| # |
| # Apps that run with the system UID, e.g. com.android.system.ui, |
| # com.android.settings. These are not as privileged as the system |
| # server. |
| # |
| type system_app, domain; |
| permissive system_app; |
| app_domain(system_app) |
| |
| # Perform binder IPC to any app domain. |
| binder_call(system_app, appdomain) |
| |
| # Read and write system data files. |
| # May want to split into separate types. |
| allow system_app system_data_file:dir create_dir_perms; |
| allow system_app system_data_file:file create_file_perms; |
| |
| # Read wallpaper file. |
| allow system_app wallpaper_file:file r_file_perms; |
| |
| # Write to dalvikcache. |
| allow system_app dalvikcache_data_file:file { write setattr }; |
| |
| # Talk to keystore. |
| unix_socket_connect(system_app, keystore, keystore) |
| |
| # Read SELinux enforcing status. |
| selinux_getenforce(system_app) |
| |
| # Settings app reads sdcard for storage stats |
| allow system_app sdcard_type:dir r_dir_perms; |
| |
| # Allow settings app to read from asec |
| allow system_app asec_apk_file:dir search; |
| allow system_app asec_apk_file:file r_file_perms; |
| |
| # Write to properties |
| allow system_app system_prop:property_service set; |