# Blame: Alex Klyubin, 1fdee11, 2013-09-13 15:59:04 -0700
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# Declare the system_server type and attach the "domain" attribute to it.
type system_server, domain;
# SECURITY: a permissive domain is not enforced. Accesses that the policy
# does not allow are logged as AVC denials but still succeed, so while this
# statement is present the allow rules in this file do not restrict the
# process; they only shape what gets logged.
permissive system_server;
# NOTE(review): unconfined_domain() and relabelto_domain() are macros defined
# outside this file. By name, the first presumably adds the broad "unconfined"
# rule set and the second presumably marks this domain as one that may perform
# relabelto operations -- confirm both against the macro definitions before
# relying on the narrower allow rules in this file as the effective policy.
unconfined_domain(system_server);
relabelto_domain(system_server);

# TODO: Remove the temporary alias below once the renaming of system to system_server is complete in all repositories.
# The alias makes the old name "system" resolve to the system_server type, so
# rules and contexts still written against "system" keep applying to this
# domain. When auditing what this domain is granted, search for both names
# until the alias is removed.
typealias system_server alias system;

# Capabilities that the zygote assigns to the system server.
# The set is grouped by family below; the granted capabilities are unchanged.
# NOTE(review): sys_module (kernel module load/unload) and sys_boot are
# high-impact grants for a process that hosts most framework services; confirm
# each entry is still required, in particular before the domain is switched
# from permissive to enforcing.
allow system_server self:capability {
    kill
    net_admin net_bind_service net_broadcast net_raw
    sys_boot sys_module sys_nice sys_resource sys_time sys_tty_config
};

# Create a socket for receiving info from wpa.
# Socket files (sock_file) that system_server creates inside a directory
# labeled wifi_data_file get the label system_wpa_socket by default instead of
# inheriting the directory's label. This is a labeling rule only; it grants no
# access by itself.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
# Not related to the wpa socket above: permissions of the "zygote" object
# class with system_server as both source and target.
# NOTE(review): presumably these are checked in userspace by the zygote when
# ids, rlimits and seinfo are specified for a spawn -- confirm against the
# zygote's permission checks.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Labels that system_server may relabel objects *to*, grouped by object class.
# relabelto covers only the destination label of a relabel operation; these
# lines do not grant relabelfrom on any source label.
# NOTE(review): being able to assign a label is security-relevant because the
# label decides which domains can reach the object afterwards; keep these
# lists as short as the framework actually needs.

# Directories.
allow system_server {
    backup_data_file
    cache_backup_file
    anr_data_file
    system_data_file
}:dir relabelto;

# Regular files.
allow system_server {
    apk_data_file
    apk_tmp_file
    cache_backup_file
    apk_private_tmp_file
    wallpaper_file
}:file relabelto;