Blame - system.te - fp2-dev/platform/external/sepolicy

blob: 6389b0ee168d719688916c68233ba97fac4495f8 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Apps that run with the system UID, e.g. com.android.system.ui,
				3	# com.android.settings. These are not as privileged as the system
				4	# server.
				5	#
				6	type system_app, domain;
				7	app_domain(system_app)
				8
				9	# Perform binder IPC to any app domain.
				10	binder_call(system_app, appdomain)
				11	binder_transfer(system_app, appdomain)
				12
				13	# Read and write system data files.
				14	# May want to split into separate types.
				15	allow system_app system_data_file:dir create_dir_perms;
				16	allow system_app system_data_file:file create_file_perms;
				17
Stephen Smalley	f6cbbe2	2012-03-19 10:29:36 -0400	[diff] [blame]	18	# Read wallpaper file.
				19	allow system_app wallpaper_file:file r_file_perms;
				20
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	21	# Write to dalvikcache.
				22	allow system_app dalvikcache_data_file:file { write setattr };
				23
				24	# Talk to keystore.
				25	unix_socket_connect(system_app, keystore, keystore)
				26
				27	# Read SELinux enforcing status.
				28	selinux_getenforce(system_app)
				29
Stephen Smalley	4c6f1ce	2012-02-02 13:28:44 -0500	[diff] [blame]	30	bool settings_manage_selinux true;
				31	if (settings_manage_selinux) {
				32	# Allow settings app to set SELinux to enforcing
				33	selinux_setenforce(system_app)
				34
				35	# Allow settings app to set SELinux booleans
				36	selinux_setbool(system_app)
James Carter	a83fc37	2012-04-13 13:35:21 -0400	[diff] [blame^]	37
				38	# Allow settings app to read syslog to display AVC messages
				39	allow system_app kernel:system syslog_read;
				40
Stephen Smalley	4c6f1ce	2012-02-02 13:28:44 -0500	[diff] [blame]	41	}
				42
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	43	#
				44	# System Server aka system_server spawned by zygote.
				45	# Most of the framework services run in this process.
				46	#
				47	type system, domain, mlstrustedsubject;
				48
				49	# Child of the zygote.
				50	allow system zygote:fd use;
				51	allow system zygote:process sigchld;
				52	allow system zygote_tmpfs:file read;
				53
				54	# system server gets network and bluetooth permissions.
				55	net_domain(system)
				56	bluetooth_domain(system)
				57
				58	# These are the capabilities assigned by the zygote to the
				59	# system server.
				60	# XXX See if we can remove some of these.
				61	allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
				62
				63	# Use netlink uevent sockets.
				64	allow system self:netlink_kobject_uevent_socket *;
				65
				66	# Kill apps.
				67	allow system appdomain:process { sigkill signal };
				68
Stephen Smalley	0d76f4e	2012-01-10 13:21:28 -0500	[diff] [blame]	69	# Set scheduling info for apps.
				70	allow system appdomain:process setsched;
				71
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	72	# Read /proc data for apps.
				73	allow system appdomain:dir r_dir_perms;
				74	allow system appdomain:{ file lnk_file } rw_file_perms;
				75
				76	# Write to /proc/net/xt_qtaguid/ctrl.
				77	# XXX Split /proc/net into its own type.
				78	allow system proc:file write;
				79
				80	# Notify init of death.
				81	allow system init:process sigchld;
				82
				83	# Talk to init and various daemons via sockets.
				84	unix_socket_connect(system, property, init)
				85	unix_socket_connect(system, qemud, qemud)
				86	unix_socket_connect(system, installd, installd)
				87	unix_socket_connect(system, netd, netd)
				88	unix_socket_connect(system, vold, vold)
				89	unix_socket_connect(system, zygote, zygote)
				90	unix_socket_connect(system, keystore, keystore)
				91	unix_socket_connect(system, dbus, dbusd)
				92	unix_socket_connect(system, gps, gpsd)
				93	unix_socket_connect(system, bluetooth, bluetoothd)
				94	unix_socket_send(system, wpa, wpa)
				95
				96	# Perform Binder IPC.
