configfs:file { getattr open create unlink write }; # Connect to adbd and use a socket transferred from it. # Used for e.g. jdwp. allow system_server adbd:unix_stream_socket connectto; allow system_server adbd:fd use; allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; # Read service.adb.tls.port, persist.adb.wifi. properties get_prop(system_server, adbd_prop) # Set persist.adb.tls_server.enable property set_prop(system_server, system_adbd_prop) # Allow invoking tools like "timeout" allow system_server toolbox_exec:file rx_file_perms; # Allow system process to setup and measure fs-verity allowxperm system_server apk_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY }; # Postinstall # # For OTA dexopt, allow calls coming from postinstall. binder_call(system_server, postinstall) allow system_server postinstall:fifo_file write; allow system_server update_engine:fd use; allow system_server update_engine:fifo_file write; # Access to /data/preloads allow system_server preloads_data_file:file { r_file_perms unlink }; allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir }; allow system_server preloads_media_file:file { r_file_perms unlink }; allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir }; r_dir_file(system_server, cgroup) allow system_server ion_device:chr_file r_file_perms; r_dir_file(system_server, proc_asound) r_dir_file(system_server, proc_net_type) r_dir_file(system_server, proc_qtaguid_stat) allow system_server { proc_cmdline proc_loadavg proc_meminfo proc_pagetypeinfo proc_pipe_conf proc_stat proc_uid_cputime_showstat proc_uid_io_stats proc_uid_time_in_state proc_uid_concurrent_active_time proc_uid_concurrent_policy_time proc_version proc_vmallocinfo }:file r_file_perms; allow system_server proc_uid_time_in_state:dir r_dir_perms; allow system_server proc_uid_cpupower:file r_file_perms; r_dir_file(system_server, rootfs) # Allow WifiService to start, stop, and read wifi-specific trace events. allow system_server debugfs_tracing_instances:dir search; allow system_server debugfs_wifi_tracing:dir search; allow system_server debugfs_wifi_tracing:file rw_file_perms; # Allow system_server to read tracepoint ids in order to attach BPF programs to them. allow system_server debugfs_tracing:file r_file_perms; # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run # asanwrapper. with_asan(` allow system_server shell_exec:file rx_file_perms; allow system_server asanwrapper_exec:file rx_file_perms; allow system_server zygote_exec:file rx_file_perms; ') # allow system_server to read the eBPF maps that stores the traffic stats information and update # the map after snapshot is recorded, and to read, update and run the maps and programs used for # time in state accounting allow system_server fs_bpf:dir search; allow system_server fs_bpf:file { read write }; allow system_server bpfloader:bpf { map_read map_write prog_run }; # ART Profiles. # Allow system_server to open profile snapshots for read. # System server never reads the actual content. It passes the descriptor to # to privileged apps which acquire the permissions to inspect the profiles. allow system_server user_profile_data_file:dir { getattr search }; allow system_server user_profile_data_file:file { getattr open read }; # System server may dump profile data for debuggable apps in the /data/misc/profman. # As such it needs to be able create files but it should never read from them. allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms}; allow system_server profman_dump_data_file:dir w_dir_perms; # On userdebug build we may profile system server. Allow it to write and create its own profile. userdebug_or_eng(` allow system_server user_profile_data_file:file create_file_perms; ') # Allow system server to load JVMTI agents under control of a property. get_prop(system_server,system_jvmti_agent_prop) # UsbDeviceManager uses /dev/usb-ffs allow system_server functionfs:dir search; allow system_server functionfs:file rw_file_perms; # system_server contains time / time zone detection logic so reads the associated properties. get_prop(system_server, time_prop) # system_server reads this property to know it should expect the lmkd sends notification to it # on low memory kills. get_prop(system_server, system_lmk_prop) get_prop(system_server, wifi_config_prop) ### ### Neverallow rules ### ### system_server should NEVER do any of this # Do not allow opening files from external storage as unsafe ejection # could cause the kernel to kill the system_server. neverallow system_server sdcard_type:dir { open read write }; neverallow system_server sdcard_type:file rw_file_perms; # system server should never be operating on zygote spawned app data # files directly. Rather, they should always be passed via a # file descriptor. # Types extracted from seapp_contexts type= fields, excluding # those types that system_server needs to open directly. neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file privapp_data_file }:file { open create unlink link }; # Forking and execing is inherently dangerous and racy. See, for # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them # Prevent the addition of new file execs to stop the problem from # getting worse. b/28035297 neverallow system_server { file_type -toolbox_exec -logcat_exec with_asan(`-shell_exec -asanwrapper_exec -zygote_exec') }:file execute_no_trans; # Ensure that system_server doesn't perform any domain transitions other than # transitioning to the crash_dump domain when a crash occurs. neverallow system_server { domain -crash_dump }:process transition; neverallow system_server *:process dyntransition; # Only allow crash_dump to connect to system_ndebug_socket. neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write }; # Only allow zygotes to connect to system_unsolzygote_socket. neverallow { domain -init -system_server -zygote -app_zygote -webview_zygote } system_unsolzygote_socket:sock_file { open write }; # Only allow init, system_server, flags_health_check to set properties for server configurable flags neverallow { domain -init -system_server -flags_health_check } { device_config_activity_manager_native_boot_prop