| # |
| # Apps that run with the system UID, e.g. com.android.system.ui, |
| # com.android.settings. These are not as privileged as the system |
| # server. |
| # |
| type system_app, domain; |
| permissive_or_unconfined(system_app) |
| app_domain(system_app) |
| net_domain(system_app) |
| binder_service(system_app) |
| |
| # Read and write /data/data subdirectory. |
| allow system_app system_app_data_file:dir create_dir_perms; |
| allow system_app system_app_data_file:file create_file_perms; |
| |
| # Read and write to other system-owned /data directories, such as |
| # /data/system/cache and /data/misc/keychain. |
| allow system_app system_data_file:dir create_dir_perms; |
| allow system_app system_data_file:file create_file_perms; |
| # Audit writes to these directories and files so we can identify |
| # and possibly move these directories into their own type in the future. |
| auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename }; |
| auditallow system_app system_data_file:file { create setattr append write link unlink rename }; |
| |
| # Read wallpaper file. |
| allow system_app wallpaper_file:file r_file_perms; |
| |
| # Write to dalvikcache. |
| allow system_app dalvikcache_data_file:file { write setattr }; |
| |
| # Write to properties |
| unix_socket_connect(system_app, property, init) |
| allow system_app debug_prop:property_service set; |
| allow system_app radio_prop:property_service set; |
| allow system_app system_prop:property_service set; |
| allow system_app ctl_bugreport_prop:property_service set; |
| |
| # Create /data/anr/traces.txt. |
| allow system_app anr_data_file:dir ra_dir_perms; |
| allow system_app anr_data_file:file create_file_perms; |
| |
| control_logd(system_app) |