1# 2# Apps that run with the system UID, e.g. com.android.system.ui, 3# com.android.settings. These are not as privileged as the system 4# server. 5# 6type system_app, domain; 7app_domain(system_app) 8net_domain(system_app) 9binder_service(system_app) 10 11# Read and write /data/data subdirectory. 12allow system_app system_app_data_file:dir create_dir_perms; 13allow system_app system_app_data_file:{ file lnk_file } create_file_perms; 14 15# Read /data/misc/keychain subdirectory. 16allow system_app keychain_data_file:dir r_dir_perms; 17allow system_app keychain_data_file:file r_file_perms; 18 19# Read and write to other system-owned /data directories, such as 20# /data/system/cache and /data/misc/user. 21allow system_app system_data_file:dir create_dir_perms; 22allow system_app system_data_file:file create_file_perms; 23allow system_app misc_user_data_file:dir create_dir_perms; 24allow system_app misc_user_data_file:file create_file_perms; 25# Audit writes to these directories and files so we can identify 26# and possibly move these directories into their own type in the future. 27auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename }; 28auditallow system_app system_data_file:file { create setattr append write link unlink rename }; 29 30# Access to vold-mounted storage for measuring free space 31allow system_app mnt_media_rw_file:dir search; 32 33# Read wallpaper file. 34allow system_app wallpaper_file:file r_file_perms; 35 36# Write to properties 37set_prop(system_app, debug_prop) 38set_prop(system_app, system_prop) 39set_prop(system_app, ctl_bugreport_prop) 40set_prop(system_app, logd_prop) 41set_prop(system_app, net_radio_prop) 42set_prop(system_app, system_radio_prop) 43auditallow system_app net_radio_prop:property_service set; 44auditallow system_app system_radio_prop:property_service set; 45 46# Create /data/anr/traces.txt. 47allow system_app anr_data_file:dir ra_dir_perms; 48allow system_app anr_data_file:file create_file_perms; 49 50# Settings need to access app name and icon from asec 51allow system_app asec_apk_file:file r_file_perms; 52 53allow system_app servicemanager:service_manager list; 54allow system_app service_manager_type:service_manager find; 55 56allow system_app keystore:keystore_key { 57 get_state 58 get 59 insert 60 delete 61 exist 62 list 63 reset 64 password 65 lock 66 unlock 67 is_empty 68 sign 69 verify 70 grant 71 duplicate 72 clear_uid 73 user_changed 74}; 75 76control_logd(system_app) 77