device_config_input_native_boot_prop device_config_netd_native_prop device_config_runtime_native_boot_prop device_config_runtime_native_prop device_config_media_native_prop device_config_storage_native_boot_prop device_config_sys_traced_prop device_config_window_manager_native_boot_prop }:property_service set; # system_server should never be executing dex2oat. This is either # a bug (for example, bug 16317188), or represents an attempt by # system server to dynamically load a dex file, something we do not # want to allow. neverallow system_server dex2oat_exec:file no_x_file_perms; # system_server should never execute or load executable shared libraries # in /data. Executable files in /data are a persistence vector. # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example. neverallow system_server data_file_type:file no_x_file_perms; # The only block device system_server should be accessing is # the frp_block_device. This helps avoid a system_server to root # escalation by writing to raw block devices. neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; # system_server should never use JIT functionality # See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html # in the section titled "A Short ROP Chain" for why. # However, in emulator builds without OpenGL passthrough, we use software # rendering via SwiftShader, which requires JIT support. These builds are # never shipped to users. ifelse(target_requires_insecure_execmem_for_swiftshader, `true', `allow system_server self:process execmem;', `neverallow system_server self:process execmem;') neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute; # TODO: deal with tmpfs_domain pub/priv split properly neverallow system_server system_server_tmpfs:file execute; # Resources handed off by system_server_startup allow system_server system_server_startup:fd use; allow system_server system_server_startup_tmpfs:file { read write map }; allow system_server system_server_startup:unix_dgram_socket write; # Allow system server to communicate to apexd allow system_server apex_service:service_manager find; allow system_server apexd:binder call; # Allow system server to scan /apex for flattened APEXes allow system_server apex_mnt_dir:dir r_dir_perms; # Allow system server to read /apex/apex-info-list.xml allow system_server apex_info_file:file r_file_perms; # Allow system server to communicate to system-suspend's control interface allow system_server system_suspend_control_service:service_manager find; binder_call(system_server, system_suspend) binder_call(system_suspend, system_server) # Allow system server to communicate to system-suspend's wakelock interface wakelock_use(system_server) # Allow the system server to read files under /data/apex. The system_server # needs these privileges to compare file signatures while processing installs. # # Only apexd is allowed to create new entries or write to any file under /data/apex. allow system_server apex_data_file:dir { getattr search }; allow system_server apex_data_file:file r_file_perms; # Allow the system server to read files under /vendor/apex. This is where # vendor APEX packages might be installed and system_server needs to parse # these packages to inspect the signatures and other metadata. allow system_server vendor_apex_file:dir { getattr search }; allow system_server vendor_apex_file:file r_file_perms; # Allow the system server to manage relevant apex module data files. allow system_server apex_module_data_file:dir { getattr search }; allow system_server apex_permission_data_file:dir create_dir_perms; allow system_server apex_permission_data_file:file create_file_perms; allow system_server apex_wifi_data_file:dir create_dir_perms; allow system_server apex_wifi_data_file:file create_file_perms; # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can # communicate which slots are available for use. allow system_server metadata_file:dir search; allow system_server password_slot_metadata_file:dir rw_dir_perms; allow system_server password_slot_metadata_file:file create_file_perms; # Allow system server rw access to files in /metadata/staged-install folder allow system_server staged_install_file:dir rw_dir_perms; allow system_server staged_install_file:file create_file_perms; # Allow init to set sysprop used to compute stats about userspace reboot. set_prop(system_server, userspace_reboot_log_prop) # JVMTI agent settings are only readable from the system server. neverallow { domain -system_server -dumpstate -init -vendor_init } { system_jvmti_agent_prop }:file no_rw_file_perms; # Read/Write /proc/pressure/memory allow system_server proc_pressure_mem:file rw_file_perms; # dexoptanalyzer is currently used only for secondary dex files which # system_server should never access. neverallow system_server dexoptanalyzer_exec:file no_x_file_perms; # No ptracing others neverallow system_server { domain -system_server }:process ptrace; # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID # file read access. However, that is now unnecessary (b/34951864) neverallow system_server system_server:global_capability_class_set sys_resource; # Only system_server/init should access /metadata/password_slots. neverallow { domain -init -system_server } password_slot_metadata_file:dir *; neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *; # Allow systemserver to read/write the invalidation property set_prop(system_server, binder_cache_system_server_prop) neverallow { domain -system_server -init } binder_cache_system_server_prop:property_service set; # Allow system server to attach BPF programs to tracepoints. Deny read permission so that # system_server cannot use this access to read perf event data like process stacks. allow system_server self:perf_event { open write cpu kernel }; neverallow system_server self:perf_event ~{ open write cpu kernel }; # Do not allow any domain other than init or system server to set the property neverallow { domain -init -system_server } socket_hook_prop:property_service set; neverallow { domain -init -system_server } boot_status_prop:property_service set; neverallow { -init -vendor_init -dumpstate -system_server } wifi_config_prop:file no_rw_file_perms;