Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / b1ec3dfacd604296b89df34050e2812133906d28 / . / system_app.te
blob: bada9051b42a76a3bb79f753c2b871bf93031a5e [file] [log] [blame]
Stephen Smalley8840fa72013-09-11 11:37:46 -0400[diff] [blame]1#
2# Apps that run with the system UID, e.g. com.android.system.ui,
3# com.android.settings. These are not as privileged as the system
4# server.
5#
6type system_app, domain;
Stephen Smalley8840fa72013-09-11 11:37:46 -0400[diff] [blame]7app_domain(system_app)
Stephen Smalley85708ec2014-02-24 10:48:03 -0500[diff] [blame]8net_domain(system_app)
Nick Kralevich2e7a3012014-01-10 23:05:25 -0800[diff] [blame]9binder_service(system_app)
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]10
Stephen Smalley91a4f8d2014-05-07 13:10:02 -0400[diff] [blame]11# Read and write /data/data subdirectory.
12allow system_app system_app_data_file:dir create_dir_perms;
13allow system_app system_app_data_file:file create_file_perms;
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]14
Stephen Smalleyf1ea7072014-05-27 14:23:32 -0400[diff] [blame]15# Read and write to other system-owned /data directories, such as
16# /data/system/cache and /data/misc/keychain.
17allow system_app system_data_file:dir create_dir_perms;
18allow system_app system_data_file:file create_file_perms;
19# Audit writes to these directories and files so we can identify
20# and possibly move these directories into their own type in the future.
21auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
22auditallow system_app system_data_file:file { create setattr append write link unlink rename };
23
Stephen Smalley56370992013-10-23 13:12:55 -0400[diff] [blame]24# Read wallpaper file.
25allow system_app wallpaper_file:file r_file_perms;
26
27# Write to dalvikcache.
28allow system_app dalvikcache_data_file:file { write setattr };
29
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -0700[diff] [blame]30# Write to properties
Nick Kralevich3e780002013-12-10 16:40:49 -0800[diff] [blame]31unix_socket_connect(system_app, property, init)
32allow system_app debug_prop:property_service set;
Stephen Smalleyfee49152014-06-19 10:27:02 -0400[diff] [blame]33allow system_app net_radio_prop:property_service set;
34allow system_app system_radio_prop:property_service set;
35auditallow system_app net_radio_prop:property_service set;
36auditallow system_app system_radio_prop:property_service set;
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -0700[diff] [blame]37allow system_app system_prop:property_service set;
Stephen Smalley1c0c0102014-03-06 14:47:22 -0500[diff] [blame]38allow system_app ctl_bugreport_prop:property_service set;
Mark Salyzyn9e7bbf62014-06-12 12:47:22 -0700[diff] [blame]39allow system_app logd_prop:property_service set;
Stephen Smalley1c0c0102014-03-06 14:47:22 -0500[diff] [blame]40
41# Create /data/anr/traces.txt.
42allow system_app anr_data_file:dir ra_dir_perms;
43allow system_app anr_data_file:file create_file_perms;
Mark Salyzync52d7382014-05-09 17:47:19 -0700[diff] [blame]44
Riley Spahnb1ec3df2014-07-01 08:38:56 -0700[diff] [blame^]45allow system_app system_app_service:service_manager add;
46
Riley Spahn1196d2a2014-06-17 14:58:52 -0700[diff] [blame]47allow system_app keystore:keystore_key {
48 test
49 get
50 insert
51 delete
52 exist
53 saw
54 reset
55 password
56 lock
57 unlock
58 zero
59 sign
60 verify
61 grant
62 duplicate
63 clear_uid
64};
65
66auditallow system_app keystore:keystore_key {
67 test
68 get
69 insert
70 delete
71 exist
72 reset
73 password
74 lock
75 unlock
76 sign
77 verify
78 grant
79 duplicate
80 clear_uid
81};
82
Mark Salyzync52d7382014-05-09 17:47:19 -0700[diff] [blame]83control_logd(system_app)