      1 #
      2 # Apps that run with the system UID, e.g. com.android.system.ui,
      3 # com.android.settings.  These are not as privileged as the system
      4 # server.
      5 #
      6 type system_app, domain;
      7 app_domain(system_app)
      8 net_domain(system_app)
      9 binder_service(system_app)
     10 
     11 # Read and write /data/data subdirectory.
     12 allow system_app system_app_data_file:dir create_dir_perms;
     13 allow system_app system_app_data_file:file create_file_perms;
     14 
     15 # Read /data/misc/keychain subdirectory.
     16 allow system_app keychain_data_file:dir r_dir_perms;
     17 allow system_app keychain_data_file:file r_file_perms;
     18 
     19 # Read and write to other system-owned /data directories, such as
     20 # /data/system/cache and /data/misc/user.
     21 allow system_app system_data_file:dir create_dir_perms;
     22 allow system_app system_data_file:file create_file_perms;
     23 allow system_app misc_user_data_file:dir create_dir_perms;
     24 allow system_app misc_user_data_file:file create_file_perms;
     25 # Audit writes to these directories and files so we can identify
     26 # and possibly move these directories into their own type in the future.
     27 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
     28 auditallow system_app system_data_file:file { create setattr append write link unlink rename };
     29 
     30 # Read wallpaper file.
     31 allow system_app wallpaper_file:file r_file_perms;
     32 
     33 # Write to properties
     34 unix_socket_connect(system_app, property, init)
     35 allow system_app debug_prop:property_service set;
     36 allow system_app net_radio_prop:property_service set;
     37 allow system_app system_radio_prop:property_service set;
     38 auditallow system_app net_radio_prop:property_service set;
     39 auditallow system_app system_radio_prop:property_service set;
     40 allow system_app system_prop:property_service set;
     41 allow system_app ctl_bugreport_prop:property_service set;
     42 allow system_app logd_prop:property_service set;
     43 
     44 # Create /data/anr/traces.txt.
     45 allow system_app anr_data_file:dir ra_dir_perms;
     46 allow system_app anr_data_file:file create_file_perms;
     47 
     48 # Settings need to access app name and icon from asec
     49 allow system_app asec_apk_file:file r_file_perms;
     50 
     51 allow system_app system_app_service:service_manager add;
     52 
     53 allow system_app keystore:keystore_key {
     54 	test
     55 	get
     56 	insert
     57 	delete
     58 	exist
     59 	saw
     60 	reset
     61 	password
     62 	lock
     63 	unlock
     64 	zero
     65 	sign
     66 	verify
     67 	grant
     68 	duplicate
     69 	clear_uid
     70 };
     71 
     72 control_logd(system_app)
     73