Stephen Smalley | 8840fa7 | 2013-09-11 11:37:46 -0400 | [diff] [blame] | 1 | # |
| 2 | # Apps that run with the system UID, e.g. com.android.system.ui, |
| 3 | # com.android.settings. These are not as privileged as the system |
| 4 | # server. |
| 5 | # |
| 6 | type system_app, domain; |
Stephen Smalley | 8840fa7 | 2013-09-11 11:37:46 -0400 | [diff] [blame] | 7 | app_domain(system_app) |
Stephen Smalley | 85708ec | 2014-02-24 10:48:03 -0500 | [diff] [blame] | 8 | net_domain(system_app) |
Nick Kralevich | 2e7a301 | 2014-01-10 23:05:25 -0800 | [diff] [blame] | 9 | binder_service(system_app) |
Stephen Smalley | 5637099 | 2013-10-23 13:12:55 -0400 | [diff] [blame] | 10 | |
Stephen Smalley | 91a4f8d | 2014-05-07 13:10:02 -0400 | [diff] [blame] | 11 | # Read and write /data/data subdirectory. |
| 12 | allow system_app system_app_data_file:dir create_dir_perms; |
| 13 | allow system_app system_app_data_file:file create_file_perms; |
Stephen Smalley | 5637099 | 2013-10-23 13:12:55 -0400 | [diff] [blame] | 14 | |
Stephen Smalley | f1ea707 | 2014-05-27 14:23:32 -0400 | [diff] [blame] | 15 | # Read and write to other system-owned /data directories, such as |
| 16 | # /data/system/cache and /data/misc/keychain. |
| 17 | allow system_app system_data_file:dir create_dir_perms; |
| 18 | allow system_app system_data_file:file create_file_perms; |
| 19 | # Audit writes to these directories and files so we can identify |
| 20 | # and possibly move these directories into their own type in the future. |
| 21 | auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename }; |
| 22 | auditallow system_app system_data_file:file { create setattr append write link unlink rename }; |
| 23 | |
Stephen Smalley | 5637099 | 2013-10-23 13:12:55 -0400 | [diff] [blame] | 24 | # Read wallpaper file. |
| 25 | allow system_app wallpaper_file:file r_file_perms; |
| 26 | |
| 27 | # Write to dalvikcache. |
| 28 | allow system_app dalvikcache_data_file:file { write setattr }; |
| 29 | |
Nick Kralevich | dd1ec6d | 2013-11-01 10:45:03 -0700 | [diff] [blame] | 30 | # Write to properties |
Nick Kralevich | 3e78000 | 2013-12-10 16:40:49 -0800 | [diff] [blame] | 31 | unix_socket_connect(system_app, property, init) |
| 32 | allow system_app debug_prop:property_service set; |
| 33 | allow system_app radio_prop:property_service set; |
Nick Kralevich | dd1ec6d | 2013-11-01 10:45:03 -0700 | [diff] [blame] | 34 | allow system_app system_prop:property_service set; |
Stephen Smalley | 1c0c010 | 2014-03-06 14:47:22 -0500 | [diff] [blame] | 35 | allow system_app ctl_bugreport_prop:property_service set; |
Mark Salyzyn | 9e7bbf6 | 2014-06-12 12:47:22 -0700 | [diff] [blame^] | 36 | allow system_app logd_prop:property_service set; |
Stephen Smalley | 1c0c010 | 2014-03-06 14:47:22 -0500 | [diff] [blame] | 37 | |
| 38 | # Create /data/anr/traces.txt. |
| 39 | allow system_app anr_data_file:dir ra_dir_perms; |
| 40 | allow system_app anr_data_file:file create_file_perms; |
Mark Salyzyn | c52d738 | 2014-05-09 17:47:19 -0700 | [diff] [blame] | 41 | |
| 42 | control_logd(system_app) |