Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / 85708ec4f91fd70b215dc69e00b80e0e7a7d4686 / . / system_app.te
blob: 702c5563540422645da6416b169ed09e47977fc2 [file] [log] [blame]
Stephen Smalley8840fa72013-09-11 11:37:46 -0400[diff] [blame]1#
2# Apps that run with the system UID, e.g. com.android.system.ui,
3# com.android.settings. These are not as privileged as the system
4# server.
5#
6type system_app, domain;
Nick Kralevich623975f2014-01-11 01:31:03 -0800[diff] [blame]7permissive_or_unconfined(system_app)
Stephen Smalley8840fa72013-09-11 11:37:46 -0400[diff] [blame]8app_domain(system_app)
Stephen Smalley85708ec2014-02-24 10:48:03 -0500[diff] [blame^]9net_domain(system_app)
Nick Kralevich2e7a3012014-01-10 23:05:25 -0800[diff] [blame]10binder_service(system_app)
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]11
12# Perform binder IPC to any app domain.
13binder_call(system_app, appdomain)
14
15# Read and write system data files.
16# May want to split into separate types.
17allow system_app system_data_file:dir create_dir_perms;
18allow system_app system_data_file:file create_file_perms;
19
20# Read wallpaper file.
21allow system_app wallpaper_file:file r_file_perms;
22
23# Write to dalvikcache.
24allow system_app dalvikcache_data_file:file { write setattr };
25
26# Talk to keystore.
27unix_socket_connect(system_app, keystore, keystore)
28
29# Read SELinux enforcing status.
30selinux_getenforce(system_app)
31
32# Settings app reads sdcard for storage stats
33allow system_app sdcard_type:dir r_dir_perms;
34
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -0700[diff] [blame]35# Write to properties
Nick Kralevich3e780002013-12-10 16:40:49 -0800[diff] [blame]36unix_socket_connect(system_app, property, init)
37allow system_app debug_prop:property_service set;
38allow system_app radio_prop:property_service set;
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -0700[diff] [blame]39allow system_app system_prop:property_service set;