#
# system_server: the System Server process, forked from zygote.
# Most of the framework services run inside it.
#
type system_server, domain;
# While the domain is 'permissive', SELinux logs denials for it but does
# not enforce them, so the rules below describe intent rather than the
# boundary in effect today. unconfined_domain() additionally grants broad
# access on top of the explicit rules.
# NOTE(review): the explicit rules below are presumably the set meant to
# remain once the domain is confined - confirm against denial logs before
# dropping either of the next two lines.
permissive system_server;
unconfined_domain(system_server);
relabelto_domain(system_server);

# Capabilities zygote hands to the system server. Several are highly
# privileged (e.g. sys_module allows loading kernel modules), so this list
# is the first place to audit when tightening the domain.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

# Sockets system_server creates for inbound connections:
#  - a sock_file created in a wifi_data_file directory is labelled
#    system_wpa_socket (receives info from wpa);
#  - a sock_file named "ndebugsocket" created in a system_data_file
#    directory is labelled system_ndebug_socket (connections from debuggerd).
# Both labels receive the same create_file_perms on sock_file.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server { system_wpa_socket system_ndebug_socket }:sock_file create_file_perms;

# Permissions on the zygote object class (going by the permission names:
# specifying ids, rlimits and seinfo for processes zygote spawns).
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Labels system_server may relabel directories into. The set form expands
# to one allow rule per target type.
allow system_server {
    backup_data_file
    cache_backup_file
    anr_data_file
    system_data_file
}:dir relabelto;

# Labels system_server may relabel files into.
allow system_server {
    apk_data_file
    apk_tmp_file
    cache_backup_file
    apk_private_tmp_file
    wallpaper_file
}:file relabelto;