#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# Review notes: this is a highly privileged domain (Linux capabilities,
# zygote spawn arguments, SELinux policy management, full keystore
# control, raw access to the FRP partition). Every rule below is a
# trust-boundary decision. Rules that are knowingly broader than the
# purpose stated in their comment are marked NOTE(review) inline.
#
# mlstrustedsubject: presumably exempts this domain from the MLS
# constraints defined elsewhere in the policy -- confirm when reviewing
# any cross-level access.
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# execmem = anonymous writable+executable memory, and the two execute
# rules let JIT output in ashmem / the domain's tmpfs regions run.
# This is a deliberate W^X exception for this domain.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For ART: execute code mapped from /data/dalvik-cache.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache (read-only).
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Only self; ptrace of other domains would require CAP_SYS_PTRACE,
# which is explicitly not granted (see the dontaudit below).
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
# NOTE(review): sys_module permits loading kernel modules outright;
# module_request below only covers kernel-initiated auto-load.
# Confirm both are still required.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
# Silenced rather than granted: CAP_SYS_PTRACE would let system_server
# inspect/attach to every process on the device.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow system_server kernel:process setsched;

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
# NOTE(review): "domain" is every process type on the device, so this
# also exposes /proc/<pid> of privileged daemons, not just apps.
r_dir_file(system_server, domain)

# Write to /proc/pid/oom_score_adj for apps.
# NOTE(review): /proc/<pid> entries carry the process domain label (see
# the r_dir_file(system_server, domain) rule above), so this grants
# write to every writable /proc/<pid>/* file of every app process, not
# only oom_score_adj.
allow system_server appdomain:file write;

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
# NOTE(review): writes here invoke kernel SysRq handlers (presumably
# reboot/crash-dump style actions); rw_file_perms also includes read,
# which the comment does not claim is needed -- confirm.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
# NOTE(review): the target is the generic debugfs label, so this covers
# every readable debugfs file, not only wakeup_sources.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
# Each line: connect to the named daemon's socket; the third argument is
# the peer domain. wpa is send-only (datagram).
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Read /proc/pid files for dumping stack traces of native processes.
# (Already implied by r_dir_file(system_server, domain) above; kept so
# the intent is explicit if the broad rule is ever narrowed.)
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# NOTE(review): the first rule targets the generic sysfs label, i.e.
# read/write to every sysfs file that has not been given a dedicated
# type. The dedicated sysfs_* types below (and sysfs_lowmemorykiller
# further down) show the intended pattern for narrowing it.
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
# notdevfile_class_set = every non-device file class (regular, dir,
# symlink, sockets, pipes) under the system_data_file label.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read from /data/dalvik-cache/profiles
# (The rules actually grant dir rw and full file create/write, not
# just read.)
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb.
# These are the authorized adb public keys; write access here decides
# which hosts may attach over adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
# NOTE(review): unlabeled is a catch-all type; these two rules exist
# for the upgrade path only and should be revisited once it is no
# longer supported.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# No open permission: system_server can only use descriptors an app
# already opened and handed over.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
allow system_server fingerprint_prop:property_service set;

# ctl interface
# ctl.* properties ask init to start/stop services; ctl_default_prop is
# the fallback for any ctl.* name without a more specific type.
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
# The type_transitions label any sock_file system_server creates in a
# wifi_data_file or wpa_socket directory as system_wpa_socket.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
# Name-based transition: only a sock_file literally named "ndebugsocket"
# created under system_data_file gets the system_ndebug_socket label.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Specify any arguments to zygote.
# system_server picks the uid/gid, rlimits and seinfo for every app it
# asks zygote to fork; app domain selection (seapp_contexts, referenced
# above) is keyed on seinfo, so app sandboxing depends on the integrity
# of this domain.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
# Execute without a domain transition (no transition rule here), so
# whatever is run inherits system_server's privileges.
allow system_server system_file:file x_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:fifo_file { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
# NOTE(review): this lets system_server install a new SELinux policy, so
# a compromise of this domain presumably extends to the policy itself.
# Whatever authenticates the policy update happens in the receiver, not
# here.
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# Register services with servicemanager.
allow system_server system_server_service:service_manager add;

# Full keystore control. Beyond its own keys this includes reset,
# password/lock/unlock and the *_uid operations, which presumably act on
# other uids' key material -- system_server is the keystore's
# administrative client.
allow system_server keystore:keystore_key {
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
    reset_uid
    sync_uid
    password_uid
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# Raw block-device access: writes here are persistent across a factory
# reset by design, so this is the one place system_server state survives
# a wipe.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access
r_dir_file(system_server, oemfs)

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
# NOTE(review): this compile-time assertion covers only the file class
# with rw_file_perms; dir access (search/read) to sdcard_type and other
# object classes are not asserted. Confirm that is intended.
neverallow system_server sdcard_type:file rw_file_perms;
Nick Kralevichd00eff42014-07-04 11:45:49 -0700410neverallow system_server sdcard_type:file rw_file_perms;