dd1ec6d557
Allow writing to persist.sys and debug.
This addresses the following denials (which are actually being enforced):
<4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl
<4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib
Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
38 lines
1.1 KiB
Text
38 lines
1.1 KiB
Text
#
|
|
# Apps that run with the system UID, e.g. com.android.system.ui,
|
|
# com.android.settings. These are not as privileged as the system
|
|
# server.
|
|
#
|
|
type system_app, domain;
|
|
permissive system_app;
|
|
app_domain(system_app)
|
|
|
|
# Perform binder IPC to any app domain.
|
|
binder_call(system_app, appdomain)
|
|
|
|
# Read and write system data files.
|
|
# May want to split into separate types.
|
|
allow system_app system_data_file:dir create_dir_perms;
|
|
allow system_app system_data_file:file create_file_perms;
|
|
|
|
# Read wallpaper file.
|
|
allow system_app wallpaper_file:file r_file_perms;
|
|
|
|
# Write to dalvikcache.
|
|
allow system_app dalvikcache_data_file:file { write setattr };
|
|
|
|
# Talk to keystore.
|
|
unix_socket_connect(system_app, keystore, keystore)
|
|
|
|
# Read SELinux enforcing status.
|
|
selinux_getenforce(system_app)
|
|
|
|
# Settings app reads sdcard for storage stats
|
|
allow system_app sdcard_type:dir r_dir_perms;
|
|
|
|
# Allow settings app to read from asec
|
|
allow system_app asec_apk_file:dir search;
|
|
allow system_app asec_apk_file:file r_file_perms;
|
|
|
|
# Write to properties
|
|
allow system_app system_prop:property_service set;
|