platform_system_sepolicy/system_app.te
Brian Carlstrom 09eae90890 Remove system_server create access from /data/dalvik-cache
Bug: 16875245

(cherry picked from commit 372d0df796)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
2014-08-28 21:36:27 -07:00

74 lines
2.1 KiB
Text

#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)
net_domain(system_app)
binder_service(system_app)
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:file create_file_perms;
# Read and write to other system-owned /data directories, such as
# /data/system/cache and /data/misc/keychain.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
allow system_app net_radio_prop:property_service set;
allow system_app system_radio_prop:property_service set;
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
allow system_app system_prop:property_service set;
allow system_app ctl_bugreport_prop:property_service set;
allow system_app logd_prop:property_service set;
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
allow system_app system_app_service:service_manager add;
allow system_app keystore:keystore_key {
test
get
insert
delete
exist
saw
reset
password
lock
unlock
zero
sign
verify
grant
duplicate
clear_uid
};
control_logd(system_app)
# Audited locally.
service_manager_local_audit_domain(system_app)
auditallow system_app {
service_manager_type
-keystore_service
-nfc_service
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;