Home | History | Annotate | Download | only in etc 
      1 <?xml version="1.0" encoding="utf-8"?>
      2 <!-- Copyright (C) 2008 The Android Open Source Project
      3 
      4      Licensed under the Apache License, Version 2.0 (the "License");
      5      you may not use this file except in compliance with the License.
      6      You may obtain a copy of the License at
      7 
      8           http://www.apache.org/licenses/LICENSE-2.0
      9 
     10      Unless required by applicable law or agreed to in writing, software
     11      distributed under the License is distributed on an "AS IS" BASIS,
     12      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13      See the License for the specific language governing permissions and
     14      limitations under the License.
     15 -->
     16 
     17 <!-- This file is used to define the mappings between lower-level system
     18      user and group IDs and the higher-level permission names managed
     19      by the platform.
     20 
     21      Be VERY careful when editing this file!  Mistakes made here can open
     22      big security holes.
     23 -->
     24 <permissions>
     25 
     26     <!-- ================================================================== -->
     27     <!-- ================================================================== -->
     28     <!-- ================================================================== -->
     29 
     30     <!-- The following tags are associating low-level group IDs with
     31          permission names.  By specifying such a mapping, you are saying
     32          that any application process granted the given permission will
     33          also be running with the given group ID attached to its process,
     34          so it can perform any filesystem (read, write, execute) operations
     35          allowed for that group. -->
     36 
     37     <permission name="android.permission.BLUETOOTH_ADMIN" >
     38         <group gid="net_bt_admin" />
     39     </permission>
     40 
     41     <permission name="android.permission.BLUETOOTH" >
     42         <group gid="net_bt" />
     43     </permission>
     44 
     45     <permission name="android.permission.BLUETOOTH_STACK" >
     46         <group gid="net_bt_stack" />
     47         <group gid="wakelock" />
     48     </permission>
     49 
     50     <permission name="android.permission.NET_TUNNELING" >
     51         <group gid="vpn" />
     52     </permission>
     53 
     54     <permission name="android.permission.INTERNET" >
     55         <group gid="inet" />
     56     </permission>
     57 
     58     <permission name="android.permission.READ_LOGS" >
     59         <group gid="log" />
     60     </permission>
     61 
     62     <permission name="android.permission.WRITE_MEDIA_STORAGE" >
     63         <group gid="media_rw" />
     64         <group gid="sdcard_rw" />
     65     </permission>
     66 
     67     <permission name="android.permission.ACCESS_MTP" >
     68         <group gid="mtp" />
     69     </permission>
     70 
     71     <permission name="android.permission.NET_ADMIN" >
     72         <group gid="net_admin" />
     73     </permission>
     74 
     75     <!-- The group that /cache belongs to, linked to the permission
     76          set on the applications that can access /cache -->
     77     <permission name="android.permission.ACCESS_CACHE_FILESYSTEM" >
     78         <group gid="cache" />
     79     </permission>
     80 
     81     <!-- RW permissions to any system resources owned by group 'diag'.
     82          This is for carrier and manufacture diagnostics tools that must be
     83          installable from the framework. Be careful. -->
     84     <permission name="android.permission.DIAGNOSTIC" >
     85         <group gid="input" />
     86         <group gid="diag" />
     87     </permission>
     88 
     89     <!-- Group that can read detailed network usage statistics -->
     90     <permission name="android.permission.READ_NETWORK_USAGE_HISTORY">
     91         <group gid="net_bw_stats" />
     92     </permission>
     93 
     94     <!-- Group that can modify how network statistics are accounted -->
     95     <permission name="android.permission.MODIFY_NETWORK_ACCOUNTING">
     96         <group gid="net_bw_acct" />
     97     </permission>
     98 
     99     <permission name="android.permission.LOOP_RADIO" >
    100         <group gid="loop_radio" />
    101     </permission>
    102 
    103     <!-- Hotword training apps sometimes need a GID to talk with low-level
    104          hardware; give them audio for now until full HAL support is added. -->
    105     <permission name="android.permission.MANAGE_VOICE_KEYPHRASES">
    106         <group gid="audio" />
    107     </permission>
    108 
    109     <permission name="android.permission.ACCESS_FM_RADIO" >
    110         <!-- /dev/fm is gid media, not audio -->
    111         <group gid="media" />
    112     </permission>
    113 
    114     <!-- These are permissions that were mapped to gids but we need
    115          to keep them here until an upgrade from L to the current
    116          version is to be supported. These permissions are built-in
    117          and in L were not stored in packages.xml as a result if they
    118          are not defined here while parsing packages.xml we would
    119          ignore these permissions being granted to apps and not
    120          propagate the granted state. From N we are storing the
    121          built-in permissions in packages.xml as the saved storage
    122          is negligible (one tag with the permission) compared to
    123          the fragility as one can remove a built-in permission which
    124          no longer needs to be mapped to gids and break grant propagation. -->
    125     <permission name="android.permission.READ_EXTERNAL_STORAGE" />
    126     <permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
    127 
    128     <!-- ================================================================== -->
    129     <!-- ================================================================== -->
    130     <!-- ================================================================== -->
    131 
    132     <!-- The following tags are assigning high-level permissions to specific
    133          user IDs.  These are used to allow specific core system users to
    134          perform the given operations with the higher-level framework.  For
    135          example, we give a wide variety of permissions to the shell user
    136          since that is the user the adb shell runs under and developers and
    137          others should have a fairly open environment in which to
    138          interact with the system. -->
    139 
    140     <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="media" />
    141     <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="media" />
    142     <assign-permission name="android.permission.WAKE_LOCK" uid="media" />
    143     <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="media" />
    144     <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="media" />
    145     <assign-permission name="android.permission.GET_PROCESS_STATE_AND_OOM_SCORE" uid="media" />
    146 
    147     <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="audioserver" />
    148     <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="audioserver" />
    149     <assign-permission name="android.permission.WAKE_LOCK" uid="audioserver" />
    150     <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="audioserver" />
    151     <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="audioserver" />
    152 
    153     <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="cameraserver" />
    154     <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="cameraserver" />
    155     <assign-permission name="android.permission.WAKE_LOCK" uid="cameraserver" />
    156     <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="cameraserver" />
    157     <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="cameraserver" />
    158 
    159     <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="graphics" />
    160 
    161     <!-- This is a list of all the libraries available for application
    162          code to link against. -->
    163 
    164     <library name="android.test.runner"
    165             file="/system/framework/android.test.runner.jar" />
    166     <library name="javax.obex"
    167             file="/system/framework/javax.obex.jar" />
    168     <library name="org.apache.http.legacy"
    169             file="/system/framework/org.apache.http.legacy.jar" />
    170 
    171     <!-- These are the standard packages that are white-listed to always have internet
    172          access while in power save mode, even if they aren't in the foreground. -->
    173     <allow-in-power-save package="com.android.providers.downloads" />
    174 
    175     <!-- These are the standard packages that are white-listed to always have internet
    176          access while in data mode, even if they aren't in the foreground. -->
    177     <allow-in-data-usage-save package="com.android.providers.downloads" />
    178 
    179     <!-- These are the packages that are white-listed to be able to run as system user -->
    180     <system-user-whitelisted-app package="com.android.settings" />
    181 
    182     <!-- These are the packages that shouldn't run as system user -->
    183     <system-user-blacklisted-app package="com.android.wallpaper.livepicker" />
    184 </permissions>
    185