| ### |
| ### Apps signed with the platform key. |
| ### |
| |
| type platform_app, domain; |
| permissive platform_app; |
| app_domain(platform_app) |
| platform_app_domain(platform_app) |
| # Access the network. |
| net_domain(platform_app) |
| # Access bluetooth. |
| bluetooth_domain(platform_app) |
| # Write to /cache. |
| allow platform_app cache_file:dir rw_dir_perms; |
| allow platform_app cache_file:file create_file_perms; |
| # Read from /data/local. |
| allow platform_app shell_data_file:dir search; |
| allow platform_app shell_data_file:file { open getattr read }; |
| allow platform_app shell_data_file:lnk_file read; |
| # Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files |
| # created by system server. |
| allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms; |
| allow platform_app apk_private_data_file:dir search; |
| # ASEC |
| allow platform_app asec_apk_file:dir create_dir_perms; |
| allow platform_app asec_apk_file:file create_file_perms; |
| # Access download files. |
| allow platform_app download_file:file rw_file_perms; |
| # Allow BackupManagerService to backup all app domains |
| allow platform_app appdomain:fifo_file write; |
| |
| # |
| # Rules for all platform app domains. |
| # |
| |
| # App sandbox file accesses. |
| allow platformappdomain platform_app_data_file:dir create_dir_perms; |
| allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms; |
| # App sdcard file accesses |
| allow platformappdomain sdcard_type:dir create_dir_perms; |
| allow platformappdomain sdcard_type:file create_file_perms; |