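Lines matching refs:allow. The number at the start of each line is that line's number in the policy file; only matching lines are listed, so rules that end in "{" and lines that end in "…" are incomplete here.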
# Matched `allow` rules for the system_server domain: tmpfs, proc, sysfs and
# ART/dalvik cache reads, plus the zygote relationship.
# NOTE(review): the two tmpfs rules list map/read/write but not `open`, so on
# these rules alone system_server can only use such files through descriptors
# it already holds. Confirm that no other rule adds `open` for these types.
25 allow system_server zygote_tmpfs:file { map read };
26 allow system_server appdomain_tmpfs:file { getattr map read write };
29 allow system_server proc_filesystems:file r_file_perms;
32 allow system_server incremental_control_file:file { ioctl r_file_perms };
65 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
68 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
69 allow system_server sysfs_fs_f2fs:file r_file_perms;
72 allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
75 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
76 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
# The rule below is the argument of with_asan(...); presumably it is emitted
# only on ASAN builds. The macro definition is not part of this listing.
92 with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
95 allow system_server resourcecache_data_file:file r_file_perms;
96 allow system_server resourcecache_data_file:dir r_dir_perms;
# Target is `self`: ptrace is granted within the system_server domain only,
# not against any other domain.
99 allow system_server self:process ptrace;
102 allow system_server zygote:fd use;
103 allow system_server zygote:process sigchld;
106 allow system_server {
116 allow system_server zygote_exec:file r_file_perms;
119 allow system_server zygote:unix_stream_socket { getopt getattr };
123 # in addition to ioctls allowlisted for all domains, also allow system_server
132 allow system_server appdomain:tcp_socket ioctl;
136 allow system_server self:global_capability_class_set {
151 allow system_server self:global_capability2_class_set wake_alarm;
154 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
157 allow system_server self:netlink_tcpdiag_socket
161 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
163 allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
166 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
167 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
170 allow system_server config_gz:file { read open };
176 allow system_server self:socket create_socket_perms_no_ioctl;
179 allow system_server self:netlink_route_socket nlmsg_write;
182 allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read …
# Process-control and /proc write grants for system_server.
# Any appdomain process may be signalled or killed (sigkill, signal, signull)
# and have its process group queried.
185 allow system_server appdomain:process { getpgid sigkill signal };
187 allow system_server appdomain:process { signull };
# getsched/setsched: read and change the scheduling attributes of processes in
# each listed domain.
190 allow system_server appdomain:process { getsched setsched };
191 allow system_server audioserver:process { getsched setsched };
192 allow system_server hal_audio:process { getsched setsched };
193 allow system_server hal_bluetooth:process { getsched setsched };
194 allow system_server hal_codec2_server:process { getsched setsched };
195 allow system_server hal_omx_server:process { getsched setsched };
196 allow system_server mediaswcodec:process { getsched setsched };
197 allow system_server cameraserver:process { getsched setsched };
198 allow system_server hal_camera:process { getsched setsched };
199 allow system_server mediaserver:process { getsched setsched };
200 allow system_server bootanim:process { getsched setsched };
# The same scheduling permissions on processes labelled `kernel`.
204 allow system_server kernel:process { getsched setsched };
# NOTE(review): `domain` looks like the attribute covering every process type,
# so this is write access to file objects carrying any process label
# (presumably /proc/<pid> entries). It is one of the broadest grants in this
# listing; check it against the neverallow rules in the full policy.
207 allow system_server domain:file w_file_perms;
216 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
219 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
# NOTE(review): read/write on proc_sysrq presumably lets system_server trigger
# sysrq actions. Confirm which file carries this label.
222 allow system_server proc_sysrq:file rw_file_perms;
225 allow system_server stats_config_data_file:dir { open read remove_name search write };
226 allow system_server stats_config_data_file:file unlink;
229 allow system_server odsign_data_file:dir search;
230 allow system_server odsign_metrics_file:dir { r_dir_perms write remove_name };
231 allow system_server odsign_metrics_file:file { r_file_perms unlink };
235 allow system_server debugfs_wakeup_sources:file r_file_perms;
239 allow system_server sysfs_ion:file r_file_perms;
242 allow system_server sysfs_dma_heap:file r_file_perms;
245 allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
246 allow system_server sysfs_dmabuf_stats:file r_file_perms;
250 allow system_server dmabuf_heap_device:dir r_dir_perms;
253 allow system_server proc_vmstat:file r_file_perms;
256 allow system_server self:packet_socket create_socket_perms_no_ioctl;
259 allow system_server self:tun_socket create_socket_perms_no_ioctl;
270 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
272 allow system_server gpuservice:unix_stream_socket { read write setopt };
275 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
278 allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
# Graphics HAL descriptors, same-process HAL code, and service-manager listing.
360 allow system_server hal_graphics_composer:fd use;
363 allow system_server hal_renderscript_hwservice:hwservice_manager find;
# execute + map on same_process_hal_file: system_server may load and run code
# from files of this type inside its own process, so the integrity of those
# files is part of system_server's trust boundary.
364 allow system_server same_process_hal_file:file { execute read open getattr map };
# `list` enumerates registered services; it is separate from the per-service
# `find` grants.
370 allow system_server hwservicemanager:hwservice_manager list;
371 allow system_server servicemanager:service_manager list;
374 allow system_server {
425 allow system_server audioserver:tcp_socket rw_socket_perms;
426 allow system_server audioserver:udp_socket rw_socket_perms;
427 allow system_server mediaserver:tcp_socket rw_socket_perms;
428 allow system_server mediaserver:udp_socket rw_socket_perms;
431 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
432 allow system_server mediadrmserver:udp_socket rw_socket_perms;
439 allow system_server file_contexts_file:file r_file_perms;
441 allow system_server mac_perms_file: file r_file_perms;
445 allow system_server sysfs_type:dir r_dir_perms;
448 allow system_server sysfs_android_usb:file w_file_perms;
453 allow system_server sysfs_ipv4:file w_file_perms;
458 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
459 allow system_server sysfs_power:dir search;
460 allow system_server sysfs_power:file rw_file_perms;
461 allow system_server sysfs_thermal:dir search;
462 allow system_server sysfs_thermal:file r_file_perms;
463 allow system_server sysfs_uhid:dir r_dir_perms;
464 allow system_server sysfs_uhid:file rw_file_perms;
467 allow system_server sysfs_vibrator:file { write append };
470 allow system_server sysfs_usb:file w_file_perms;
473 allow system_server device:dir r_dir_perms;
474 allow system_server mdns_socket:sock_file rw_file_perms;
475 allow system_server gpu_device:chr_file rw_file_perms;
476 allow system_server gpu_device:dir r_dir_perms;
477 allow system_server sysfs_gpu:file r_file_perms;
478 allow system_server input_device:dir r_dir_perms;
479 allow system_server input_device:chr_file rw_file_perms;
480 allow system_server tty_device:chr_file rw_file_perms;
481 allow system_server usbaccessory_device:chr_file rw_file_perms;
482 allow system_server video_device:dir r_dir_perms;
483 allow system_server video_device:chr_file rw_file_perms;
484 allow system_server adbd_socket:sock_file rw_file_perms;
485 allow system_server rtc_device:chr_file rw_file_perms;
486 allow system_server audio_device:dir r_dir_perms;
487 allow system_server uhid_device:chr_file rw_file_perms;
488 allow system_server hidraw_device:dir r_dir_perms;
489 allow system_server hidraw_device:chr_file rw_file_perms;
492 allow system_server audio_device:chr_file rw_file_perms;
495 allow system_server tun_device:chr_file rw_file_perms;
499 allow system_server ota_package_file:dir rw_dir_perms;
500 allow system_server ota_package_file:file create_file_perms;
503 allow system_server system_data_file:dir create_dir_perms;
504 allow system_server system_data_file:notdevfile_class_set create_file_perms;
505 allow system_server packages_list_file:file create_file_perms;
506 allow system_server game_mode_intervention_list_file:file create_file_perms;
507 allow system_server keychain_data_file:dir create_dir_perms;
508 allow system_server keychain_data_file:file create_file_perms;
509 allow system_server keychain_data_file:lnk_file create_file_perms;
511 # Read the user parent directories like /data/user. Don't allow write access,
513 allow system_server system_userdir_file:dir r_dir_perms;
516 allow system_server apk_data_file:dir create_dir_perms;
517 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
518 allow system_server apk_tmp_file:dir create_dir_perms;
519 allow system_server apk_tmp_file:file create_file_perms;
522 allow system_server apk_metadata_file:dir create_dir_perms;
523 allow system_server apk_metadata_file:file create_file_perms;
537 allow system_server apk_private_data_file:dir create_dir_perms;
538 allow system_server apk_private_data_file:file create_file_perms;
539 allow system_server apk_private_tmp_file:dir create_dir_perms;
540 allow system_server apk_private_tmp_file:file create_file_perms;
543 allow system_server asec_apk_file:dir create_dir_perms;
544 allow system_server asec_apk_file:file create_file_perms;
545 allow system_server asec_public_file:file create_file_perms;
553 allow system_server anr_data_file:dir create_dir_perms;
554 allow system_server anr_data_file:file create_file_perms;
560 # order to dump its traces. Also allow the system server to write its traces to
# Trace and report hand-off: descriptors and pipes owned by other domains that
# system_server may append to or read from.
563 allow system_server tombstoned:fd use;
564 allow system_server dumpstate:fifo_file append;
565 allow system_server incidentd:fifo_file append;
# NOTE(review): `su` is normally a debug-build-only domain. The listing does
# not show whether this rule sits inside a userdebug/eng-only macro, so check
# the lines around 568 in the policy file.
568 allow system_server su:fifo_file append;
573 allow system_server incidentd:fifo_file read;
# `read` without `open`: on this rule the file is readable only through a
# descriptor passed in by another process.
577 allow system_server incident_data_file:file read;
580 allow system_server prereboot_data_file:dir rw_dir_perms;
581 allow system_server prereboot_data_file:file create_file_perms;
585 allow system_server perfetto_traces_data_file:file { read getattr };
586 allow system_server perfetto:fd use;
590 allow system_server perfetto:fifo_file { read write };
593 allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
594 allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
595 allow system_server perfetto_traces_data_file:dir search;
600 allow system_server trace_redactor:process signal;
603 allow system_server perfetto:process signal;
606 allow system_server backup_data_file:dir create_dir_perms;
607 allow system_server backup_data_file:file create_file_perms;
610 allow system_server dropbox_data_file:dir create_dir_perms;
611 allow system_server dropbox_data_file:file create_file_perms;
614 allow system_server heapdump_data_file:dir rw_dir_perms;
615 allow system_server heapdump_data_file:file create_file_perms;
618 allow system_server adb_keys_file:dir create_dir_perms;
619 allow system_server adb_keys_file:file create_file_perms;
622 allow system_server appcompat_data_file:dir rw_dir_perms;
623 allow system_server appcompat_data_file:file create_file_perms;
627 allow system_server connectivityblob_data_file:dir create_dir_perms;
628 allow system_server connectivityblob_data_file:file create_file_perms;
631 allow system_server emergency_data_file:dir create_dir_perms;
632 allow system_server emergency_data_file:file create_file_perms;
635 allow system_server network_watchlist_data_file:dir create_dir_perms;
636 allow system_server network_watchlist_data_file:file create_file_perms;
640 allow system_server radio_data_file:dir create_dir_perms;
641 allow system_server radio_data_file:file create_file_perms;
644 allow system_server systemkeys_data_file:dir create_dir_perms;
645 allow system_server systemkeys_data_file:file create_file_perms;
648 allow system_server textclassifier_data_file:dir create_dir_perms;
649 allow system_server textclassifier_data_file:file create_file_perms;
652 allow system_server tombstone_data_file:dir rw_dir_perms;
653 allow system_server tombstone_data_file:file create_file_perms;
656 allow system_server vpn_data_file:dir create_dir_perms;
657 allow system_server vpn_data_file:file create_file_perms;
660 allow system_server wifi_data_file:dir create_dir_perms;
661 allow system_server wifi_data_file:file create_file_perms;
664 allow system_server staging_data_file:dir create_dir_perms;
665 allow system_server staging_data_file:file create_file_perms;
668 allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
# Access to app-private data and media storage, then the relabel rights used
# when files move between types.
# Directories of every app data type: stat, list and traverse only. No write or
# add_name is granted here.
671 allow system_server app_data_file_type:dir { getattr read search };
675 allow system_server unlabeled:dir r_dir_perms;
677 allow system_server unlabeled:file r_file_perms;
680 allow system_server system_app_data_file:dir create_dir_perms;
681 allow system_server system_app_data_file:file create_file_perms;
# No `open` in this set: on this rule system_server can read or write app data
# files only through descriptors passed to it, and cannot open them by path.
684 allow system_server app_data_file_type:file { getattr read write append map };
687 allow system_server media_rw_data_file:dir { search getattr open read };
# The same pattern for media files: `open` is absent from the file permissions.
691 allow system_server media_rw_data_file:file { getattr read write append };
# setfscreate lets system_server choose the label applied to files it creates.
695 allow system_server system_server:process setfscreate;
# relabelfrom/relabelto in both directions on the tmp, installed-APK and staging
# types: system_server may change files between these labels.
698 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
699 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
704 allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# One-directional relabels: out of system_data_file (relabelfrom only) and into
# the wallpaper, shortcut icon, ringtone and icon types (relabelto only).
707 allow system_server system_data_file:file relabelfrom;
708 allow system_server wallpaper_file:file relabelto;
709 allow system_server wallpaper_file:file { rw_file_perms rename unlink };
712 allow system_server { system_data_file wallpaper_file }:file link;
715 allow system_server system_data_file:dir relabelfrom;
716 allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
717 allow system_server shortcut_manager_icons:file create_file_perms;
720 allow system_server ringtone_file:dir { create_dir_perms relabelto };
721 allow system_server ringtone_file:file create_file_perms;
724 allow system_server icon_file:file relabelto;
725 allow system_server icon_file:file { rw_file_perms unlink };
# Same rule as line 715. The duplicate is redundant but harmless.
728 allow system_server system_data_file:dir relabelfrom;
733 allow system_server server_configurable_flags_data_file:dir r_dir_perms;
734 allow system_server server_configurable_flags_data_file:file r_file_perms;
904 allow system_server system_ndebug_socket:sock_file create_file_perms;
907 allow system_server system_unsolzygote_socket:sock_file create_file_perms;
910 allow system_server cache_file:lnk_file r_file_perms;
911 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
912 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
913 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
915 allow system_server system_file:dir r_dir_perms;
916 allow system_server system_file:lnk_file r_file_perms;
919 allow system_server system_file:file lock;
923 allow system_server gps_control:file rw_file_perms;
926 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown…
927 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
930 allow system_server cache_backup_file:dir rw_dir_perms;
931 allow system_server cache_backup_file:file create_file_perms;
933 allow system_server cache_private_backup_file:dir create_dir_perms;
934 allow system_server cache_private_backup_file:file create_file_perms;
937 allow system_server usb_device:chr_file rw_file_perms;
938 allow system_server usb_device:dir r_dir_perms;
942 allow system_server fscklogs:dir { write remove_name add_name };
943 allow system_server fscklogs:file rename;
947 allow system_server zygote:unix_dgram_socket write;
956 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
# Read access to pstore, zram tuning, and the loaded SELinux policy.
961 allow system_server pstorefs:dir r_dir_perms;
962 allow system_server pstorefs:file r_file_perms;
965 allow system_server sysfs_zram:dir search;
966 allow system_server sysfs_zram:file rw_file_perms;
# read_policy on kernel:security: system_server may read the kernel's loaded
# policy. No permission to load or change policy appears in this listing.
969 allow system_server kernel:security read_policy;
972 allow system_server artd_service:service_manager find;
973 allow system_server artd_pre_reboot_service:service_manager find;
974 allow system_server audioserver_service:service_manager find;
975 allow system_server authorization_service:service_manager find;
976 allow system_server batteryproperties_service:service_manager find;
977 allow system_server cameraserver_service:service_manager find;
978 allow system_server compos_service:service_manager find;
979 allow system_server dataloader_manager_service:service_manager find;
980 allow system_server dexopt_chroot_setup_service:service_manager find;
981 allow system_server dnsresolver_service:service_manager find;
982 allow system_server drmserver_service:service_manager find;
983 allow system_server dumpstate_service:service_manager find;
984 allow system_server fingerprintd_service:service_manager find;
985 allow system_server gatekeeper_service:service_manager find;
986 allow system_server gpu_service:service_manager find;
987 allow system_server gsi_service:service_manager find;
988 allow system_server idmap_service:service_manager find;
989 allow system_server incident_service:service_manager find;
990 allow system_server incremental_service:service_manager find;
991 allow system_server installd_service:service_manager find;
992 allow system_server keystore_maintenance_service:service_manager find;
993 allow system_server keystore_metrics_service:service_manager find;
994 allow system_server keystore_service:service_manager find;
995 allow system_server mdns_service:service_manager find;
996 allow system_server mediaserver_service:service_manager find;
997 allow system_server mediametrics_service:service_manager find;
998 allow system_server mediaextractor_service:service_manager find;
999 allow system_server mediadrmserver_service:service_manager find;
1000 allow system_server mediatuner_service:service_manager find;
1001 allow system_server netd_service:service_manager find;
1002 allow system_server nfc_service:service_manager find;
1003 allow system_server ot_daemon_service:service_manager find;
1004 allow system_server radio_service:service_manager find;
1005 allow system_server stats_service:service_manager find;
1006 allow system_server storaged_service:service_manager find;
1007 allow system_server surfaceflinger_service:service_manager find;
1008 allow system_server update_engine_service:service_manager find;
1009 allow system_server virtual_camera_service:service_manager find;
1011 allow system_server virtualization_maintenance_service:service_manager find;
1013 allow system_server vold_service:service_manager find;
1014 allow system_server wifinl80211_service:service_manager find;
1015 allow system_server logd_service:service_manager find;
1017 allow system_server profcollectd_service:service_manager find;
# Keystore2 permissions and block-device access.
# Each of the five keystore2 rules opens a brace block whose permission list
# continues on lines that did not match the search, so the granted permissions
# cannot be read from this listing. Consult the policy file at these line
# numbers.
1022 allow system_server keystore:keystore2 {
1036 allow system_server keystore:keystore2_key {
1047 allow system_server wifi_key:keystore2_key {
1056 allow system_server resume_on_reboot_key:keystore2_key {
1065 allow system_server locksettings_key:keystore2_key {
1076 allow system_server block_device:dir search;
# Read/write on the block device node labelled frp_block_device.
1077 allow system_server frp_block_device:blk_file rw_file_perms;
1081 allow system_server cgroup:dir create_dir_perms;
1082 allow system_server cgroup:file setattr;
1083 allow system_server cgroup_v2:dir create_dir_perms;
1084 allow system_server cgroup_v2:file { r_file_perms setattr };
1090 allow system_server { mnt_user_file storage_file }:dir { getattr search };
1091 allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
1095 allow system_server { sdcard_type fuse }:dir { getattr search };
1098 allow system_server mnt_expand_file:dir r_dir_perms;
1102 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
1103 allow system_server fingerprintd_data_file:file { getattr unlink };
# Trace output directories and kernel log access.
1107 allow system_server method_trace_data_file:dir w_dir_perms;
1108 allow system_server method_trace_data_file:file { create w_file_perms };
# syslog_read on kernel:system: system_server may read the kernel log buffer.
1111 allow system_server kernel:system syslog_read;
1114 allow system_server wm_trace_data_file:dir rw_dir_perms;
1115 allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
1118 allow system_server accessibility_trace_data_file:dir rw_dir_perms;
1119 …allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perm…
# FUSE and configfs access, then the adbd socket relationship.
1123 allow system_server vold:fd use;
# No `open` on the next two rules: the FUSE device and app_fuse files are used
# through descriptors received from another process (vold:fd use is granted
# just above).
1124 allow system_server fuse_device:chr_file { read write ioctl getattr };
1125 allow system_server app_fuse_file:file { read write getattr };
1128 allow system_server configfs:dir { create_dir_perms };
1129 allow system_server configfs:file { getattr open create unlink write };
# system_server may connect to adbd's stream socket and then use the data path
# (read/write/ioctl/shutdown) on it.
1133 allow system_server adbd:unix_stream_socket connectto;
1134 allow system_server adbd:fd use;
1135 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
1144 allow system_server toolbox_exec:file rx_file_perms;
1155 # For OTA dexopt, allow calls coming from postinstall.
1158 allow system_server postinstall:fifo_file write;
1159 allow system_server update_engine:fd use;
1160 allow system_server update_engine:fifo_file write;
1163 allow system_server preloads_data_file:file { r_file_perms unlink };
1164 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
1165 allow system_server preloads_media_file:file { r_file_perms unlink };
1166 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
1170 allow system_server ion_device:chr_file r_file_perms;
1173 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
1175 allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
1180 allow system_server {
1197 allow system_server proc_uid_time_in_state:dir r_dir_perms;
1198 allow system_server proc_uid_cpupower:file r_file_perms;
1203 allow system_server debugfs_tracing_instances:dir search;
1204 allow system_server debugfs_wifi_tracing:dir search;
1205 allow system_server debugfs_wifi_tracing:file rw_file_perms;
1208 allow system_server debugfs_bootreceiver_tracing:dir search;
1209 allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
1212 allow system_server debugfs_tracing:file r_file_perms;
# Exec rights that the policy comment ties to ASAN builds, followed by eBPF map
# and program access.
1214 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# NOTE(review): the comment above scopes these three rx grants to ASAN builds,
# but the enclosing macro (if any) is not among the matched lines. Confirm they
# are conditional, since an unconditional exec of shell_exec from system_server
# would be a notable grant.
1217 allow system_server shell_exec:file rx_file_perms;
1218 allow system_server asanwrapper_exec:file rx_file_perms;
1219 allow system_server zygote_exec:file rx_file_perms;
1222 # allow system_server to read the eBPF maps that stores the traffic stats information and update
1225 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
1226 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { get…
# prog_run on bpfloader's programs, map_create for system_server itself, and
# map_read/map_write on maps owned by the four listed domains.
1227 allow system_server bpfloader:bpf prog_run;
1228 allow system_server self:bpf map_create;
1229 allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
1231 allow system_server self:key_socket create;
1238 allow system_server clatd:process { sigkill signal };
1244 allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
1245 allow system_server user_profile_data_file:file { getattr open read };
1250 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
1251 allow system_server profman_dump_data_file:dir rw_dir_perms;
1255 allow system_server user_profile_data_file:dir w_dir_perms;
1256 allow system_server user_profile_data_file:file create_file_perms;
1262 allow system_server functionfs:dir search;
1263 allow system_server functionfs:file rw_file_perms;
1279 allow system_server kmsg_debug_device:chr_file { open append getattr };
1286 allow system_server font_data_file:file create_file_perms;
1287 allow system_server font_data_file:dir create_dir_perms;
# NOTE(review): the next six hits are comment lines that merely contain the word
# "allow". They presumably introduce restrictions whose rules use a different
# keyword and so are not listed. Read this listing as the grant side of the
# policy only.
1306 # Do not allow opening files from external storage as unsafe ejection
1341 # Only allow crash_dump to connect to system_ndebug_socket.
1344 # Only allow zygotes to connect to system_unsolzygote_socket.
1354 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
1384 # Only allow system_server and init to set tuner_server_ctl_prop
1394 # want to allow.
# The leading backquote and the trailing "'," mark this rule as one argument of
# a macro call, so execmem is conditional on that macro. The condition itself
# is not visible in this listing.
1417 `allow system_server self:process execmem;',
1425 allow system_server system_server_startup:fd use;
1426 allow system_server system_server_startup_tmpfs:file { read write map };
1427 allow system_server system_server_startup:unix_dgram_socket write;
1430 allow system_server apex_service:service_manager find;
1431 allow system_server apexd:binder call;
1434 allow system_server apex_mnt_dir:dir r_dir_perms;
1437 allow system_server apex_info_file:file r_file_perms;
1440 allow system_server system_suspend_control_internal_service:service_manager find;
1441 allow system_server system_suspend_control_service:service_manager find;
1452 allow system_server apex_data_file:dir { getattr search };
1453 allow system_server apex_data_file:file r_file_perms;
1458 allow system_server vendor_apex_file:dir { getattr search };
1459 allow system_server vendor_apex_file:file r_file_perms;
1462 allow system_server apex_module_data_file:dir { getattr search };
1464 allow system_server apex_system_server_data_file:dir create_dir_perms;
1465 allow system_server apex_system_server_data_file:file create_file_perms;
1466 allow system_server apex_tethering_data_file:dir create_dir_perms;
1467 allow system_server apex_tethering_data_file:file create_file_perms;
1468 allow system_server apex_uwb_data_file:dir create_dir_perms;
1469 allow system_server apex_uwb_data_file:file create_file_perms;
1471 allow system_server {
1477 allow system_server {
1486 allow system_server metadata_file:dir search;
1487 allow system_server password_slot_metadata_file:dir rw_dir_perms;
1488 allow system_server password_slot_metadata_file:file create_file_perms;
1490 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
1491 allow system_server userspace_reboot_metadata_file:file create_file_perms;
1494 allow system_server staged_install_file:dir rw_dir_perms;
1495 allow system_server staged_install_file:file create_file_perms;
1497 allow system_server watchdog_metadata_file:dir rw_dir_perms;
1498 allow system_server watchdog_metadata_file:file create_file_perms;
1500 allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
1501 allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
1502 allow system_server aconfig_storage_metadata_file:dir search;
1504 allow system_server aconfigd_socket:sock_file {read write};
1505 allow system_server aconfigd:unix_stream_socket connectto;
1507 allow system_server aconfig_test_mission_files:dir create_dir_perms;
1508 allow system_server aconfig_test_mission_files:file create_file_perms;
1510 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
1511 allow system_server repair_mode_metadata_file:file create_file_perms;
1513 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
1514 allow system_server gsi_persistent_data_file:file create_file_perms;
1517 allow system_server odrefresh_data_file:dir rw_dir_perms;
1518 allow system_server odrefresh_data_file:file { r_file_perms unlink };
1521 allow system_server surfaceflinger_exec:file r_file_perms;
# Pressure-stall files, perf events, and shutdown checkpoint storage.
# Memory pressure is read/write; CPU and IO pressure are read-only.
1538 allow system_server proc_pressure_mem:file rw_file_perms;
1540 allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
# NOTE(review): the `cpu` and `kernel` perf_event permissions go beyond
# self-profiling (presumably system-wide and kernel-level events). Confirm the
# justification in the comments around line 1577 of the policy file.
1577 allow system_server self:perf_event { open write cpu kernel };
1581 allow system_server shutdown_checkpoints_system_data_file:dir create_dir_perms;
1582 allow system_server shutdown_checkpoints_system_data_file:file create_file_perms;
1584 # Do not allow any domain other than init or system server to set the property
1597 # Only allow system server to write uhid sysfs files
1617 allow system_server system_font_fallback_file:file r_file_perms;
1623 allow system_server binderfs_logs:dir r_dir_perms;
1624 allow system_server binderfs_logs_stats:file r_file_perms;
1628 allow system_server binderfs_logs_transactions:file r_file_perms;
1637 # Do not allow any domain other than init and system server to set the property
1648 allow system_server pre_reboot_dexopt_file:dir { getattr search };
1653 allow system_server system_server_tmpfs:file open;
1657 allow system_server postinstall:fifo_file read;
1661 allow system_server {
1669 # Do not allow any domain other than init or system server to get or set the property