common/system_server.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164

allow system_server self:capability sys_module;

# allow system_server to communicate with cnd process over cnd_socket
unix_socket_connect(system_server, cnd, cnd)

# allow  system/framework applications to update the cnd configuration files
allow system_server cnd_data_file:dir rw_dir_perms;
allow system_server cnd_data_file:file create_file_perms;

# Access to sensors socket
unix_socket_connect(system_server, sensors, sensors)
unix_socket_send(system_server, sensors, sensors)
allow system_server sensors:unix_stream_socket sendto;
allow system_server sensors_socket:sock_file r_file_perms;
qmux_socket(system_server);

allow system_server self:socket create_socket_perms;
allow system_server sensors_persist_file:dir r_dir_perms;
allow system_server sensors_persist_file:file r_file_perms;

# access to perflock
allow system_server mpctl_socket:dir r_dir_perms;
unix_socket_send(system_server, mpctl, mpdecision)
unix_socket_connect(system_server, mpctl, mpdecision)

#access to gamed
unix_socket_connect(system_server, gamed, gamed)

allow system_server {
    # For wifistatemachine
    wbc_service
    # Allow system_server to add digital pen system service
    usf_service
    dpmservice
}:service_manager add;

allow system_server qtitetherservice_service:service_manager find;

#For ANT tty communication and to set wc_transport prop
allow system_server {
    bluetooth_prop
    usf_prop
    alarm_handled_prop
    alarm_instance_prop
}:property_service set;

# required for ANT App to connectto wcnss_filter sockets
allow system_server bluetooth:unix_stream_socket connectto;
# access to iop
allow system_server iop_socket:dir r_dir_perms;
allow system_server iop_data_file:dir r_dir_perms;
unix_socket_send(system_server, iop, dumpstate)
unix_socket_connect(system_server, iop, dumpstate)

# allow  system/framework applications to update the dpmd configuration files
unix_socket_connect(system_server, dpmd, dpmd);
allow system_server { dpmd_socket socket_device }:sock_file w_file_perms;
allow system_server dpmd_data_file:dir create_dir_perms;
allow system_server dpmd_data_file:file create_file_perms;

unix_socket_send(system_server, mpctl, perfd)
unix_socket_connect(system_server, mpctl, perfd)

# For location
type_transition system_server location_data_file:sock_file location_socket "location-mq-s";
type_transition system_server location_data_file:sock_file location_socket "alarm_svc";
allow system_server location:unix_stream_socket connectto;
allow system_server location_data_file:{ file fifo_file } create_file_perms;
allow system_server location_data_file:dir create_dir_perms;
allow system_server { location_app_data_file mdtp_svc_app_data_file } :file rw_file_perms;
allow system_server { location_app_data_file mdtp_svc_app_data_file } :dir r_dir_perms;
allow system_server location_socket:sock_file create_file_perms;
allow system_server location_prop:property_service set;

#For wifistatemachine
allow system_server kernel:key search;

#For ssr
allow system_server ssr_device:chr_file r_file_perms;

allow system_server { fuse persist_file }:dir search;

allow system_server {
    serial_device
    smd_device
    # graphics_device, audio_device, tee_device is for WFD
    graphics_device
    audio_device
    tee_device
}:chr_file rw_file_perms;

#For firmware
r_dir_file(system_server, bt_firmware_file)

#For BT firmware
r_dir_file(system_server, firmware_file)

#connect to wcnss_filter
allow system_server wcnss_filter:unix_stream_socket connectto;

# Allow system server access to usf resources
allow system_server usf:process signal;
allow system_server usf:unix_stream_socket connectto;
allow system_server usf_data_file:sock_file write;
allow system_server usf_data_file:dir rw_dir_perms;
allow system_server usf_data_file:file r_file_perms;
allow system_server usf_data_file:lnk_file create_file_perms;
allow system_server usf_data_file:fifo_file w_file_perms;

# For WFD
allow system_server graphics_device:dir r_dir_perms;

# Allow Izat service
allow system_server izat_service:service_manager add;

# For QSEE Svc Apps
allow system_server qsee_svc_app_data_file:file rw_file_perms;
allow system_server qsee_svc_app_data_file:dir r_dir_perms;

#Allow access to netmgrd socket
netmgr_socket(system_server);

# So init can manage our process
allow system_server RIDL:fd use;
allow system_server RIDL:fifo_file write;

# So init can manage our process
allow system_server qti_logkit:fd use;
allow system_server qti_logkit:fifo_file write;

#Rules for system server to talk to peripheral manager
use_per_mgr(system_server);

#allow binder calls
binder_call(system_server, seempd)

# Allow system server access to qfp daemon
binder_call(system_server, qfp-daemon);
allow system_server iqfp_service:service_manager find;

#for seemp
unix_socket_send(system_server, seempdw, seempd)

# For shutdown animation
allow system_server ctl_bootanim_prop:property_service set;

# allow tethering to access dhcp leases
r_dir_file(system_server, dhcp_data_file)

# Allow system server to set fst system properties
allow system_server fst_prop:property_service set;

#allow access to fingerprintd data file
allow system_server fingerprintd_data_file:file { r_file_perms unlink };
allow system_server fingerprintd_data_file:dir { rw_dir_perms rmdir };

#for Wifi module this is needed
allow system_server system_file:system module_load;

allow system_server persist_alarm_file:dir rw_dir_perms;
allow system_server persist_alarm_file:file { rw_file_perms create };
userdebug_or_eng(`
  diag_use(system_server)
')