Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Blame Permalink
  • Nick Kralevich's avatar
    acc0842c
    system_server: neverallow blk_file read/write · acc0842c
    Nick Kralevich authored 
    With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
    acc0842c
    History
    system_server: neverallow blk_file read/write
    Nick Kralevich authored 
    With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
system_server.te 17.51 KiB 
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system_server, domain, mlstrustedsubject;

# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)

# Dalvik Compiler JIT Mapping.
allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;

# For art.
allow system_server dalvikcache_data_file:file execute;

# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;

# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;

# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
allow system_server zygote_tmpfs:file read;

# May kill zygote on crashes.
allow system_server zygote:process sigkill;

# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;

# Needed to close the zygote socket, which involves getopt / getattr
allow system_server zygote:unix_stream_socket { getopt getattr };

# system server gets network and bluetooth permissions.
net_domain(system_server)
bluetooth_domain(system_server)

# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
    kill
    net_admin
    net_bind_service
    net_broadcast
    net_raw
    sys_boot
    sys_nice
    sys_resource
    sys_time
    sys_tty_config
};

wakelock_use(system_server)

# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;

# Trigger module auto-load.
allow system_server kernel:system module_request;

# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;

# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;

# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;

# Kill apps.
allow system_server appdomain:process { sigkill signal };

# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow system_server kernel:process setsched;

# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };

# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
# all processes on the device.
r_dir_file(system_server, domain)

# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;

# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;

# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;

# WifiWatchdog uses a packet_socket
allow system_server self:packet_socket create_socket_perms;

# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;

# Notify init of death.
allow system_server init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)

# Ask debuggerd to dump backtraces for native stacks of interest.
allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;

# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)

# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
allow system_server mediaserver:udp_socket rw_socket_perms;

# Check SELinux permissions.
selinux_check_access(system_server)

# XXX Label sysfs files with a specific type?
allow system_server sysfs:file rw_file_perms;
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;

# Access devices.
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
allow system_server gpu_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
allow system_server input_device:dir r_dir_perms;
allow system_server input_device:chr_file rw_file_perms;
allow system_server radio_device:chr_file r_file_perms;
allow system_server tty_device:chr_file rw_file_perms;
allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server audio_device:chr_file r_file_perms;

# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;

# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
allow system_server keychain_data_file:dir create_dir_perms;
allow system_server keychain_data_file:file create_file_perms;

# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;

# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;

# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
allow system_server asec_public_file:file create_file_perms;

# Manage /data/anr.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;

# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;

# Read from /data/dalvik-cache/profiles
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;

# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;

# Manage /data/misc/sms.
# TODO:  Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
allow system_server radio_data_file:file create_file_perms;

# Manage /data/misc/systemkeys.
allow system_server systemkeys_data_file:dir create_dir_perms;
allow system_server systemkeys_data_file:file create_file_perms;

# Access /data/tombstones.
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;

# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;

# Manage /data/misc/wifi.
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;

# Manage /data/misc/zoneinfo.
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;

# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
allow system_server unlabeled:dir r_dir_perms;
# Read pkg.apk file before it has been relabeled by vold.
allow system_server unlabeled:file r_file_perms;

# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
allow system_server system_app_data_file:file create_file_perms;

# Receive and use open app data files passed over binder IPC.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };

# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };

# Read /file_contexts and /data/security/file_contexts
security_access_policy(system_server)

# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };

# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };

# Relabel /data/anr.
allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;

# Property Service write
allow system_server system_prop:property_service set;
allow system_server dhcp_prop:property_service set;
allow system_server net_radio_prop:property_service set;
allow system_server system_radio_prop:property_service set;
allow system_server debug_prop:property_service set;
allow system_server powerctl_prop:property_service set;
allow system_server fingerprint_prop:property_service set;

# ctl interface
allow system_server ctl_default_prop:property_service set;
allow system_server ctl_dhcp_pan_prop:property_service set;
allow system_server ctl_bugreport_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
allow system_server wpa_socket:dir rw_dir_perms;
allow system_server system_wpa_socket:sock_file create_file_perms;

# Remove sockets created by wpa_supplicant
allow system_server wpa_socket:sock_file unlink;

# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;

# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };

# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
allow system_server gps_control:file rw_file_perms;

# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };

# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;

# BackupManagerService lets PMS create a data backup file
allow system_server cache_backup_file:file create_file_perms;
# Relabel /data/backup
allow system_server backup_data_file:dir { relabelto relabelfrom };
# Relabel /cache/.*\.{data|restore}
allow system_server cache_backup_file:file { relabelto relabelfrom };
# LocalTransport creates and relabels /cache/backup
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };

# Allow system to talk to usb device
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;

# Allow system to talk to sensors
allow system_server sensors_device:chr_file rw_file_perms;

# Read from HW RNG (needed by EntropyMixer).
allow system_server hw_random_device:chr_file r_file_perms;

# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
allow system_server fscklogs:file unlink;

# For SELinuxPolicyInstallReceiver
selinux_manage_policy(system_server)

# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;

# Read from log daemon.
read_logd(system_server)

# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
# /sys/module/lowmemorykiller/parameters/minfree
allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;

allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
allow system_server tmp_system_server_service:service_manager { add find };

# TODO: Remove. Make up for previously lacking auditing.
allow system_server service_manager_type:service_manager find;
auditallow system_server {
    service_manager_type
    -drmserver_service
    -healthd_service
    -keystore_service
    -mediaserver_service
    -nfc_service
    -radio_service
    -system_server_service
    -surfaceflinger_service
    -tmp_system_server_service
}:service_manager find;

service_manager_local_audit_domain(system_server)
auditallow system_server {
    tmp_system_server_service
    -accessibility_service
    -account_service
    -activity_service
    -alarm_service
    -appops_service
    -assetatlas_service
    -audio_service
    -backup_service
    -batterystats_service
    -bluetooth_manager_service
    -connectivity_service
    -content_service
    -device_policy_service
    -display_service
    -dreams_service
    -dropbox_service
    -ethernet_service
    -hdmi_control_service
    -input_method_service
    -input_service
    -jobscheduler_service
    -location_service
    -lock_settings_service
    -media_router_service
    -media_session_service
    -mount_service
    -network_management_service
    -network_score_service
    -notification_service
    -package_service
    -permission_service
    -power_service
    -registry_service
    -sensorservice_service
    -statusbar_service
    -textservices_service
    -trust_service
    -uimode_service
    -updatelock_service
    -usagestats_service
    -user_service
    -vibrator_service
    -wallpaper_service
    -webviewupdate_service
    -wifi_service
    -wifip2p_service
    -window_service
}:service_manager find;

allow system_server keystore:keystore_key {
	test
	get
	insert
	delete
	exist
	saw
	reset
	password
	lock
	unlock
	zero
	sign
	verify
	grant
	duplicate
	clear_uid
	reset_uid
	sync_uid
	password_uid
};

# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;

# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };

# /oem access
r_dir_file(system_server, oemfs)

###
### Neverallow rules
###
### system_server should NEVER do any of this

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
neverallow system_server sdcard_type:file rw_file_perms;

# system server should never be opening zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;

# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;

# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;