system_app.te - LeafOS-Project/android_system_sepolicy - Gitiles

 #
 # Apps that run with the system UID, e.g. com.android.system.ui,
 # com.android.settings.  These are not as privileged as the system
 # server.
 #
 type system_app, domain;
 app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)

 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

 # Read /data/misc/keychain subdirectory.
 allow system_app keychain_data_file:dir r_dir_perms;
 allow system_app keychain_data_file:file r_file_perms;

 # Read and write to other system-owned /data directories, such as
 # /data/system/cache and /data/misc/user.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
 # Audit writes to these directories and files so we can identify
 # and possibly move these directories into their own type in the future.
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
 auditallow system_app system_data_file:file { create setattr append write link unlink rename };

 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;

 # Write to properties
 set_prop(system_app, debug_prop)
 set_prop(system_app, system_prop)
 set_prop(system_app, ctl_bugreport_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
 set_prop(system_app, system_radio_prop)
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;

 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;

 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;

 allow system_app servicemanager:service_manager list;
 allow system_app service_manager_type:service_manager find;

 allow system_app keystore:keystore_key {
 	get_state
 	get
 	insert
 	delete
 	exist
 	list
 	reset
 	password
 	lock
 	unlock
 	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
 	user_changed
 };

 control_logd(system_app)
	#
	# Apps that run with the system UID, e.g. com.android.system.ui,
	# com.android.settings. These are not as privileged as the system
	# server.
	#
	type system_app, domain;
	app_domain(system_app)
	net_domain(system_app)
	binder_service(system_app)

	# Read and write /data/data subdirectory.
	allow system_app system_app_data_file:dir create_dir_perms;
	allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

	# Read /data/misc/keychain subdirectory.
	allow system_app keychain_data_file:dir r_dir_perms;
	allow system_app keychain_data_file:file r_file_perms;

	# Read and write to other system-owned /data directories, such as
	# /data/system/cache and /data/misc/user.
	allow system_app system_data_file:dir create_dir_perms;
	allow system_app system_data_file:file create_file_perms;
	allow system_app misc_user_data_file:dir create_dir_perms;
	allow system_app misc_user_data_file:file create_file_perms;
	# Audit writes to these directories and files so we can identify
	# and possibly move these directories into their own type in the future.
	auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
	auditallow system_app system_data_file:file { create setattr append write link unlink rename };

	# Read wallpaper file.
	allow system_app wallpaper_file:file r_file_perms;

	# Write to properties
	set_prop(system_app, debug_prop)
	set_prop(system_app, system_prop)
	set_prop(system_app, ctl_bugreport_prop)
	set_prop(system_app, logd_prop)
	set_prop(system_app, net_radio_prop)
	set_prop(system_app, system_radio_prop)
	auditallow system_app net_radio_prop:property_service set;
	auditallow system_app system_radio_prop:property_service set;

	# Create /data/anr/traces.txt.
	allow system_app anr_data_file:dir ra_dir_perms;
	allow system_app anr_data_file:file create_file_perms;

	# Settings need to access app name and icon from asec
	allow system_app asec_apk_file:file r_file_perms;

	allow system_app servicemanager:service_manager list;
	allow system_app service_manager_type:service_manager find;

	allow system_app keystore:keystore_key {
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	user_changed
	};

	control_logd(system_app)