Home | History | Annotate | Download | only in sepolicy 
      1 #
      2 # Apps that run with the system UID, e.g. com.android.system.ui,
      3 # com.android.settings.  These are not as privileged as the system
      4 # server.
      5 #
      6 type system_app, domain;
      7 app_domain(system_app)
      8 net_domain(system_app)
      9 binder_service(system_app)
     10 
     11 # Read and write /data/data subdirectory.
     12 allow system_app system_app_data_file:dir create_dir_perms;
     13 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
     14 
     15 # Read /data/misc/keychain subdirectory.
     16 allow system_app keychain_data_file:dir r_dir_perms;
     17 allow system_app keychain_data_file:file r_file_perms;
     18 
     19 # Read and write to other system-owned /data directories, such as
     20 # /data/system/cache and /data/misc/user.
     21 allow system_app system_data_file:dir create_dir_perms;
     22 allow system_app system_data_file:file create_file_perms;
     23 allow system_app misc_user_data_file:dir create_dir_perms;
     24 allow system_app misc_user_data_file:file create_file_perms;
     25 # Audit writes to these directories and files so we can identify
     26 # and possibly move these directories into their own type in the future.
     27 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
     28 auditallow system_app system_data_file:file { create setattr append write link unlink rename };
     29 
     30 # Access to vold-mounted storage for measuring free space
     31 allow system_app mnt_media_rw_file:dir search;
     32 
     33 # Read wallpaper file.
     34 allow system_app wallpaper_file:file r_file_perms;
     35 
     36 # Write to properties
     37 set_prop(system_app, debug_prop)
     38 set_prop(system_app, system_prop)
     39 set_prop(system_app, ctl_bugreport_prop)
     40 set_prop(system_app, logd_prop)
     41 set_prop(system_app, net_radio_prop)
     42 set_prop(system_app, system_radio_prop)
     43 auditallow system_app net_radio_prop:property_service set;
     44 auditallow system_app system_radio_prop:property_service set;
     45 
     46 # Create /data/anr/traces.txt.
     47 allow system_app anr_data_file:dir ra_dir_perms;
     48 allow system_app anr_data_file:file create_file_perms;
     49 
     50 # Settings need to access app name and icon from asec
     51 allow system_app asec_apk_file:file r_file_perms;
     52 
     53 allow system_app servicemanager:service_manager list;
     54 allow system_app service_manager_type:service_manager find;
     55 
     56 allow system_app keystore:keystore_key {
     57 	get_state
     58 	get
     59 	insert
     60 	delete
     61 	exist
     62 	list
     63 	reset
     64 	password
     65 	lock
     66 	unlock
     67 	is_empty
     68 	sign
     69 	verify
     70 	grant
     71 	duplicate
     72 	clear_uid
     73 	user_changed
     74 };
     75 
     76 control_logd(system_app)
     77