1###
2### Apps that run with the system UID, e.g. com.android.system.ui,
3### com.android.settings.  These are not as privileged as the system
4### server.
5###
6
7typeattribute system_app coredomain, mlstrustedsubject;
8
9app_domain(system_app)
10net_domain(system_app)
11binder_service(system_app)
12
13# android.ui and system.ui
14allow system_app rootfs:dir getattr;
15
16# Read and write /data/data subdirectory.
17allow system_app system_app_data_file:dir create_dir_perms;
18allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
19
20# Read and write to /data/misc/user.
21allow system_app misc_user_data_file:dir create_dir_perms;
22allow system_app misc_user_data_file:file create_file_perms;
23
24# Access to apex files stored on /data (b/136063500)
25# Needed so that Settings can access NOTICE files inside apex
26# files located in the assets/ directory.
27allow system_app apex_data_file:dir search;
28allow system_app staging_data_file:file r_file_perms;
29
30# Read wallpaper file.
31allow system_app wallpaper_file:file r_file_perms;
32
33# Read icon file.
34allow system_app icon_file:file r_file_perms;
35
36# Write to properties
37set_prop(system_app, bluetooth_a2dp_offload_prop)
38set_prop(system_app, bluetooth_audio_hal_prop)
39set_prop(system_app, bluetooth_prop)
40set_prop(system_app, debug_prop)
41set_prop(system_app, system_prop)
42set_prop(system_app, exported_bluetooth_prop)
43set_prop(system_app, exported_system_prop)
44set_prop(system_app, exported3_system_prop)
45set_prop(system_app, logd_prop)
46set_prop(system_app, net_radio_prop)
47set_prop(system_app, usb_control_prop)
48set_prop(system_app, usb_prop)
49set_prop(system_app, log_tag_prop)
50userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
51auditallow system_app net_radio_prop:property_service set;
52auditallow system_app usb_control_prop:property_service set;
53auditallow system_app usb_prop:property_service set;
54# Allow Settings to enable Dynamic System Update
55set_prop(system_app, dynamic_system_prop)
56
57# ctl interface
58set_prop(system_app, ctl_default_prop)
59set_prop(system_app, ctl_bugreport_prop)
60
61# Allow developer settings to query gsid status
62get_prop(system_app, gsid_prop)
63
64# Create /data/anr/traces.txt.
65allow system_app anr_data_file:dir ra_dir_perms;
66allow system_app anr_data_file:file create_file_perms;
67
68# Settings need to access app name and icon from asec
69allow system_app asec_apk_file:file r_file_perms;
70
71# Allow system apps (like Settings) to interact with statsd
72binder_call(system_app, statsd)
73
74# Allow system apps to interact with incidentd
75binder_call(system_app, incidentd)
76
77# Allow system app to interact with Dumpstate HAL
78hal_client_domain(system_app, hal_dumpstate)
79
80allow system_app servicemanager:service_manager list;
81# TODO: scope this down? Too broad?
82allow system_app {
83  service_manager_type
84  -apex_service
85  -dnsresolver_service
86  -dumpstate_service
87  -installd_service
88  -iorapd_service
89  -lpdump_service
90  -netd_service
91  -system_suspend_control_internal_service
92  -system_suspend_control_service
93  -tracingproxy_service
94  -virtual_touchpad_service
95  -vold_service
96  -vr_hwc_service
97  -default_android_service
98}:service_manager find;
99# suppress denials for services system_app should not be accessing.
100dontaudit system_app {
101  dnsresolver_service
102  dumpstate_service
103  installd_service
104  iorapd_service
105  netd_service
106  virtual_touchpad_service
107  vold_service
108  vr_hwc_service
109}:service_manager find;
110
111# suppress denials caused by debugfs_tracing
112dontaudit system_app debugfs_tracing:file rw_file_perms;
113
114allow system_app keystore:keystore_key {
115    get_state
116    get
117    insert
118    delete
119    exist
120    list
121    reset
122    password
123    lock
124    unlock
125    is_empty
126    sign
127    verify
128    grant
129    duplicate
130    clear_uid
131    user_changed
132};
133
134allow system_app keystore:keystore2_key {
135    delete
136    get_info
137    grant
138    rebind
139    update
140    use
141};
142
143# Allow Settings to manage WI-FI keys.
144allow system_app wifi_key:keystore2_key {
145    delete
146    get_info
147    rebind
148    update
149    use
150};
151
152# settings app reads /proc/version
153allow system_app {
154  proc_version
155}:file r_file_perms;
156
157# Settings app writes to /dev/stune/foreground/tasks.
158allow system_app cgroup:file w_file_perms;
159allow system_app cgroup_v2:file w_file_perms;
160
161control_logd(system_app)
162read_runtime_log_tags(system_app)
163get_prop(system_app, device_logging_prop)
164
165# allow system apps to use UDP sockets provided by the system server but not
166# modify them other than to connect
167allow system_app system_server:udp_socket {
168        connect getattr read recvfrom sendto write getopt setopt };
169
170# Settings app reads ro.oem_unlock_supported
171get_prop(system_app, oem_unlock_prop)
172
173# Allow system apps to act as Perfetto producers.
174perfetto_producer(system_app)
175
176###
177### Neverallow rules
178###
179
180# app domains which access /dev/fuse should not run as system_app
181neverallow system_app fuse_device:chr_file *;
182
183# Apps which run as UID=system should not rely on any attacker controlled
184# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
185# allow writes to files passed by file descriptor to support dumpstate and
186# bug reports, but not reads.
187neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
188neverallow system_app shell_data_file:file { open read ioctl lock };
189