#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
# Two domains are defined in this file: system_app (system-UID apps)
# and system (the system_server process). Rules for system_app come
# first; the system domain starts at the "System Server" header below.
#
type system_app, domain;
app_domain(system_app)

# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
binder_transfer(system_app, appdomain)

# Read and write system data files.
# May want to split into separate types.
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;

# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;

# Write to dalvikcache.
allow system_app dalvikcache_data_file:file { write setattr };

# Talk to keystore.
unix_socket_connect(system_app, keystore, keystore)

# Read SELinux enforcing status.
selinux_getenforce(system_app)

# NOTE(review): manage_selinux defaults to true, so unless a build
# overrides it, every process in system_app can change the enforcing
# status and flip policy booleans out of the box. Confirm whether a
# production build sets this to false; the rules below are only
# meaningful for a settings/debug UI.
bool manage_selinux true;
if (manage_selinux) {
# Set SELinux enforcing status.
selinux_setenforce(system_app)

# Set SELinux booleans.
selinux_setbool(system_app)

# Read syslog to display AVC messages.
allow system_app kernel:system syslog_read;
}

# NOTE(review): manage_mac also defaults to true. Besides the property
# writes it grants system_app execute on system_file and read on
# log_device; same question as manage_selinux about the default.
bool manage_mac true;
if (manage_mac) {
# Set properties via the init property service.
unix_socket_connect(system_app, property, init)

# Set the persist.mac_enforcing_mode property.
allow system_app system_prop:property_service set;

# Run logcat and read the logs for MAC denials.
allow system_app system_file:file x_file_perms;
allow system_app log_device:chr_file read;
}

#
# System Server aka system_server spawned by zygote.
# Most of the framework services run in this process.
#
type system, domain, mlstrustedsubject;

# Child of the zygote.
allow system zygote:fd use;
allow system zygote:process sigchld;
allow system zygote_tmpfs:file read;

# system server gets network and bluetooth permissions.
net_domain(system)
bluetooth_domain(system)

# These are the capabilities assigned by the zygote to the
# system server.
# XXX See if we can remove some of these.
# NOTE(review): sys_module (together with module_request below) and
# sys_boot are kernel-level capabilities; they are the first candidates
# for the removal the XXX asks for, but each drop should be verified
# against AVC audit output on a real boot before landing.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };

# Trigger module auto-load.
allow system kernel:system module_request;

# Use netlink uevent sockets.
# NOTE(review): '*' grants every permission on the class; if only
# create/bind/read are exercised, an explicit set is easier to audit.
allow system self:netlink_kobject_uevent_socket *;

# Kill apps.
allow system appdomain:process { sigkill signal };

# Set scheduling info for apps.
allow system appdomain:process setsched;
allow system mediaserver:process setsched;

# Read /proc data for apps.
# NOTE(review): the comment says "read" but the second rule grants
# rw_file_perms on app /proc files and symlinks; confirm whether write
# is actually needed (e.g. for oom_adj) or whether r_file_perms suffices.
allow system appdomain:dir r_dir_perms;
allow system appdomain:{ file lnk_file } rw_file_perms;

# Write to /proc/net/xt_qtaguid/ctrl.
allow system qtaguid_proc:file rw_file_perms;
allow system qtaguid_device:chr_file rw_file_perms;

# Notify init of death.
allow system init:process sigchld;

# Talk to init and various daemons via sockets.
unix_socket_connect(system, property, init)
unix_socket_connect(system, qemud, qemud)
unix_socket_connect(system, installd, installd)
unix_socket_connect(system, netd, netd)
unix_socket_connect(system, vold, vold)
unix_socket_connect(system, zygote, zygote)
unix_socket_connect(system, keystore, keystore)
unix_socket_connect(system, dbus, dbusd)
unix_socket_connect(system, gps, gpsd)
unix_socket_send(system, wpa, wpa)

# Communicate over a socket created by surfaceflinger.
allow system surfaceflinger:unix_stream_socket { read write setopt };

# Perform Binder IPC.
tmpfs_domain(system)
binder_use(system)
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
# Transfer other Binder references.
binder_transfer(system, binderservicedomain)
binder_transfer(system, appdomain)

# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
r_dir_file(system, mediaserver)
allow system appdomain:process getattr;
allow system mediaserver:process getattr;

# Specify any arguments to zygote.
allow system self:zygote *;

# Check SELinux permissions.
selinux_check_access(system)

# XXX Label sysfs files with a specific type?
# NOTE(review): rw on the generic sysfs type reaches every sysfs node
# that has not been given its own label; sysfs_nfc_power_writable below
# is an example of the narrower type the XXX is asking for.
allow system sysfs:file rw_file_perms;
allow system sysfs_nfc_power_writable:file rw_file_perms;

# Access devices.
# NOTE(review): the rules on the generic device type presumably cover
# any device node that carries no more specific label; the per-device
# types that follow are the intended pattern, so the generic chr_file
# and sock_file rules are worth revisiting once labeling is complete.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
allow system device:sock_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
allow system graphics_device:dir search;
allow system graphics_device:chr_file rw_file_perms;
allow system input_device:dir r_dir_perms;
allow system input_device:chr_file rw_file_perms;
allow system tty_device:chr_file rw_file_perms;
allow system urandom_device:chr_file rw_file_perms;
allow system video_device:chr_file rw_file_perms;
allow system qemu_device:chr_file rw_file_perms;

# Manage data files.
# NOTE(review): data_file_type is an attribute, so these two rules
# grant create/write across every data file type in the policy at once;
# this is the broadest file grant in the system domain.
allow system data_file_type:dir create_dir_perms;
allow system data_file_type:notdevfile_class_set create_file_perms;

# Read /file_contexts.
allow system rootfs:file r_file_perms;

# Relabel apk files.
allow system apk_tmp_file:file { relabelfrom relabelto };
allow system apk_data_file:file { relabelfrom relabelto };

# Relabel wallpaper.
allow system system_data_file:file relabelfrom;
allow system wallpaper_file:file relabelto;
allow system wallpaper_file:file rw_file_perms;

# Relabel /data/anr.
allow system system_data_file:dir relabelfrom;
allow system anr_data_file:dir relabelto;

# Property Service write
allow system system_prop:property_service set;
allow system radio_prop:property_service set;

# ctl interface
allow system ctl_default_prop:property_service set;

# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system system_wpa_socket:sock_file create_file_perms;

# Manage cache files.
allow system cache_file:dir create_dir_perms;
allow system cache_file:file create_file_perms;

# Run system programs, e.g. dexopt.
allow system system_file:file x_file_perms;

# Allow reading of /proc/pid data for other domains.
# XXX dontaudit candidate
# NOTE(review): domain is the attribute every process type in this file
# carries, so this is read access to the /proc entries of all processes.
# If the access is incidental rather than required, the dontaudit the
# XXX suggests is the safer replacement for the allow.
allow system domain:dir r_dir_perms;
allow system domain:file r_file_perms;

# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system gps_device:chr_file rw_file_perms;
allow system gps_control:file rw_file_perms;

# system Read/Write udp_socket of untrusted_app
# NOTE(review): the comment names untrusted_app but the rule targets the
# appdomain attribute, i.e. sockets of every app domain; confirm which
# scope is intended and align the comment or the rule.
allow system appdomain:udp_socket { read write };
# Allow abstract socket connection
allow system rild:unix_stream_socket connectto;

# connect to vpn tunnel
allow system mtp:unix_stream_socket { connectto };