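<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (C) 2008 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
-->

<!-- This file defines the mappings between lower-level system user and
     group IDs and the higher-level permission names managed by the
     platform.

     Be VERY careful when editing this file!  Mistakes made here can open
     big security holes.

     Review checklist for any change:
       * A <permission>/<group> mapping attaches the group ID to every
         process that is granted the permission, so check what files and
         device nodes that group owns before adding or widening a mapping.
       * An <assign-permission> entry grants the permission to a user ID,
         not to a package, so keep each uid's list to what that user needs.
-->
<permissions>

    <!-- ================================================================== -->
    <!-- ================================================================== -->
    <!-- ================================================================== -->

    <!-- The following tags associate low-level group IDs with permission
         names.  By specifying such a mapping, you are saying that any
         application process granted the given permission will also be
         running with the given group ID attached to its process, so it can
         perform any filesystem (read, write, execute) operations allowed
         for that group. -->

    <permission name="android.permission.BLUETOOTH_ADMIN" >
        <group gid="net_bt_admin" />
    </permission>

    <permission name="android.permission.BLUETOOTH" >
        <group gid="net_bt" />
    </permission>

    <!-- This permission attaches three groups at once; each of them is part
         of what a holder of BLUETOOTH_STACK can reach on the filesystem. -->
    <permission name="android.permission.BLUETOOTH_STACK" >
        <group gid="bluetooth" />
        <group gid="wakelock" />
        <group gid="uhid" />
    </permission>

    <permission name="android.permission.NET_TUNNELING" >
        <group gid="vpn" />
    </permission>

    <permission name="android.permission.INTERNET" >
        <group gid="inet" />
    </permission>

    <permission name="android.permission.READ_LOGS" >
        <group gid="log" />
    </permission>

    <permission name="android.permission.WRITE_MEDIA_STORAGE" >
        <group gid="media_rw" />
    </permission>

    <permission name="android.permission.ACCESS_MTP" >
        <group gid="mtp" />
    </permission>

    <permission name="android.permission.NET_ADMIN" >
        <group gid="net_admin" />
    </permission>

    <!-- The group that /cache belongs to, linked to the permission
         set on the applications that can access /cache -->
    <permission name="android.permission.ACCESS_CACHE_FILESYSTEM" >
        <group gid="cache" />
    </permission>

    <!-- RW permissions to any system resources owned by group 'diag'.
         This is for carrier and manufacturer diagnostics tools that must be
         installable from the framework. Be careful.
         NOTE(review): the mapping below also attaches the 'input' group,
         which this description does not cover; confirm that it is intended
         and record why it is needed. -->
    <permission name="android.permission.DIAGNOSTIC" >
        <group gid="input" />
        <group gid="diag" />
    </permission>

    <!-- Group that can read detailed network usage statistics -->
    <permission name="android.permission.READ_NETWORK_USAGE_HISTORY">
        <group gid="net_bw_stats" />
    </permission>

    <!-- Group that can modify how network statistics are accounted -->
    <permission name="android.permission.UPDATE_DEVICE_STATS">
        <group gid="net_bw_acct" />
    </permission>

    <permission name="android.permission.LOOP_RADIO" >
        <group gid="loop_radio" />
    </permission>

    <!-- Hotword training apps sometimes need a GID to talk with low-level
         hardware; give them audio for now until full HAL support is added.
         NOTE(review): this is described as temporary; the 'audio' group is
         broader than hotword training alone, so revisit once HAL support
         exists. -->
    <permission name="android.permission.MANAGE_VOICE_KEYPHRASES">
        <group gid="audio" />
    </permission>

    <permission name="android.permission.ACCESS_BROADCAST_RADIO" >
        <!-- /dev/fm is gid media, not audio -->
        <group gid="media" />
    </permission>

    <permission name="android.permission.USE_RESERVED_DISK">
        <group gid="reserved_disk" />
    </permission>

    <!-- These permissions used to be mapped to gids.  They must stay
         declared here for as long as an upgrade from L to the current
         version is supported.  They are built-in, and in L built-in
         permissions were not stored in packages.xml; if they were not
         defined here, parsing packages.xml would ignore grants of these
         permissions to apps and the granted state would not propagate.
         From N on, built-in permissions are stored in packages.xml: the
         storage saved by omitting them is negligible (one tag with the
         permission) compared to the fragility, since removing a built-in
         permission that no longer needs to be mapped to gids would break
         grant propagation.
         Do not delete these two entries as "unused": they carry no
         <group> on purpose. -->
    <permission name="android.permission.READ_EXTERNAL_STORAGE" />
    <permission name="android.permission.WRITE_EXTERNAL_STORAGE" />

    <!-- ================================================================== -->
    <!-- ================================================================== -->
    <!-- ================================================================== -->

    <!-- The following tags assign high-level permissions to specific user
         IDs.  These are used to allow specific core system users to perform
         the given operations with the higher-level framework.  For example,
         we give a wide variety of permissions to the shell user since that
         is the user the adb shell runs under, and developers and others
         should have a fairly open environment in which to interact with the
         system.

         The grant is keyed on the uid, so anything running as that user
         holds the permission.  Add an entry only when the service needs it,
         and remove it when the need goes away. -->

    <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="media" />
    <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="media" />
    <assign-permission name="android.permission.WAKE_LOCK" uid="media" />
    <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="media" />
    <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="media" />
    <assign-permission name="android.permission.GET_PROCESS_STATE_AND_OOM_SCORE" uid="media" />

    <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="audioserver" />
    <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="audioserver" />
    <assign-permission name="android.permission.WAKE_LOCK" uid="audioserver" />
    <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="audioserver" />
    <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="audioserver" />
    <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="audioserver" />

    <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="cameraserver" />
    <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="cameraserver" />
    <assign-permission name="android.permission.WAKE_LOCK" uid="cameraserver" />
    <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="cameraserver" />
    <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="cameraserver" />
    <assign-permission name="android.permission.GET_PROCESS_STATE_AND_OOM_SCORE" uid="cameraserver" />
    <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="cameraserver" />
    <assign-permission name="android.permission.WATCH_APPOPS" uid="cameraserver" />

    <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="graphics" />

    <!-- NOTE(review): incidentd is the only uid in this file that is given
         INTERACT_ACROSS_USERS; keep that grant under review together with
         DUMP and PACKAGE_USAGE_STATS. -->
    <assign-permission name="android.permission.DUMP" uid="incidentd" />
    <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="incidentd" />
    <assign-permission name="android.permission.INTERACT_ACROSS_USERS" uid="incidentd" />

    <assign-permission name="android.permission.ACCESS_LOWPAN_STATE" uid="lowpan" />
    <assign-permission name="android.permission.MANAGE_LOWPAN_INTERFACES" uid="lowpan" />

    <assign-permission name="android.permission.DUMP" uid="statsd" />
    <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="statsd" />
    <assign-permission name="android.permission.STATSCOMPANION" uid="statsd" />
    <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="statsd" />

    <!-- This is a list of all the libraries available for application
         code to link against.  Each entry names a jar by absolute path. -->

    <library name="android.test.base"
            file="/system/framework/android.test.base.jar" />
    <library name="android.test.mock"
            file="/system/framework/android.test.mock.jar" />
    <library name="android.test.runner"
            file="/system/framework/android.test.runner.jar" />
    <library name="javax.obex"
            file="/system/framework/javax.obex.jar" />
    <library name="org.apache.http.legacy"
            file="/system/framework/org.apache.http.legacy.boot.jar" />

    <!-- These are the standard packages that are allow-listed to always have internet
         access while in power save mode, even if they aren't in the foreground. -->
    <allow-in-power-save package="com.android.providers.downloads" />

    <!-- These are the standard packages that are allow-listed to always have internet
         access while in data usage save mode, even if they aren't in the foreground. -->
    <allow-in-data-usage-save package="com.android.providers.downloads" />

    <!-- These are core platform components that need to freely run in the background -->
    <allow-in-power-save package="com.android.cellbroadcastreceiver" />
    <allow-in-power-save package="com.android.shell" />

    <!-- Allowlist system providers.  Note the different tag: these two
         entries use allow-in-power-save-except-idle rather than
         allow-in-power-save. -->
    <allow-in-power-save-except-idle package="com.android.providers.calendar" />
    <allow-in-power-save-except-idle package="com.android.providers.contacts" />
</permissions>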