1# 2# Apps that run with the system UID, e.g. com.android.system.ui, 3# com.android.settings. These are not as privileged as the system 4# server. 5# 6type system_app, domain; 7app_domain(system_app) 8net_domain(system_app) 9binder_service(system_app) 10 11# Read and write /data/data subdirectory. 12allow system_app system_app_data_file:dir create_dir_perms; 13allow system_app system_app_data_file:file create_file_perms; 14 15# Read /data/misc/keychain subdirectory. 16allow system_app keychain_data_file:dir r_dir_perms; 17allow system_app keychain_data_file:file r_file_perms; 18 19# Read and write to other system-owned /data directories, such as 20# /data/system/cache and /data/misc/user. 21allow system_app system_data_file:dir create_dir_perms; 22allow system_app system_data_file:file create_file_perms; 23allow system_app misc_user_data_file:dir create_dir_perms; 24allow system_app misc_user_data_file:file create_file_perms; 25# Audit writes to these directories and files so we can identify 26# and possibly move these directories into their own type in the future. 27auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename }; 28auditallow system_app system_data_file:file { create setattr append write link unlink rename }; 29 30# Read wallpaper file. 31allow system_app wallpaper_file:file r_file_perms; 32 33# Write to properties 34unix_socket_connect(system_app, property, init) 35allow system_app debug_prop:property_service set; 36allow system_app net_radio_prop:property_service set; 37allow system_app system_radio_prop:property_service set; 38auditallow system_app net_radio_prop:property_service set; 39auditallow system_app system_radio_prop:property_service set; 40allow system_app system_prop:property_service set; 41allow system_app ctl_bugreport_prop:property_service set; 42allow system_app logd_prop:property_service set; 43 44# Create /data/anr/traces.txt. 45allow system_app anr_data_file:dir ra_dir_perms; 46allow system_app anr_data_file:file create_file_perms; 47 48# Settings need to access app name and icon from asec 49allow system_app asec_apk_file:file r_file_perms; 50 51allow system_app system_app_service:service_manager add; 52 53allow system_app keystore:keystore_key { 54 test 55 get 56 insert 57 delete 58 exist 59 saw 60 reset 61 password 62 lock 63 unlock 64 zero 65 sign 66 verify 67 grant 68 duplicate 69 clear_uid 70}; 71 72control_logd(system_app) 73