system_server.te - LeafOS-Project/android_system_sepolicy - Gitiles

 #
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
 type system_server, domain;
 unconfined_domain(system_server);
 relabelto_domain(system_server);

 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:capability {
     kill
     net_admin
     net_bind_service
     net_broadcast
     net_raw
     sys_boot
     sys_module
     sys_nice
     sys_resource
     sys_time
     sys_tty_config
 };

 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
 allow system_server system_wpa_socket:sock_file create_file_perms;

 # Create a socket for connections from debuggerd.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;

 allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;

 allow system_server backup_data_file:dir relabelto;
 allow system_server cache_backup_file:dir relabelto;
 allow system_server anr_data_file:dir relabelto;
 allow system_server system_data_file:dir relabelto;
 allow system_server apk_data_file:file relabelto;
 allow system_server apk_tmp_file:file relabelto;
 allow system_server cache_backup_file:file relabelto;
 allow system_server apk_private_tmp_file:file relabelto;
 allow system_server wallpaper_file:file relabelto;

 # Access to wake locks
 allow system_server sysfs_wake_lock:file rw_file_perms;
	#
	# System Server aka system_server spawned by zygote.
	# Most of the framework services run in this process.
	#
	type system_server, domain;
	unconfined_domain(system_server);
	relabelto_domain(system_server);

	# These are the capabilities assigned by the zygote to the
	# system server.
	allow system_server self:capability {
	kill
	net_admin
	net_bind_service
	net_broadcast
	net_raw
	sys_boot
	sys_module
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	};

	# Create a socket for receiving info from wpa.
	type_transition system_server wifi_data_file:sock_file system_wpa_socket;
	allow system_server system_wpa_socket:sock_file create_file_perms;

	# Create a socket for connections from debuggerd.
	type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
	allow system_server system_ndebug_socket:sock_file create_file_perms;

	allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

	# Read from HW RNG (needed by EntropyMixer).
	allow system_server hw_random_device:chr_file r_file_perms;

	allow system_server backup_data_file:dir relabelto;
	allow system_server cache_backup_file:dir relabelto;
	allow system_server anr_data_file:dir relabelto;
	allow system_server system_data_file:dir relabelto;
	allow system_server apk_data_file:file relabelto;
	allow system_server apk_tmp_file:file relabelto;
	allow system_server cache_backup_file:file relabelto;
	allow system_server apk_private_tmp_file:file relabelto;
	allow system_server wallpaper_file:file relabelto;

	# Access to wake locks
	allow system_server sysfs_wake_lock:file rw_file_perms;