platform_system_sepolicy/system_app.te
dcashman 23f336156d Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:38:07 -08:00

112 lines
3.4 KiB
Text

#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)
net_domain(system_app)
binder_service(system_app)
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
# Read /data/misc/keychain subdirectory.
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;
# Read and write to other system-owned /data directories, such as
# /data/system/cache and /data/misc/user.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
allow system_app net_radio_prop:property_service set;
allow system_app system_radio_prop:property_service set;
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
allow system_app system_prop:property_service set;
allow system_app ctl_bugreport_prop:property_service set;
allow system_app logd_prop:property_service set;
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
allow system_app mediaserver_service:service_manager find;
allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
allow system_app system_server_service:service_manager find;
allow system_app tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
-accessibility_service
-activity_service
-appops_service
-appwidget_service
-assetatlas_service
-audio_service
-backup_service
-bluetooth_manager_service
-connectivity_service
-content_service
-device_policy_service
-display_service
-dreams_service
-dropbox_service
-input_method_service
-input_service
-lock_settings_service
-mount_service
-network_management_service
-notification_service
-power_service
-print_service
-registry_service
-sensorservice_service
-usagestats_service
-usb_service
-user_service
-vibrator_service
-wifi_service
}:service_manager find;
allow system_app keystore:keystore_key {
test
get
insert
delete
exist
saw
reset
password
lock
unlock
zero
sign
verify
grant
duplicate
clear_uid
};
control_logd(system_app)