#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)
# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)
# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };
# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)
# Read SELinux enforcing status.
selinux_getenforce(system_app)

Stephen Smalley
committed
bool settings_manage_selinux true;
if (settings_manage_selinux) {
# Allow settings app to set SELinux to enforcing
selinux_setenforce(system_app)
# Allow settings app to set SELinux booleans
selinux_setbool(system_app)
}
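Review bot: The comment above `selinux_setenforce(system_app)` says "set SELinux to enforcing", but the underlying `setenforce` permission is not one-directional — the same write path also switches the kernel to permissive, so the comment understates what the rule grants. The rule is also attached to the whole `system_app` domain, not just the Settings app, and the bool defaults to `true`, so every system-UID app gets this ability unless a build flips the bool. I would reword the comment to `# Allow system UID apps (e.g. Settings) to toggle enforcing/permissive mode` and the one below it to `# Allow system UID apps (e.g. Settings) to change SELinux booleans`, and state in the comment on the `bool` line that a production build is expected to set it to `false`. Whether any default-off configuration exists elsewhere in the tree is not visible from this page.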
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system, domain, mlstrustedsubject;
# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;
# system server gets network and bluetooth permissions.
net_domain(system)
bluetooth_domain(system)
# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
# Use netlink uevent sockets.
allow system self:netlink_kobject_uevent_socket *;
# Kill apps.
allow system appdomain:process { sigkill signal };
# Set scheduling info for apps.
allow system appdomain:process setsched;
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Read /proc data for apps.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;
# Write to /proc/net/xt_qtaguid/ctrl.
# XXX Split /proc/net into its own type.
allow system proc:file write;
# Notify init of death.
allow system init:process sigchld;
# Talk to init and various daemons via sockets.
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)
# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Transfer other Binder references.
binder_transfer(system, binderservicedomain)
binder_transfer(system, appdomain)
# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;
# Specify any arguments to zygote.
allow system self:zygote *;
# Check SELinux permissions.
selinux_check_access(system)
# XXX Label sysfs files with a specific type?
allow system sysfs:file rw_file_perms;
# Access devices.
allow system device:dir r_dir_perms;
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
allow system device:chr_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;
# Manage data files.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;
# Manage cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;
# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;
# Silently deny any /proc accesses that are not allowed.
# This suppresses noise from walking the process list.
dontaudit system domain:dir r_dir_perms;
dontaudit system domain:file r_file_perms;