Home | History | Annotate | Download | only in sepolicy 
      1 #
      2 # Apps that run with the system UID, e.g. com.android.system.ui,
      3 # com.android.settings.  These are not as privileged as the system
      4 # server.
      5 #
      6 type system_app, domain, domain_deprecated;
      7 app_domain(system_app)
      8 net_domain(system_app)
      9 binder_service(system_app)
     10 
     11 # Read and write /data/data subdirectory.
     12 allow system_app system_app_data_file:dir create_dir_perms;
     13 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
     14 
     15 # Read and write to /data/misc/user.
     16 allow system_app misc_user_data_file:dir create_dir_perms;
     17 allow system_app misc_user_data_file:file create_file_perms;
     18 
     19 # Access to vold-mounted storage for measuring free space
     20 allow system_app mnt_media_rw_file:dir search;
     21 
     22 # Read wallpaper file.
     23 allow system_app wallpaper_file:file r_file_perms;
     24 
     25 # Read icon file.
     26 allow system_app icon_file:file r_file_perms;
     27 
     28 # Write to properties
     29 set_prop(system_app, debug_prop)
     30 set_prop(system_app, system_prop)
     31 set_prop(system_app, logd_prop)
     32 set_prop(system_app, net_radio_prop)
     33 set_prop(system_app, system_radio_prop)
     34 set_prop(system_app, log_tag_prop)
     35 userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
     36 auditallow system_app net_radio_prop:property_service set;
     37 auditallow system_app system_radio_prop:property_service set;
     38 
     39 # ctl interface
     40 set_prop(system_app, ctl_default_prop)
     41 set_prop(system_app, ctl_bugreport_prop)
     42 
     43 # Create /data/anr/traces.txt.
     44 allow system_app anr_data_file:dir ra_dir_perms;
     45 allow system_app anr_data_file:file create_file_perms;
     46 
     47 # Settings need to access app name and icon from asec
     48 allow system_app asec_apk_file:file r_file_perms;
     49 
     50 allow system_app servicemanager:service_manager list;
     51 allow system_app { service_manager_type -netd_service }:service_manager find;
     52 
     53 allow system_app keystore:keystore_key {
     54 	get_state
     55 	get
     56 	insert
     57 	delete
     58 	exist
     59 	list
     60 	reset
     61 	password
     62 	lock
     63 	unlock
     64 	is_empty
     65 	sign
     66 	verify
     67 	grant
     68 	duplicate
     69 	clear_uid
     70 	user_changed
     71 };
     72 
     73 # /sys access
     74 allow system_app sysfs_zram:dir search;
     75 allow system_app sysfs_zram:file r_file_perms;
     76 
     77 control_logd(system_app)
     78