system_server.te 1.53 KiB
  • #
    # System Server aka system_server spawned by zygote.
    # Most of the framework services run in this process.
    #
    # Declare the system_server type and attach the "domain" attribute to it.
    type system_server, domain;
    # NOTE(review): a permissive domain has its denials logged but not
    # enforced, so while this statement is present the allow rules in this
    # file document intended access rather than limit it.
    permissive system_server;
    # NOTE(review): unconfined_domain() is a macro defined outside this file;
    # presumably it grants broad access to the domain. Confirm its expansion
    # before treating any narrower rule below as an effective restriction.
    unconfined_domain(system_server);
    # relabelto_domain() is also defined outside this file; presumably it marks
    # the domain as one that may relabel objects (see the relabelto rules at
    # the end of this file). TODO confirm against the macro definition.
    relabelto_domain(system_server);
    
    # These are the capabilities assigned by the zygote to the
    # system server.
    # NOTE(review): the list includes several high-impact Linux capabilities:
    # sys_module (load/unload kernel modules), sys_boot (reboot), sys_time
    # (set the system clock), and net_admin / net_raw (network configuration
    # and raw sockets). Each should be re-justified when the domain is moved
    # out of permissive/unconfined mode, since a compromise of this process
    # inherits all of them.
    allow system_server self:capability {
        kill
        net_admin
        net_bind_service
        net_broadcast
        net_raw
        sys_boot
        sys_module
        sys_nice
        sys_resource
        sys_time
        sys_tty_config
    };
    
    # Create a socket for receiving info from wpa.
    # Any sock_file that system_server creates in a directory labelled
    # wifi_data_file is labelled system_wpa_socket instead of inheriting the
    # directory's type.
    type_transition system_server wifi_data_file:sock_file system_wpa_socket;

    # create_file_perms is a permission-set macro defined outside this file.
    allow system_server system_wpa_socket:sock_file create_file_perms;

    # Create a socket for connections from debuggerd.
    # Named type transition: applies only when the sock_file created under a
    # system_data_file directory is called exactly "ndebugsocket"; other
    # sock_files created there keep the default label.
    type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
    allow system_server system_ndebug_socket:sock_file create_file_perms;
    
    
    # Permissions in the "zygote" object class, granted on the domain itself.
    # NOTE(review): this class is declared outside this file; presumably it is
    # checked in userspace when the zygote applies the uid/gid, rlimits and
    # seinfo requested for a forked process. Confirm against the class
    # definition and the zygote's permission checks.
    allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
    
    
    # Read from HW RNG (needed by EntropyMixer).
    # Read-only access to the character device; r_file_perms is a
    # permission-set macro defined outside this file.
    allow system_server hw_random_device:chr_file r_file_perms;
    
    
    # Types that system_server may assign as the destination label when it
    # relabels an object (relabelto is checked against the new type).
    # Directories:
    allow system_server {
        backup_data_file
        cache_backup_file
        anr_data_file
        system_data_file
    }:dir relabelto;
    # Regular files:
    allow system_server {
        apk_data_file
        apk_tmp_file
        cache_backup_file
        apk_private_tmp_file
        wallpaper_file
    }:file relabelto;