platform_system_sepolicy/system_app.te
William Roberts 2f5a6a96bd Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 10:32:06 -07:00

78 lines
2.5 KiB
Text

#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)
net_domain(system_app)
binder_service(system_app)
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
# Read /data/misc/keychain subdirectory.
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;
# Read and write to other system-owned /data directories, such as
# /data/system/cache and /data/misc/user.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to properties
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, ctl_bugreport_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
allow system_app servicemanager:service_manager list;
allow system_app mediaserver_service:service_manager find;
allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find;
allow system_app keystore:keystore_key {
test
get
insert
delete
exist
saw
reset
password
lock
unlock
zero
sign
verify
grant
duplicate
clear_uid
};
control_logd(system_app)