1###
2### Apps that run with the system UID, e.g. com.android.system.ui,
3### com.android.settings.  These are not as privileged as the system
4### server.
5###
6
7typeattribute system_app coredomain;
8
9app_domain(system_app)
10net_domain(system_app)
11binder_service(system_app)
12
13# android.ui and system.ui
14allow system_app rootfs:dir getattr;
15
16# Read and write /data/data subdirectory.
17allow system_app system_app_data_file:dir create_dir_perms;
18allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
19
20# Read and write to /data/misc/user.
21allow system_app misc_user_data_file:dir create_dir_perms;
22allow system_app misc_user_data_file:file create_file_perms;
23
24# Access to vold-mounted storage for measuring free space
25allow system_app mnt_media_rw_file:dir search;
26
27# Access to apex files stored on /data (b/136063500)
28# Needed so that Settings can access NOTICE files inside apex
29# files located in the assets/ directory.
30allow system_app apex_data_file:dir search;
31allow system_app staging_data_file:file r_file_perms;
32
33# Read wallpaper file.
34allow system_app wallpaper_file:file r_file_perms;
35
36# Read icon file.
37allow system_app icon_file:file r_file_perms;
38
39# Write to properties
40set_prop(system_app, bluetooth_a2dp_offload_prop)
41set_prop(system_app, bluetooth_audio_hal_prop)
42set_prop(system_app, bluetooth_prop)
43set_prop(system_app, debug_prop)
44set_prop(system_app, system_prop)
45set_prop(system_app, exported_bluetooth_prop)
46set_prop(system_app, exported_system_prop)
47set_prop(system_app, exported2_system_prop)
48set_prop(system_app, exported3_system_prop)
49set_prop(system_app, logd_prop)
50set_prop(system_app, net_radio_prop)
51set_prop(system_app, system_radio_prop)
52set_prop(system_app, exported_system_radio_prop)
53set_prop(system_app, log_tag_prop)
54userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
55auditallow system_app net_radio_prop:property_service set;
56auditallow system_app system_radio_prop:property_service set;
57auditallow system_app exported_system_radio_prop:property_service set;
58# Allow Settings to enable Dynamic System Update
59set_prop(system_app, dynamic_system_prop)
60
61# ctl interface
62set_prop(system_app, ctl_default_prop)
63set_prop(system_app, ctl_bugreport_prop)
64
65# Allow developer settings to query gsid status
66get_prop(system_app, gsid_prop)
67
68# Create /data/anr/traces.txt.
69allow system_app anr_data_file:dir ra_dir_perms;
70allow system_app anr_data_file:file create_file_perms;
71
72# Settings need to access app name and icon from asec
73allow system_app asec_apk_file:file r_file_perms;
74
75# Allow system_app (adb data loader) to write data to /data/incremental
76allow system_app apk_data_file:file write;
77
78# Allow system app (adb data loader) to read logs
79allow system_app incremental_control_file:file r_file_perms;
80
81# Allow system apps (like Settings) to interact with statsd
82binder_call(system_app, statsd)
83
84# Allow system apps to interact with incidentd
85binder_call(system_app, incidentd)
86
87# Allow system apps to interact with gpuservice
88binder_call(system_app, gpuservice)
89
90# Allow system app to interact with Dumpstate HAL
91hal_client_domain(system_app, hal_dumpstate)
92
93allow system_app servicemanager:service_manager list;
94# TODO: scope this down? Too broad?
95allow system_app {
96  service_manager_type
97  -apex_service
98  -dnsresolver_service
99  -dumpstate_service
100  -installd_service
101  -iorapd_service
102  -lpdump_service
103  -netd_service
104  -system_suspend_control_service
105  -virtual_touchpad_service
106  -vold_service
107  -vr_hwc_service
108  -default_android_service
109}:service_manager find;
110# suppress denials for services system_app should not be accessing.
111dontaudit system_app {
112  dnsresolver_service
113  dumpstate_service
114  installd_service
115  iorapd_service
116  netd_service
117  virtual_touchpad_service
118  vold_service
119  vr_hwc_service
120}:service_manager find;
121
122allow system_app keystore:keystore_key {
123    get_state
124    get
125    insert
126    delete
127    exist
128    list
129    reset
130    password
131    lock
132    unlock
133    is_empty
134    sign
135    verify
136    grant
137    duplicate
138    clear_uid
139    user_changed
140};
141
142# settings app reads /proc/version
143allow system_app {
144  proc_version
145}:file r_file_perms;
146
147# Settings app writes to /dev/stune/foreground/tasks.
148allow system_app cgroup:file w_file_perms;
149
150control_logd(system_app)
151read_runtime_log_tags(system_app)
152get_prop(system_app, device_logging_prop)
153
154# allow system apps to use UDP sockets provided by the system server but not
155# modify them other than to connect
156allow system_app system_server:udp_socket {
157        connect getattr read recvfrom sendto write getopt setopt };
158
159###
160### Neverallow rules
161###
162
163# app domains which access /dev/fuse should not run as system_app
164neverallow system_app fuse_device:chr_file *;
165
166# Apps which run as UID=system should not rely on any attacker controlled
167# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
168# allow writes to files passed by file descriptor to support dumpstate and
169# bug reports, but not reads.
170neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
171neverallow system_app shell_data_file:file { open read ioctl lock };
172