1### 2### Apps that run with the system UID, e.g. com.android.system.ui, 3### com.android.settings. These are not as privileged as the system 4### server. 5### 6 7typeattribute system_app coredomain, mlstrustedsubject; 8 9app_domain(system_app) 10net_domain(system_app) 11binder_service(system_app) 12 13# android.ui and system.ui 14allow system_app rootfs:dir getattr; 15 16# Read and write /data/data subdirectory. 17allow system_app system_app_data_file:dir create_dir_perms; 18allow system_app system_app_data_file:{ file lnk_file } create_file_perms; 19 20# Read and write to /data/misc/user. 21allow system_app misc_user_data_file:dir create_dir_perms; 22allow system_app misc_user_data_file:file create_file_perms; 23 24# Access to apex files stored on /data (b/136063500) 25# Needed so that Settings can access NOTICE files inside apex 26# files located in the assets/ directory. 27allow system_app apex_data_file:dir search; 28allow system_app staging_data_file:file r_file_perms; 29 30# Read wallpaper file. 31allow system_app wallpaper_file:file r_file_perms; 32 33# Read icon file. 34allow system_app icon_file:file r_file_perms; 35 36# Write to properties 37set_prop(system_app, adaptive_haptics_prop) 38set_prop(system_app, arm64_memtag_prop) 39set_prop(system_app, bluetooth_a2dp_offload_prop) 40set_prop(system_app, bluetooth_audio_hal_prop) 41set_prop(system_app, bluetooth_prop) 42set_prop(system_app, debug_prop) 43set_prop(system_app, system_prop) 44set_prop(system_app, exported_bluetooth_prop) 45set_prop(system_app, exported_system_prop) 46set_prop(system_app, exported3_system_prop) 47set_prop(system_app, gesture_prop) 48set_prop(system_app, logd_prop) 49set_prop(system_app, net_radio_prop) 50set_prop(system_app, usb_control_prop) 51set_prop(system_app, usb_prop) 52set_prop(system_app, log_tag_prop) 53userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)') 54auditallow system_app net_radio_prop:property_service set; 55auditallow system_app usb_control_prop:property_service set; 56auditallow system_app usb_prop:property_service set; 57# Allow Settings to enable Dynamic System Update 58set_prop(system_app, dynamic_system_prop) 59 60# ctl interface 61set_prop(system_app, ctl_default_prop) 62set_prop(system_app, ctl_bugreport_prop) 63 64# Allow developer settings to query gsid status 65get_prop(system_app, gsid_prop) 66 67# Create /data/anr/traces.txt. 68allow system_app anr_data_file:dir ra_dir_perms; 69allow system_app anr_data_file:file create_file_perms; 70 71# Settings need to access app name and icon from asec 72allow system_app asec_apk_file:file r_file_perms; 73 74# Allow system apps (like Settings) to interact with statsd 75binder_call(system_app, statsd) 76 77# Allow system apps to interact with incidentd 78binder_call(system_app, incidentd) 79 80# Allow system app to interact with Dumpstate HAL 81hal_client_domain(system_app, hal_dumpstate) 82 83allow system_app servicemanager:service_manager list; 84# TODO: scope this down? Too broad? 85allow system_app { 86 service_manager_type 87 -apex_service 88 -dnsresolver_service 89 -dumpstate_service 90 -installd_service 91 -iorapd_service 92 -lpdump_service 93 -mdns_service 94 -netd_service 95 -system_suspend_control_internal_service 96 -system_suspend_control_service 97 -tracingproxy_service 98 -virtual_touchpad_service 99 -vold_service 100 -default_android_service 101}:service_manager find; 102# suppress denials for services system_app should not be accessing. 103dontaudit system_app { 104 dnsresolver_service 105 dumpstate_service 106 installd_service 107 iorapd_service 108 mdns_service 109 netd_service 110 virtual_touchpad_service 111 vold_service 112}:service_manager find; 113 114# suppress denials caused by debugfs_tracing 115dontaudit system_app debugfs_tracing:file rw_file_perms; 116 117allow system_app keystore:keystore_key { 118 get_state 119 get 120 insert 121 delete 122 exist 123 list 124 reset 125 password 126 lock 127 unlock 128 is_empty 129 sign 130 verify 131 grant 132 duplicate 133 clear_uid 134 user_changed 135}; 136 137allow system_app keystore:keystore2_key { 138 delete 139 get_info 140 grant 141 rebind 142 update 143 use 144}; 145 146# Allow Settings to manage WI-FI keys. 147allow system_app wifi_key:keystore2_key { 148 delete 149 get_info 150 rebind 151 update 152 use 153}; 154 155# settings app reads /proc/version 156allow system_app { 157 proc_version 158}:file r_file_perms; 159 160# Settings app writes to /dev/stune/foreground/tasks. 161allow system_app cgroup:file w_file_perms; 162allow system_app cgroup_v2:file w_file_perms; 163allow system_app cgroup_v2:dir w_dir_perms; 164 165control_logd(system_app) 166read_runtime_log_tags(system_app) 167get_prop(system_app, device_logging_prop) 168 169# allow system apps to use UDP sockets provided by the system server but not 170# modify them other than to connect 171allow system_app system_server:udp_socket { 172 connect getattr read recvfrom sendto write getopt setopt }; 173 174# Settings app reads ro.oem_unlock_supported 175get_prop(system_app, oem_unlock_prop) 176 177# Allow system apps to act as Perfetto producers. 178perfetto_producer(system_app) 179 180# Allow performance profiling by the platform itself. 181can_profile_heap(system_app) 182can_profile_perf(system_app) 183 184### 185### Neverallow rules 186### 187 188# app domains which access /dev/fuse should not run as system_app 189neverallow system_app fuse_device:chr_file *; 190 191# Apps which run as UID=system should not rely on any attacker controlled 192# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we 193# allow writes to files passed by file descriptor to support dumpstate and 194# bug reports, but not reads. 195neverallow system_app shell_data_file:dir { no_w_dir_perms open search read }; 196neverallow system_app shell_data_file:file { open read ioctl lock }; 197 198# system_app should be the only domain writing the adaptive haptics prop 199neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set; 200