blob: 0930ca076a052c35c58b8b5082d4711b1db84a2f [file] [log] [blame]
Stephen Smalley8840fa72013-09-11 11:37:46 -04001#
2# Apps that run with the system UID, e.g. com.android.system.ui,
3# com.android.settings. These are not as privileged as the system
4# server.
5#
6type system_app, domain;
Stephen Smalley8840fa72013-09-11 11:37:46 -04007app_domain(system_app)
Stephen Smalley85708ec2014-02-24 10:48:03 -05008net_domain(system_app)
Nick Kralevich2e7a3012014-01-10 23:05:25 -08009binder_service(system_app)
Stephen Smalley56370992013-10-23 13:12:55 -040010
Stephen Smalley91a4f8d2014-05-07 13:10:02 -040011# Read and write /data/data subdirectory.
12allow system_app system_app_data_file:dir create_dir_perms;
13allow system_app system_app_data_file:file create_file_perms;
Stephen Smalley56370992013-10-23 13:12:55 -040014
Robin Lee51bfecf2014-10-13 12:10:08 +010015# Read /data/misc/keychain subdirectory.
16allow system_app keychain_data_file:dir r_dir_perms;
17allow system_app keychain_data_file:file r_file_perms;
18
Stephen Smalleyf1ea7072014-05-27 14:23:32 -040019# Read and write to other system-owned /data directories, such as
Robin Lee51bfecf2014-10-13 12:10:08 +010020# /data/system/cache and /data/misc/user.
Stephen Smalleyf1ea7072014-05-27 14:23:32 -040021allow system_app system_data_file:dir create_dir_perms;
22allow system_app system_data_file:file create_file_perms;
Robin Lee51bfecf2014-10-13 12:10:08 +010023allow system_app misc_user_data_file:dir create_dir_perms;
24allow system_app misc_user_data_file:file create_file_perms;
Stephen Smalleyf1ea7072014-05-27 14:23:32 -040025# Audit writes to these directories and files so we can identify
26# and possibly move these directories into their own type in the future.
27auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
28auditallow system_app system_data_file:file { create setattr append write link unlink rename };
29
Stephen Smalley56370992013-10-23 13:12:55 -040030# Read wallpaper file.
31allow system_app wallpaper_file:file r_file_perms;
32
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -070033# Write to properties
Nick Kralevich3e780002013-12-10 16:40:49 -080034unix_socket_connect(system_app, property, init)
35allow system_app debug_prop:property_service set;
Stephen Smalleyfee49152014-06-19 10:27:02 -040036allow system_app net_radio_prop:property_service set;
37allow system_app system_radio_prop:property_service set;
38auditallow system_app net_radio_prop:property_service set;
39auditallow system_app system_radio_prop:property_service set;
Nick Kralevichdd1ec6d2013-11-01 10:45:03 -070040allow system_app system_prop:property_service set;
Stephen Smalley1c0c0102014-03-06 14:47:22 -050041allow system_app ctl_bugreport_prop:property_service set;
Mark Salyzyn9e7bbf62014-06-12 12:47:22 -070042allow system_app logd_prop:property_service set;
Stephen Smalley1c0c0102014-03-06 14:47:22 -050043
44# Create /data/anr/traces.txt.
45allow system_app anr_data_file:dir ra_dir_perms;
46allow system_app anr_data_file:file create_file_perms;
Mark Salyzync52d7382014-05-09 17:47:19 -070047
Pawit Pornkitprasan9d942042014-12-11 22:33:49 +070048# Settings need to access app name and icon from asec
49allow system_app asec_apk_file:file r_file_perms;
50
Riley Spahnb1ec3df2014-07-01 08:38:56 -070051allow system_app system_app_service:service_manager add;
52
Riley Spahn1196d2a2014-06-17 14:58:52 -070053allow system_app keystore:keystore_key {
54 test
55 get
56 insert
57 delete
58 exist
59 saw
60 reset
61 password
62 lock
63 unlock
64 zero
65 sign
66 verify
67 grant
68 duplicate
69 clear_uid
70};
71
Mark Salyzync52d7382014-05-09 17:47:19 -070072control_logd(system_app)