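#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server. Note that the system UID is shared by several apps, so every
# rule in this domain is granted to all of them at once.
#
type system_app, domain;
app_domain(system_app)

# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)

# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Write to dalvikcache.
# NOTE(review): write+setattr on dalvikcache_data_file presumably lets a
# system-UID app alter optimized dex files that other processes later
# load; confirm which system app needs this and whether a narrower type
# or a dontaudit would do.
allow system_app dalvikcache_data_file:file { write setattr };

# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)

# Read SELinux enforcing status.
selinux_getenforce(system_app)

# The two booleans below gate rules that exist for a MAC administration
# app. They default to false: while manage_selinux is on, ANY app running
# with the system UID may switch the kernel to permissive mode and flip
# policy booleans, which neutralises every other rule in this policy.
# Enable them only on a development build (presumably via setsebool from
# a root shell), never in a shipping configuration.
bool manage_selinux false;
if (manage_selinux) {
# Set SELinux enforcing status.
selinux_setenforce(system_app)

# Set SELinux booleans.
selinux_setbool(system_app)

# Read syslog to display AVC messages.
allow system_app kernel:system syslog_read;
}

# Same caveat as manage_selinux. Also note that the property_service
# rule below grants set on every system_prop property, not only
# persist.mac_enforcing_mode.
bool manage_mac false;
if (manage_mac) {
# Set properties via the init property service.
unix_socket_connect(system_app, property, init)

# Set the persist.mac_enforcing_mode property.
allow system_app system_prop:property_service set;

# Run logcat and read the logs for MAC denials.
allow system_app system_file:file x_file_perms;
allow system_app log_device:chr_file read;
}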
54
#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
# Declared mlstrustedsubject, so MLS constraints do not apply to it.
#
type system, domain, mlstrustedsubject;

# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;

# system server gets network and bluetooth permissions.
net_domain(system)
bluetooth_domain(system)

# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
# NOTE(review): sys_module together with the module_request rule below
# means this domain can both trigger and perform kernel module loading;
# sys_boot and sys_time are likewise not obviously needed by a framework
# process - worth auditing against actual AVC logs.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };

# Trigger module auto-load.
allow system kernel:system module_request;

# Use netlink uevent sockets.
allow system self:netlink_kobject_uevent_socket *;

# Kill apps.
allow system appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system appdomain:process setsched;

# Read and write /proc/<pid> data for apps. Note that the second rule
# grants rw_file_perms, not just read (presumably for writing per-app
# /proc/<pid> tunables such as oom_adj - confirm against callers).
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;

# Write to /proc/net/xt_qtaguid/ctrl.
allow system qtaguid_proc:file rw_file_perms;
allow system qtaguid_device:chr_file rw_file_perms;

# Notify init of death.
allow system init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Transfer other Binder references.
binder_transfer(system, binderservicedomain)
binder_transfer(system, appdomain)

# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;

# Specify any arguments to zygote.
allow system self:zygote *;

# Check SELinux permissions.
selinux_check_access(system)

# XXX Label sysfs files with a specific type?
# NOTE(review): rw on the generic sysfs type covers every sysfs node
# that has not been given its own label; the nfc_power rule below shows
# the intended pattern for narrowing this.
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;

# Access devices.
# NOTE(review): the rw rule on the generic device type applies to any
# device node without a more specific label, so the per-device rules
# that follow only add coverage for nodes that already have their own
# type. Audit which unlabeled nodes are actually needed.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
allow system device:sock_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;

# Manage data files.
# NOTE(review): data_file_type is the attribute covering every labeled
# type under /data, so this is full create/write access to all app and
# system data, not just the system server's own.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;

# Read /file_contexts.
allow system rootfs:file r_file_perms;

# Relabel apk files. Both directions are allowed for both types, so the
# server can also move an apk back from apk_data_file to apk_tmp_file.
allow system apk_tmp_file:file { relabelfrom relabelto };
allow system apk_data_file:file { relabelfrom relabelto };

# Relabel wallpaper.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file rw_file_perms;

# Property Service write
allow system system_prop:property_service set;
allow system radio_prop:property_service set;

# ctl interface
allow system ctl_default_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;

# Manage cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;

# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;

# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
# NOTE(review): "domain" is every process type in the policy; this
# exposes /proc/<pid> of all domains to the system server.
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system gps_device:chr_file rw_file_perms;
allow system gps_control:file rw_file_perms;

# Read/write udp sockets of app domains. The rule targets the appdomain
# attribute, i.e. all app domains, not only untrusted_app.
allow system appdomain:udp_socket { read write };
# Allow abstract socket connection
allow system rild:unix_stream_socket connectto;