| Stephen Smalley | 8840fa7 | 2013-09-11 11:37:46 -0400 | [diff] [blame] | 1 | # |
| 2 | # Apps that run with the system UID, e.g. com.android.system.ui, |
| 3 | # com.android.settings. These are not as privileged as the system |
| 4 | # server. |
| 5 | # |
| 6 | type system_app, domain; |
| Stephen Smalley | 5637099 | 2013-10-23 13:12:55 -0400 | [diff] [blame] | 7 | permissive system_app; |
| Stephen Smalley | 8840fa7 | 2013-09-11 11:37:46 -0400 | [diff] [blame] | 8 | app_domain(system_app) |
| Stephen Smalley | 5637099 | 2013-10-23 13:12:55 -0400 | [diff] [blame] | 9 | |
| 10 | # Perform binder IPC to any app domain. |
| 11 | binder_call(system_app, appdomain) |
| 12 | |
| 13 | # Read and write system data files. |
| 14 | # May want to split into separate types. |
| 15 | allow system_app system_data_file:dir create_dir_perms; |
| 16 | allow system_app system_data_file:file create_file_perms; |
| 17 | |
| 18 | # Read wallpaper file. |
| 19 | allow system_app wallpaper_file:file r_file_perms; |
| 20 | |
| 21 | # Write to dalvikcache. |
| 22 | allow system_app dalvikcache_data_file:file { write setattr }; |
| 23 | |
| 24 | # Talk to keystore. |
| 25 | unix_socket_connect(system_app, keystore, keystore) |
| 26 | |
| 27 | # Read SELinux enforcing status. |
| 28 | selinux_getenforce(system_app) |
| 29 | |
| 30 | # Settings app reads sdcard for storage stats |
| 31 | allow system_app sdcard_type:dir r_dir_perms; |
| 32 | |
| 33 | # Allow settings app to read from asec |
| 34 | allow system_app asec_apk_file:dir search; |
| 35 | allow system_app asec_apk_file:file r_file_perms; |
| Nick Kralevich | dd1ec6d | 2013-11-01 10:45:03 -0700 | [diff] [blame^] | 36 | |
| 37 | # Write to properties |
| 38 | allow system_app system_prop:property_service set; |