Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / 1196d2a5763c9a99be99ba81a4a29d938a83cc06 / . / system_app.te
blob: 324d74ee69e68be9b39174f4b7603f7b6267cd68 [file] [log] [blame]
Stephen Smalley8840fa72013-09-11 11:37:46 -0400[diff] [blame]1#
2# Apps that run with the system UID, e.g. com.android.system.ui,
3# com.android.settings. These are not as privileged as the system
4# server.
5#
6type system_app, domain;
Stephen Smalley8840fa72013-09-11 11:37:46 -0400[diff] [blame]7app_domain(system_app)
Stephen Smalley85708ec2014-02-24 10:48:03 -0500[diff] [blame]8net_domain(system_app)
Nick Kralevich2e7a3012014-01-10 23:05:25 -0800[diff] [blame]9binder_service(system_app)
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]10
Stephen Smalley91a4f8d2014-05-07 13:10:02 -0400[diff] [blame]11# Read and write /data/data subdirectory.
12allow system_app system_app_data_file:dir create_dir_perms;
13allow system_app system_app_data_file:file create_file_perms;
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]14
Stephen Smalleyf1ea7072014-05-27 14:23:32 -0400[diff] [blame]15# Read and write to other system-owned /data directories, such as
16# /data/system/cache and /data/misc/keychain.
17allow system_app system_data_file:dir create_dir_perms;
18allow system_app system_data_file:file create_file_perms;
19# Audit writes to these directories and files so we can identify
20# and possibly move these directories into their own type in the future.
21auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
22auditallow system_app system_data_file:file { create setattr append write link unlink rename };
23
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]24# Read wallpaper file.
25allow system_app wallpaper_file:file r_file_perms;
26
27# Write to dalvikcache.
28allow system_app dalvikcache_data_file:file { write setattr };
29
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -0700[diff] [blame]30# Write to properties
Nick Kralevich3e780002013-12-10 16:40:49 -0800[diff] [blame]31unix_socket_connect(system_app, property, init)
32allow system_app debug_prop:property_service set;
Stephen Smalleyfee49152014-06-19 10:27:02 -0400[diff] [blame]33allow system_app net_radio_prop:property_service set;
34allow system_app system_radio_prop:property_service set;
35auditallow system_app net_radio_prop:property_service set;
36auditallow system_app system_radio_prop:property_service set;
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -0700[diff] [blame]37allow system_app system_prop:property_service set;
Stephen Smalley1c0c0102014-03-06 14:47:22 -0500[diff] [blame]38allow system_app ctl_bugreport_prop:property_service set;
Mark Salyzyn9e7bbf62014-06-12 12:47:22 -0700[diff] [blame]39allow system_app logd_prop:property_service set;
Stephen Smalley1c0c0102014-03-06 14:47:22 -0500[diff] [blame]40
41# Create /data/anr/traces.txt.
42allow system_app anr_data_file:dir ra_dir_perms;
43allow system_app anr_data_file:file create_file_perms;
Mark Salyzync52d7382014-05-09 17:47:19 -0700[diff] [blame]44
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame^]45allow system_app keystore:keystore_key {
46 test
47 get
48 insert
49 delete
50 exist
51 saw
52 reset
53 password
54 lock
55 unlock
56 zero
57 sign
58 verify
59 grant
60 duplicate
61 clear_uid
62};
63
64auditallow system_app keystore:keystore_key {
65 test
66 get
67 insert
68 delete
69 exist
70 reset
71 password
72 lock
73 unlock
74 sign
75 verify
76 grant
77 duplicate
78 clear_uid
79};
80
Mark Salyzync52d7382014-05-09 17:47:19 -0700[diff] [blame]81control_logd(system_app)