#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)

# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)

# Read and write system data files.
# May want to split into separate types.
# Until that split, this is create/unlink/write on every file and
# directory carrying system_data_file, not only the ones this app owns.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Write to dalvikcache.
# Only write and setattr on existing files; no create/unlink.
allow system_app dalvikcache_data_file:file { write setattr };

# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)

# Read SELinux enforcing status.
selinux_getenforce(system_app)

# Policy boolean: when true, system_app (the Settings app) may change the
# enforcing mode and set policy booleans at runtime. It defaults to true
# here; a build that does not expose this in Settings should override it
# to false rather than rely on the UI alone.
# NOTE(review): the setenforce permission granted by the macro below is
# presumably the kernel's security:setenforce, which is not one-directional
# -- a domain that can switch to enforcing can switch back to permissive
# the same way. Confirm against the macro definition.
bool settings_manage_selinux true;
if (settings_manage_selinux) {
# Allow settings app to set SELinux to enforcing
selinux_setenforce(system_app)

# Allow settings app to set SELinux booleans
selinux_setbool(system_app)
}

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
# mlstrustedsubject exempts this domain from the MLS constraints that
# reference that attribute.
type system, domain, mlstrustedsubject;

# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;

# system server gets network and bluetooth permissions.
net_domain(system)
bluetooth_domain(system)

# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
# sys_module (kernel module load/unload) and sys_boot are the broadest
# of this set and the first candidates for the removal above.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };

# Use netlink uevent sockets.
# '*' grants every permission defined for the class, including create,
# bind and write, not just read.
allow system self:netlink_kobject_uevent_socket *;

# Kill apps.
allow system appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system appdomain:process setsched;

# Read /proc data for apps.
# NOTE(review): the second rule is rw_file_perms, not r_file_perms, so it
# also permits writes to app /proc/pid entries -- presumably intended for
# per-process tunables; confirm which writes are actually needed.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;

# Write to /proc/net/xt_qtaguid/ctrl.
# XXX Split /proc/net into its own type.
# Until that split, this allows writing any file labelled proc, not just
# the qtaguid control file.
allow system proc:file write;

# Notify init of death.
allow system init:process sigchld;

# Talk to init and various daemons via sockets.
# The property socket connect alone does not decide which properties may
# be set; that is governed by the property_service rules further down.
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_connect(system, bluetooth, bluetoothd)
unix_socket_send(system, wpa, wpa)

# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Transfer other Binder references.
binder_transfer(system, binderservicedomain)
binder_transfer(system, appdomain)

# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;

# Specify any arguments to zygote.
# '*' on the zygote class: every zygote-spawn option is permitted.
allow system self:zygote *;

# Check SELinux permissions.
# Lets system_server query access decisions from the kernel; it does not
# grant the ability to change policy (presumably security:compute_av --
# confirm in the macro).
selinux_check_access(system)

# XXX Label sysfs files with a specific type?
# rw on the generic sysfs type reaches every sysfs attribute that has no
# more specific label; the nfc power node is the only one split out so far.
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;

# Access devices.
# NOTE(review): device is presumably the default label for nodes under /dev
# that have no specific type, so the chr_file rule on it covers any such
# node; prefer adding a specific device type over relying on this fallback.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;

# Manage data files.
# data_file_type is an attribute, so this spans every data file type
# (app-private ones included); notdevfile_class_set is the non-device
# file classes (file, lnk_file, sock_file, fifo_file in reference policy).
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;

# Read /file_contexts.
allow system rootfs:file r_file_perms;

# Relabel apk files.
allow system apk_tmp_file:file { relabelfrom relabelto };
allow system apk_data_file:file { relabelfrom relabelto };

# Relabel wallpaper.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file r_file_perms;

# Property Service write
allow system system_prop:property_service set;
allow system radio_prop:property_service set;

# ctl interface
# ctl.* properties ask init to start or stop services, so setting them
# amounts to control over every init-managed service.
allow system ctl_default_prop:property_service set;

# Create a socket for receiving info from wpa.
# Sockets system creates under wifi_data_file are automatically labelled
# system_wpa_socket by this transition.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;

# Manage cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;

# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;

# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
# domain is the attribute shared by every process type, so this is read
# access to the /proc/pid tree of every process on the device.
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;