author | Adnan Begovic <adnan@cyngn.com> | 2015-10-15 11:06:53 -0700 |
---|---|---|
committer | Adnan Begovic <adnan@cyngn.com> | 2015-10-15 11:06:53 -0700 |
commit | edb21bcd85d86435b58f8f679cb988182b6bbc29 (patch) | |
tree | 41f25669e58c34351a0ba05f23784aa0d71a3cc4 /system_server.te | |
parent | 126d57e0a86e568d0039c72f046ebf9eada3bb06 (diff) | |
parent | 86c188f70d5a1db93cfcef97bafe9a97cc4bc726 (diff) | |
download | android_external_sepolicy-edb21bcd85d86435b58f8f679cb988182b6bbc29.tar.gz android_external_sepolicy-edb21bcd85d86435b58f8f679cb988182b6bbc29.tar.bz2 android_external_sepolicy-edb21bcd85d86435b58f8f679cb988182b6bbc29.zip |
Merge remote-tracking branch 'upstream/marshmallow-release', tag 'android-6.0.0_r1' into HEAD
Android 6.0.0 release 1
Change-Id: Iccee3137d91fb86555abe4596e356cc6c2a2ce47
Diffstat (limited to 'system_server.te')
-rw-r--r-- | system_server.te | 118 |
1 files changed, 84 insertions, 34 deletions
diff --git a/system_server.te b/system_server.te
index 645ed8e..036e90e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,6 +14,7 @@ allow system_server system_server_tmpfs:file execute;
 # For art.
 allow system_server dalvikcache_data_file:file execute;
+allow system_server dalvikcache_data_file:dir r_dir_perms;
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
@@ -49,7 +50,6 @@ allow system_server self:capability {
     net_broadcast
     net_raw
     sys_boot
-    sys_module
     sys_nice
     sys_resource
     sys_time
@@ -76,10 +76,6 @@ allow system_server self:netlink_route_socket nlmsg_write;
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow system_server kernel:process setsched;
-
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
@@ -89,13 +85,16 @@ allow system_server mediaserver:process { getsched setsched };
 # all processes on the device.
 r_dir_file(system_server, domain)
-# Write to /proc/pid/oom_adj_score for apps.
-allow system_server appdomain:file write;
-
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
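Review bot: Removing `sys_module` from the `self:capability` set is good hardening, but the hunk does nothing to keep it from creeping back; with a `### Neverallow rules` section now present in this file, pin it with `neverallow system_server self:capability sys_module;` unless a global neverallow in domain.te (not visible here) already covers every domain. The capability block starts and ends outside the hunk, so the remaining members are only partly visible.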
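Review bot: The hunk deletes `# Write to /proc/pid/oom_adj_score for apps.` and `allow system_server appdomain:file write;` without recording what replaced that path, so a later reader cannot tell whether the rule was dead or the work moved elsewhere. Add a note near `r_dir_file(system_server, domain)` such as `# oom_adj for apps is no longer set by writing /proc/pid files directly; see the lmkd socket rule.` if lmkd is in fact the replacement — the `unix_socket_connect(system_server, lmkd, lmkd)` rule is visible only as context in a later hunk, so that link is inferred. The new `proc_uid_cputime_removeuid:file { w_file_perms getattr }` rule is appropriately write-only for a control node.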
@@ -112,7 +111,6 @@ allow system_server self:tun_socket create_socket_perms;
 allow system_server init:process sigchld;
 # Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
@@ -129,11 +127,16 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 # Perform Binder IPC.
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
 binder_call(system_server, appdomain)
 binder_call(system_server, bootanim)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
+# Ask debuggerd to dump backtraces for native stacks of interest.
+allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, sdcardd)
@@ -166,8 +169,11 @@ allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
-allow system_server audio_device:chr_file r_file_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
 # tun device used for 3rd party vpn apps
 allow system_server tun_device:chr_file rw_file_perms;
@@ -180,7 +186,7 @@ allow system_server keychain_data_file:file create_file_perms;
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_data_file:file { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
@@ -207,6 +213,10 @@ allow system_server backup_data_file:file create_file_perms;
 allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;
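Review bot: The new `heapdump_data_file` rules let system_server write complete heap dumps under /data/system/heapdump, and a system_server heap contains whatever secrets were live at the time (account tokens, lock-screen state, keystore handles), yet the hunk says nothing about who may read that type. Add above the rules `# Heap dumps expose system_server's in-memory secrets; heapdump_data_file must stay readable only by debugging tooling, never by appdomain.` and confirm that the type's declaration and its consumer rules, which live outside this file, agree with that statement.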
@@ -273,23 +283,24 @@ allow system_server system_data_file:dir relabelfrom;
 allow system_server anr_data_file:dir relabelto;
 # Property Service write
-allow system_server system_prop:property_service set;
-allow system_server dhcp_prop:property_service set;
-allow system_server net_radio_prop:property_service set;
-allow system_server system_radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-allow system_server fingerprint_prop:property_service set;
+set_prop(system_server, system_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
 # ctl interface
-allow system_server ctl_default_prop:property_service set;
-allow system_server ctl_dhcp_pan_prop:property_service set;
-allow system_server ctl_bugreport_prop:property_service set;
 allow system_server ctl_bootanim_prop:property_service set;
 # Use open file provided by bootanim.
 allow system_server bootanim:fd use;
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_dhcp_pan_prop)
+set_prop(system_server, ctl_bugreport_prop)
+
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
 type_transition system_server wpa_socket:sock_file system_wpa_socket;
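Review bot: The switch to `set_prop()` is left half done: `allow system_server ctl_bootanim_prop:property_service set;` stays as a raw rule under `# ctl interface` while its three siblings become `set_prop(system_server, ctl_default_prop)` etc. and are moved below the unrelated `# Use open file provided by bootanim.` block. Use `set_prop(system_server, ctl_bootanim_prop)` and keep the four ctl_* lines together under their comment so the grouping survives future edits. The raw rule presumably still works only because the other `set_prop` expansions carry the property-socket connect that an earlier hunk removed, so this is a style and maintainability point rather than a functional one.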
@@ -303,12 +314,10 @@ allow system_server wpa_socket:sock_file unlink;
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
-# Specify any arguments to zygote.
-allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
-
 # Manage cache files.
 allow system_server cache_file:dir { relabelfrom create_dir_perms };
 allow system_server cache_file:file { relabelfrom create_file_perms };
+allow system_server cache_file:fifo_file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
@@ -320,7 +329,7 @@ allow system_server gps_control:file rw_file_perms;
 # Allow system_server to use app-created sockets and pipes.
 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:fifo_file { getattr read write };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
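Review bot: The added `allow system_server cache_file:fifo_file create_file_perms;` is filed under `# Manage cache files.` with no indication of which native process sits at the other end, which matters because a FIFO under /cache is an IPC channel, not a cache file. Add a comment such as `# FIFO under /cache used to hand commands to a native helper (TODO: name the peer domain and the direction of the channel)` so the rule can be audited against the peer's policy. The removal of the `self:zygote` rule in the same hunk carries its own comment and needs nothing further.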
@@ -370,28 +379,36 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
-allow system_server system_server_service:service_manager add;
+allow system_server drmserver_service:service_manager find;
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
 allow system_server keystore:keystore_key {
- test
+ get_state
 get
 insert
 delete
 exist
- saw
+ list
 reset
 password
 lock
 unlock
- zero
+ is_empty
 sign
 verify
 grant
 duplicate
 clear_uid
- reset_uid
- sync_uid
- password_uid
+ add_auth
+ user_changed
 };
 # Allow system server to search and write to the persistent factory reset
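Review bot: `add_auth` and `user_changed` are the consequential additions to the `keystore:keystore_key` block — `add_auth` is the permission that lets a caller hand authentication tokens to keystore — yet the block carries no comment, and its arrival alongside the new `binder_call(system_server, gatekeeperd)` and `binder_call(system_server, fingerprintd)` rules suggests system_server is now the relay for gatekeeper and fingerprint auth tokens (inferred, not stated anywhere in the hunk). Add a one-line note such as `# add_auth: relay hardware auth tokens from gatekeeperd/fingerprintd to keystore; user_changed: per-user key lifecycle` so that trust relationship is recorded next to the grant. Separately, the nine `service_manager find` rules could be a single type-set rule, `allow system_server { drmserver_service healthd_service keystore_service ... }:service_manager find;`, matching the style this same change uses for `debuggerd dump_backtrace`.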
@@ -405,11 +422,44 @@ allow system_server cgroup:dir { remove_name rmdir };
 # /oem access
 r_dir_file(system_server, oemfs)
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+
 ###
 ### Neverallow rules
 ###
 ### system_server should NEVER do any of this
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the system_server.
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
 neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be opening zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; |
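Review bot: The new app-data neverallow forbids only `:file open` on four types, so `dir` and `lnk_file` opens under those labels remain permitted, and the comment's claim that the list was "extracted from seapp_contexts type= fields" cannot be checked from this file; a follow-up comment naming the excluded types and why system_server must open them directly would make the rule auditable. The `sdcard_type:dir { open read write }` neverallow and the new `allow system_server sdcard_type:dir { getattr search };` earlier in the hunk are consistent with each other, but the allow deserves `# getattr/search only; open is forbidden by the neverallow below` so nobody widens it later. The `{ dev_type -frp_block_device }:blk_file no_rw_file_perms` neverallow is a solid guard against the root escalation its comment describes; `frp_block_device` is declared outside this file.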