| # |
| # Apps that run with the system UID, e.g. com.android.system.ui, |
| # com.android.settings. These are not as privileged as the system |
| # server. |
| # |
| type system_app, domain; |
| app_domain(system_app) |
| net_domain(system_app) |
| binder_service(system_app) |
| |
| # Read and write /data/data subdirectory. |
| allow system_app system_app_data_file:dir create_dir_perms; |
| allow system_app system_app_data_file:{ file lnk_file } create_file_perms; |
| |
| # Read /data/misc/keychain subdirectory. |
| allow system_app keychain_data_file:dir r_dir_perms; |
| allow system_app keychain_data_file:file r_file_perms; |
| |
| # Read and write to other system-owned /data directories, such as |
| # /data/system/cache and /data/misc/user. |
| allow system_app system_data_file:dir create_dir_perms; |
| allow system_app system_data_file:file create_file_perms; |
| allow system_app misc_user_data_file:dir create_dir_perms; |
| allow system_app misc_user_data_file:file create_file_perms; |
| # Audit writes to these directories and files so we can identify |
| # and possibly move these directories into their own type in the future. |
| auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename }; |
| auditallow system_app system_data_file:file { create setattr append write link unlink rename }; |
| |
| # Read wallpaper file. |
| allow system_app wallpaper_file:file r_file_perms; |
| |
| # Write to properties |
| unix_socket_connect(system_app, property, init) |
| allow system_app debug_prop:property_service set; |
| allow system_app net_radio_prop:property_service set; |
| allow system_app system_radio_prop:property_service set; |
| auditallow system_app net_radio_prop:property_service set; |
| auditallow system_app system_radio_prop:property_service set; |
| allow system_app system_prop:property_service set; |
| allow system_app ctl_bugreport_prop:property_service set; |
| allow system_app logd_prop:property_service set; |
| |
| # Create /data/anr/traces.txt. |
| allow system_app anr_data_file:dir ra_dir_perms; |
| allow system_app anr_data_file:file create_file_perms; |
| |
| # Settings need to access app name and icon from asec |
| allow system_app asec_apk_file:file r_file_perms; |
| |
| allow system_app mediaserver_service:service_manager find; |
| allow system_app nfc_service:service_manager find; |
| allow system_app radio_service:service_manager find; |
| allow system_app surfaceflinger_service:service_manager find; |
| allow system_app system_app_service:service_manager add; |
| allow system_app tmp_system_server_service:service_manager find; |
| allow system_app app_api_service:service_manager find; |
| allow system_app system_api_service:service_manager find; |
| |
| service_manager_local_audit_domain(system_app) |
| auditallow system_app { |
| tmp_system_server_service |
| -appwidget_service |
| -assetatlas_service |
| -audio_service |
| -backup_service |
| -bluetooth_manager_service |
| -connectivity_service |
| -content_service |
| -device_policy_service |
| -display_service |
| -dreams_service |
| -dropbox_service |
| -fingerprint_service |
| -graphicsstats_service |
| -input_method_service |
| -input_service |
| -lock_settings_service |
| -media_session_service |
| -mount_service |
| -netstats_service |
| -network_management_service |
| -network_score_service |
| -notification_service |
| -power_service |
| -print_service |
| -registry_service |
| -restrictions_service |
| -sensorservice_service |
| -textservices_service |
| -uimode_service |
| -usagestats_service |
| -usb_service |
| -user_service |
| -vibrator_service |
| -wifi_service |
| }:service_manager find; |
| |
| allow system_app keystore:keystore_key { |
| test |
| get |
| insert |
| delete |
| exist |
| saw |
| reset |
| password |
| lock |
| unlock |
| zero |
| sign |
| verify |
| grant |
| duplicate |
| clear_uid |
| }; |
| |
| control_logd(system_app) |