#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# NOTE(review): this is one of the most privileged domains in the policy
# (kernel capabilities, runtime policy management, keystore administration,
# relabeling of app and data files, raw write to the FRP block device).
# Every rule added here widens what a system_server compromise can reach, so
# new rules should name the concrete type they are for rather than a broad
# attribute such as `domain` or `sysfs`.
#
# mlstrustedsubject exempts the domain from MLS constraints (presumably the
# per-user level separation used elsewhere in the policy -- confirm).
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
# Together these let system_server map anonymous memory and ashmem/tmpfs
# regions executable. The JIT needs it, but it also means W^X is not
# enforced for this domain.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
# Scoped to self; no process:ptrace on any other domain appears in this file.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
# NOTE(review): sys_module, sys_boot and sys_time are kernel-level
# capabilities (module loading, reboot, clock changes). This set should be
# kept in step with the bounding set the zygote actually leaves
# system_server with, so that policy and DAC agree on what it may do.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_module
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
# dontaudit only silences the denial in the audit log; it grants nothing.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
# Lets system_server make the kernel request a module by name; combined with
# sys_module above, this domain controls module loading end to end.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
# TODO(review): check audit logs for whether this is still exercised; drop
# the rule if it is not.
allow system_server kernel:process setsched;

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
# NOTE(review): `domain` is every process type on the device, so this also
# reads /proc/pid of privileged daemons (subject to DAC). Deliberate, but
# worth remembering when reviewing information-disclosure questions.
r_dir_file(system_server, domain)

# Write to /proc/pid/oom_adj_score for apps.
# The rule is by class (appdomain:file), not by path, so it permits a write
# to any /proc/pid file of an app process that DAC lets system_server open.
allow system_server appdomain:file write;

# Read/Write to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
# A write here can reboot or crash the device; only system_server should
# hold this.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
# NOTE(review): debugfs is a single type here, so this reads all of debugfs,
# not only wakeup_sources.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Read /proc/pid files for dumping stack traces of native processes.
# These appear to be subsumed by r_dir_file(system_server, domain) above;
# kept as documentation of which processes are actually traced.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
# NOTE(review): the first rule is read/write to every sysfs file still
# carrying the generic sysfs type. Each sysfs_* type split out below narrows
# it; new sysfs writes should get their own type rather than rely on this.
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
# notdevfile_class_set covers every non-device file class (regular files,
# symlinks, sockets, fifos, ...) labeled system_data_file.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read and write /data/dalvik-cache/profiles
# (the dir rule grants rw and the file rule grants create, so this is more
# than read-only access).
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb.
# NOTE(review): adb_keys_file is the store of adb public keys adbd trusts, so
# write access here decides which hosts may use USB debugging -- presumably
# exercised when the user approves a new key; verify against the caller.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
# A new type= value in seapp_contexts must be added to this rule and to the
# matching :file rule below, or system_server will be denied on that app's
# data directory.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
# No open/create is granted here: system_server only uses descriptors the app
# already opened and handed over.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
allow system_server fingerprint_prop:property_service set;

# ctl interface
# The ctl.* properties start and stop init services, so setting them is
# effectively issuing a command to init.
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Specify any arguments to zygote.
# These zygote-class permissions let system_server ask the zygote to fork an
# app with a chosen uid/gid, rlimits and seinfo. seinfo presumably selects the
# app's SELinux domain via seapp_contexts, so this is what makes system_server
# the privileged zygote client; no other domain should need specifyseinfo.
allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
# NOTE(review): if x_file_perms carries execute_no_trans (confirm against
# global_macros), the helper runs inside the system_server domain and
# inherits every permission in this file rather than transitioning to a
# narrower domain.
allow system_server system_file:file x_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:fifo_file { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
# Allows loading an updated policy at runtime. This is a policy-root
# privilege: a domain that can replace the policy can grant itself anything,
# so it should remain unique to system_server.
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

# Register system_server's own services with servicemanager.
allow system_server system_server_service:service_manager add;

# Keystore access.
# This is the full administrative surface of keystore (reset, password,
# lock/unlock, clear_uid/reset_uid/password_uid), not just key use: policy
# lets system_server wipe or re-key the store. Any per-uid scoping of these
# operations is enforced inside keystore, not by this rule.
allow system_server keystore:keystore_key {
    test
    get
    insert
    delete
    exist
    saw
    reset
    password
    lock
    unlock
    zero
    sign
    verify
    grant
    duplicate
    clear_uid
    reset_uid
    sync_uid
    password_uid
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
# Raw block-device write; whatever is written here outlives the normal data
# wipe by design, so the writer must validate its own content.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access
r_dir_file(system_server, oemfs)

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
# Checked at policy build time: any allow rule, here or in device policy,
# that grants these permissions makes the policy fail to compile.
neverallow system_server sdcard_type:file rw_file_perms;