system_server.te

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#

typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";

allow system_server zygote_tmpfs:file read;

# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;

# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:global_capability_class_set {
    ipc_lock
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_nice
    sys_ptrace
    sys_time
    sys_tty_config
};

wakelock_use(system_server)