#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
# Every rule below applies to all apps labelled system_app, so each grant
# is the combined privilege of every system-UID app and should be reviewed
# as such.
#

# Declare the system_app type and tag it with the domain attribute.
type system_app, domain;
# The three macros below are defined outside this file; what they expand to
# cannot be seen from here.
# presumably: base app permissions, network access, and the ability to
# register as a binder service - confirm against the macro definitions.
app_domain(system_app)
net_domain(system_app)
binder_service(system_app)

# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
# The { file lnk_file } class set applies the same permission set to both
# regular files and symlinks.
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

# Read /data/misc/keychain subdirectory.
# Only the r_* permission sets are used here; no write rule for
# keychain_data_file appears in this file.
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;

# Read and write to other system-owned /data directories, such as
# /data/system/cache and /data/misc/user.
# NOTE(review): system_data_file looks like a shared, generic label - if so,
# the create perms here reach well beyond the two directories named above;
# confirm against the file_contexts for this build.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
# auditallow grants nothing by itself: it logs each use of the listed
# permissions that the allow rules above already permit. Only the
# modifying permissions are listed, so reads are not logged.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
auditallow system_app system_data_file:file { create setattr append write link unlink rename };

# Access to vold-mounted storage for measuring free space
# Directory search only; no file class and no read/write permission on
# mnt_media_rw_file is granted in this file.
allow system_app mnt_media_rw_file:dir search;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Write to properties
# set_prop is a macro defined outside this file; each call names one
# property type that system_app may set.
# NOTE(review): ctl_bugreport_prop presumably lets the app trigger the
# bugreport service through a control property - confirm the scope.
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, ctl_bugreport_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
# Log every set of the two radio property types (auditallow logs granted
# accesses, it does not grant them).
# presumably these two grants are being measured before removal - confirm.
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;

# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;

# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;

# Enumerate registered services and look them up by name.
# NOTE(review): service_manager_type is presumably an attribute carried by
# every service type - if so, the find rule lets system_app obtain a handle
# to any registered service; confirm, and narrow it if a shorter list of
# services is sufficient.
allow system_app servicemanager:service_manager list;
allow system_app service_manager_type:service_manager find;

# Keystore access.
# NOTE(review): besides per-key operations (get, insert, delete, sign,
# verify, ...) this list includes reset, password, lock, unlock, clear_uid
# and user_changed, which by their names look keystore-wide. Confirm that
# every system_app needs all of them; a compromise of any one system-UID
# app inherits the whole set.
allow system_app keystore:keystore_key {
    get_state
    get
    insert
    delete
    exist
    list
    reset
    password
    lock
    unlock
    is_empty
    sign
    verify
    grant
    duplicate
    clear_uid
    user_changed
};

# control_logd is a macro defined outside this file.
# presumably it lets the domain send control commands to logd - confirm.
control_logd(system_app)