platform_system_sepolicy/private/system_app.te

###
### Apps that run with the system UID, e.g. com.android.system.ui,
### com.android.settings.  These are not as privileged as the system
### server.
###

typeattribute system_app coredomain, mlstrustedsubject;

app_domain(system_app)
net_domain(system_app)
binder_service(system_app)

# android.ui and system.ui
allow system_app rootfs:dir getattr;

# read/write certain subdirectories of /data/data for system UID apps.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;

# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
allow system_app apex_data_file:dir search;
allow system_app staging_data_file:file r_file_perms;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Read icon file.
allow system_app icon_file:file r_file_perms;

# Write to properties
set_prop(system_app, adaptive_haptics_prop)
set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, gesture_prop)
set_prop(system_app, locale_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, timezone_prop)
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
set_prop(system_app, drm_forcel3_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
auditallow system_app usb_prop:property_service set;
# Allow Settings to enable Dynamic System Update
set_prop(system_app, dynamic_system_prop)

# ctl interface
set_prop(system_app, ctl_default_prop)
set_prop(system_app, ctl_bugreport_prop)

# Allow developer settings to query gsid status
get_prop(system_app, gsid_prop)

# Allow developer settings to check 16k pages boot option status
get_prop(system_app, enable_16k_pages_prop)

# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;

# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;

# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)

# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)

# Allow system apps (Settings) to call into update_engine
# in order to apply update to switch from 4k kernel to 16K and vice-versa
binder_use(system_app)
allow system_app update_engine_stable_service:service_manager find;
binder_call(system_app, update_engine)

# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)

allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -dumpstate_service
  -installd_service
  -lpdump_service
  -mdns_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
  -tracingproxy_service
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
  dnsresolver_service
  dumpstate_service
  installd_service
  mdns_service
  netd_service
  virtual_touchpad_service
  vold_service
}:service_manager find;

# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;

# Ignore access to memory properties for Settings.
dontaudit system_app proc_pagetypeinfo:file r_file_perms;
dontaudit system_app sysfs_zram:dir search;

allow system_app keystore:keystore2_key {
    delete
    get_info
    grant
    rebind
    update
    use
};

# Allow Settings to manage WI-FI keys.
allow system_app wifi_key:keystore2_key {
    delete
    get_info
    rebind
    update
    use
};

# settings app reads /proc/version
allow system_app {
  proc_version
}:file r_file_perms;

# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
allow system_app cgroup_v2:dir w_dir_perms;

control_logd(system_app)
read_runtime_log_tags(system_app)
get_prop(system_app, device_logging_prop)

# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow system_app system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

# allow system apps to read game manager related sysrops
get_prop(system_app, game_manager_config_prop)

# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)

# Settings app reads ro.usb.uvc.enabled
get_prop(system_app, usb_uvc_enabled_prop)

# Settings app reads and writes the wifi blob database
allow system_app connectivityblob_data_file:dir rw_dir_perms;
allow system_app connectivityblob_data_file:file create_file_perms;

###
### Neverallow rules
###

# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;

# Apps which run as UID=system should not rely on any attacker controlled
# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
# allow writes to files passed by file descriptor to support dumpstate and
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };

# system_app should be the only domain writing the adaptive haptics prop
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
# system_app should be the only domain writing the force l3 prop
neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;

allow system_app vendor_boot_ota_file:dir { r_dir_perms };
allow system_app vendor_boot_ota_file:file { r_file_perms };