c631ede7dc
Address observed audit logs of the form:
granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager
in order to record existing relationships with services.
Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
96 lines
3 KiB
Text
96 lines
3 KiB
Text
#
|
|
# Apps that run with the system UID, e.g. com.android.system.ui,
|
|
# com.android.settings. These are not as privileged as the system
|
|
# server.
|
|
#
|
|
type system_app, domain;
|
|
app_domain(system_app)
|
|
net_domain(system_app)
|
|
binder_service(system_app)
|
|
|
|
# Read and write /data/data subdirectory.
|
|
allow system_app system_app_data_file:dir create_dir_perms;
|
|
allow system_app system_app_data_file:file create_file_perms;
|
|
|
|
# Read /data/misc/keychain subdirectory.
|
|
allow system_app keychain_data_file:dir r_dir_perms;
|
|
allow system_app keychain_data_file:file r_file_perms;
|
|
|
|
# Read and write to other system-owned /data directories, such as
|
|
# /data/system/cache and /data/misc/user.
|
|
allow system_app system_data_file:dir create_dir_perms;
|
|
allow system_app system_data_file:file create_file_perms;
|
|
allow system_app misc_user_data_file:dir create_dir_perms;
|
|
allow system_app misc_user_data_file:file create_file_perms;
|
|
# Audit writes to these directories and files so we can identify
|
|
# and possibly move these directories into their own type in the future.
|
|
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
|
|
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
|
|
|
|
# Read wallpaper file.
|
|
allow system_app wallpaper_file:file r_file_perms;
|
|
|
|
# Write to properties
|
|
unix_socket_connect(system_app, property, init)
|
|
allow system_app debug_prop:property_service set;
|
|
allow system_app net_radio_prop:property_service set;
|
|
allow system_app system_radio_prop:property_service set;
|
|
auditallow system_app net_radio_prop:property_service set;
|
|
auditallow system_app system_radio_prop:property_service set;
|
|
allow system_app system_prop:property_service set;
|
|
allow system_app ctl_bugreport_prop:property_service set;
|
|
allow system_app logd_prop:property_service set;
|
|
|
|
# Create /data/anr/traces.txt.
|
|
allow system_app anr_data_file:dir ra_dir_perms;
|
|
allow system_app anr_data_file:file create_file_perms;
|
|
|
|
# Settings need to access app name and icon from asec
|
|
allow system_app asec_apk_file:file r_file_perms;
|
|
|
|
allow system_app keystore_service:service_manager find;
|
|
allow system_app mediaserver_service:service_manager find;
|
|
allow system_app nfc_service:service_manager find;
|
|
allow system_app radio_service:service_manager find;
|
|
allow system_app surfaceflinger_service:service_manager find;
|
|
allow system_app system_app_service:service_manager add;
|
|
allow system_app system_server_service:service_manager find;
|
|
allow system_app tmp_system_server_service:service_manager find;
|
|
|
|
# address tmp_system_server_service accesses
|
|
allow system_app {
|
|
activity_service
|
|
connectivity_service
|
|
display_service
|
|
dropbox_service
|
|
}:service_manager find;
|
|
|
|
service_manager_local_audit_domain(system_app)
|
|
auditallow system_app {
|
|
tmp_system_server_service
|
|
-activity_service
|
|
-connectivity_service
|
|
-display_service
|
|
-dropbox_service
|
|
}:service_manager find;
|
|
|
|
allow system_app keystore:keystore_key {
|
|
test
|
|
get
|
|
insert
|
|
delete
|
|
exist
|
|
saw
|
|
reset
|
|
password
|
|
lock
|
|
unlock
|
|
zero
|
|
sign
|
|
verify
|
|
grant
|
|
duplicate
|
|
clear_uid
|
|
};
|
|
|
|
control_logd(system_app)
|