				97	tmpfs_domain(system)
				98	binder_use(system)
				99	binder_call(system, binderservicedomain)
				100	binder_call(system, appdomain)
				101	binder_service(system)
				102	# Transfer other Binder references.
				103	binder_transfer(system, binderservicedomain)
				104	binder_transfer(system, appdomain)
				105
				106	# Read /proc/pid files for Binder clients.
				107	r_dir_file(system, appdomain)
				108	r_dir_file(system, mediaserver)
				109	allow system appdomain:process getattr;
				110	allow system mediaserver:process getattr;
				111
				112	# Specify any arguments to zygote.
				113	allow system self:zygote *;
				114
				115	# Check SELinux permissions.
				116	selinux_check_access(system)
				117
				118	# XXX Label sysfs files with a specific type?
				119	allow system sysfs:file rw_file_perms;
Stephen Smalley	f794823	2012-03-19 15:56:01 -0400	[diff] [blame]	120	allow system sysfs_nfc_power_writable:file rw_file_perms;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	121
				122	# Access devices.
Stephen Smalley	c94e239	2012-01-06 10:25:53 -0500	[diff] [blame]	123	allow system device:dir r_dir_perms;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	124	allow system device:chr_file rw_file_perms;
				125	allow system akm_device:chr_file rw_file_perms;
				126	allow system accelerometer_device:chr_file rw_file_perms;
				127	allow system alarm_device:chr_file rw_file_perms;
				128	allow system graphics_device:dir search;
				129	allow system graphics_device:chr_file rw_file_perms;
				130	allow system input_device:dir r_dir_perms;
				131	allow system input_device:chr_file rw_file_perms;
				132	allow system tty_device:chr_file rw_file_perms;
				133	allow system urandom_device:chr_file rw_file_perms;
				134	allow system video_device:chr_file rw_file_perms;
				135	allow system qemu_device:chr_file rw_file_perms;
				136
				137	# Manage data files.
				138	allow system data_file_type:dir create_dir_perms;
				139	allow system data_file_type:notdevfile_class_set create_file_perms;
				140
Stephen Smalley	59d2803	2012-03-19 10:24:52 -0400	[diff] [blame]	141	# Read /file_contexts.
				142	allow system rootfs:file r_file_perms;
				143
				144	# Relabel apk files.
				145	allow system apk_tmp_file:file { relabelfrom relabelto };
				146	allow system apk_data_file:file { relabelfrom relabelto };
				147
Stephen Smalley	f6cbbe2	2012-03-19 10:29:36 -0400	[diff] [blame]	148	# Relabel wallpaper.
				149	allow system system_data_file:file relabelfrom;
				150	allow system wallpaper_file:file relabelto;
				151	allow system wallpaper_file:file r_file_perms;
				152
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	153	# Property Service write
				154	allow system system_prop:property_service set;
Stephen Smalley	730957a	2012-04-04 16:01:19 -0400	[diff] [blame]	155	allow system radio_prop:property_service set;
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	156
				157	# ctl interface
				158	allow system ctl_default_prop:property_service set;
				159
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	160	# Create a socket for receiving info from wpa.
				161	type_transition system wifi_data_file:sock_file system_wpa_socket;
				162	allow system system_wpa_socket:sock_file create_file_perms;
				163
				164	# Manage cache files.
				165	allow system cache_file:dir create_dir_perms;
				166	allow system cache_file:file create_file_perms;
				167
				168	# Run system programs, e.g. dexopt.
				169	allow system system_file:file x_file_perms;
				170
Stephen Smalley	c83d008	2012-03-07 14:59:01 -0500	[diff] [blame]	171	# Allow reading of /proc/pid data for other domains.
				172	# XXX dontaudit candidate
				173	allow system domain:dir r_dir_perms;
				174	allow system domain:file r_file_perms;