1### 2### Apps that run with the system UID, e.g. com.android.system.ui, 3### com.android.settings. These are not as privileged as the system 4### server. 5### 6 7typeattribute system_app coredomain, mlstrustedsubject; 8 9app_domain(system_app) 10net_domain(system_app) 11binder_service(system_app) 12 13# android.ui and system.ui 14allow system_app rootfs:dir getattr; 15 16# Read and write /data/data subdirectory. 17allow system_app system_app_data_file:dir create_dir_perms; 18allow system_app system_app_data_file:{ file lnk_file } create_file_perms; 19 20# Read and write to /data/misc/user. 21allow system_app misc_user_data_file:dir create_dir_perms; 22allow system_app misc_user_data_file:file create_file_perms; 23 24# Access to apex files stored on /data (b/136063500) 25# Needed so that Settings can access NOTICE files inside apex 26# files located in the assets/ directory. 27allow system_app apex_data_file:dir search; 28allow system_app staging_data_file:file r_file_perms; 29 30# Read wallpaper file. 31allow system_app wallpaper_file:file r_file_perms; 32 33# Read icon file. 34allow system_app icon_file:file r_file_perms; 35 36# Write to properties 37set_prop(system_app, adaptive_haptics_prop) 38set_prop(system_app, arm64_memtag_prop) 39set_prop(system_app, bluetooth_a2dp_offload_prop) 40set_prop(system_app, bluetooth_audio_hal_prop) 41set_prop(system_app, bluetooth_prop) 42set_prop(system_app, debug_prop) 43set_prop(system_app, system_prop) 44set_prop(system_app, exported_bluetooth_prop) 45set_prop(system_app, exported_system_prop) 46set_prop(system_app, exported3_system_prop) 47set_prop(system_app, gesture_prop) 48set_prop(system_app, locale_prop) 49set_prop(system_app, logd_prop) 50set_prop(system_app, net_radio_prop) 51set_prop(system_app, timezone_prop) 52set_prop(system_app, usb_control_prop) 53set_prop(system_app, usb_prop) 54set_prop(system_app, log_tag_prop) 55userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)') 56auditallow system_app net_radio_prop:property_service set; 57auditallow system_app usb_control_prop:property_service set; 58auditallow system_app usb_prop:property_service set; 59# Allow Settings to enable Dynamic System Update 60set_prop(system_app, dynamic_system_prop) 61 62# ctl interface 63set_prop(system_app, ctl_default_prop) 64set_prop(system_app, ctl_bugreport_prop) 65 66# Allow developer settings to query gsid status 67get_prop(system_app, gsid_prop) 68 69# Create /data/anr/traces.txt. 70allow system_app anr_data_file:dir ra_dir_perms; 71allow system_app anr_data_file:file create_file_perms; 72 73# Settings need to access app name and icon from asec 74allow system_app asec_apk_file:file r_file_perms; 75 76# Allow system apps (like Settings) to interact with statsd 77binder_call(system_app, statsd) 78 79# Allow system apps to interact with incidentd 80binder_call(system_app, incidentd) 81 82# Allow system app to interact with Dumpstate HAL 83hal_client_domain(system_app, hal_dumpstate) 84 85allow system_app servicemanager:service_manager list; 86# TODO: scope this down? Too broad? 87allow system_app { 88 service_manager_type 89 -apex_service 90 -dnsresolver_service 91 -dumpstate_service 92 -installd_service 93 -lpdump_service 94 -mdns_service 95 -netd_service 96 -system_suspend_control_internal_service 97 -system_suspend_control_service 98 -tracingproxy_service 99 -virtual_touchpad_service 100 -vold_service 101 -default_android_service 102}:service_manager find; 103# suppress denials for services system_app should not be accessing. 104dontaudit system_app { 105 dnsresolver_service 106 dumpstate_service 107 installd_service 108 mdns_service 109 netd_service 110 virtual_touchpad_service 111 vold_service 112}:service_manager find; 113 114# suppress denials caused by debugfs_tracing 115dontaudit system_app debugfs_tracing:file rw_file_perms; 116 117# Ignore access to zram when Debug.getMemInfo is called. 118dontaudit system_app sysfs_zram:dir search; 119 120allow system_app keystore:keystore_key { 121 get_state 122 get 123 insert 124 delete 125 exist 126 list 127 reset 128 password 129 lock 130 unlock 131 is_empty 132 sign 133 verify 134 grant 135 duplicate 136 clear_uid 137 user_changed 138}; 139 140allow system_app keystore:keystore2_key { 141 delete 142 get_info 143 grant 144 rebind 145 update 146 use 147}; 148 149# Allow Settings to manage WI-FI keys. 150allow system_app wifi_key:keystore2_key { 151 delete 152 get_info 153 rebind 154 update 155 use 156}; 157 158# settings app reads /proc/version 159allow system_app { 160 proc_version 161}:file r_file_perms; 162 163# Settings app writes to /dev/stune/foreground/tasks. 164allow system_app cgroup:file w_file_perms; 165allow system_app cgroup_v2:file w_file_perms; 166allow system_app cgroup_v2:dir w_dir_perms; 167 168control_logd(system_app) 169read_runtime_log_tags(system_app) 170get_prop(system_app, device_logging_prop) 171 172# allow system apps to use UDP sockets provided by the system server but not 173# modify them other than to connect 174allow system_app system_server:udp_socket { 175 connect getattr read recvfrom sendto write getopt setopt }; 176 177# Settings app reads ro.oem_unlock_supported 178get_prop(system_app, oem_unlock_prop) 179 180# Settings app reads ro.usb.uvc.enabled 181get_prop(system_app, usb_uvc_enabled_prop) 182 183### 184### Neverallow rules 185### 186 187# app domains which access /dev/fuse should not run as system_app 188neverallow system_app fuse_device:chr_file *; 189 190# Apps which run as UID=system should not rely on any attacker controlled 191# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we 192# allow writes to files passed by file descriptor to support dumpstate and 193# bug reports, but not reads. 194neverallow system_app shell_data_file:dir { no_w_dir_perms open search read }; 195neverallow system_app shell_data_file:file { open read ioctl lock }; 196 197# system_app should be the only domain writing the adaptive haptics prop 198neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set; 199