xref: /aosp_15_r20/system/sepolicy/private/system_app.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1###
2### Apps that run with the system UID, e.g. com.android.system.ui,
3### com.android.settings.  These are not as privileged as the system
4### server.
5###
6
7typeattribute system_app coredomain, mlstrustedsubject;
8
9app_domain(system_app)
10net_domain(system_app)
11binder_service(system_app)
12
13# android.ui and system.ui
14allow system_app rootfs:dir getattr;
15
16# read/write certain subdirectories of /data/data for system UID apps.
17allow system_app system_app_data_file:dir create_dir_perms;
18allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
19
20# Read and write to /data/misc/user.
21allow system_app misc_user_data_file:dir create_dir_perms;
22allow system_app misc_user_data_file:file create_file_perms;
23
24# Access to apex files stored on /data (b/136063500)
25# Needed so that Settings can access NOTICE files inside apex
26# files located in the assets/ directory.
27allow system_app apex_data_file:dir search;
28allow system_app staging_data_file:file r_file_perms;
29
30# Read wallpaper file.
31allow system_app wallpaper_file:file r_file_perms;
32
33# Read icon file.
34allow system_app icon_file:file r_file_perms;
35
36# Write to properties
37set_prop(system_app, adaptive_haptics_prop)
38set_prop(system_app, arm64_memtag_prop)
39set_prop(system_app, bluetooth_a2dp_offload_prop)
40set_prop(system_app, bluetooth_audio_hal_prop)
41set_prop(system_app, bluetooth_prop)
42set_prop(system_app, debug_prop)
43set_prop(system_app, system_prop)
44set_prop(system_app, exported_bluetooth_prop)
45set_prop(system_app, exported_system_prop)
46set_prop(system_app, exported3_system_prop)
47set_prop(system_app, gesture_prop)
48set_prop(system_app, locale_prop)
49set_prop(system_app, logd_prop)
50set_prop(system_app, net_radio_prop)
51set_prop(system_app, timezone_prop)
52set_prop(system_app, usb_control_prop)
53set_prop(system_app, usb_prop)
54set_prop(system_app, log_tag_prop)
55set_prop(system_app, drm_forcel3_prop)
56userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
57auditallow system_app net_radio_prop:property_service set;
58auditallow system_app usb_control_prop:property_service set;
59auditallow system_app usb_prop:property_service set;
60# Allow Settings to enable Dynamic System Update
61set_prop(system_app, dynamic_system_prop)
62
63# ctl interface
64set_prop(system_app, ctl_default_prop)
65set_prop(system_app, ctl_bugreport_prop)
66
67# Allow developer settings to query gsid status
68get_prop(system_app, gsid_prop)
69
70# Allow developer settings to check 16k pages boot option status
71get_prop(system_app, enable_16k_pages_prop)
72
73# Create /data/anr/traces.txt.
74allow system_app anr_data_file:dir ra_dir_perms;
75allow system_app anr_data_file:file create_file_perms;
76
77# Settings need to access app name and icon from asec
78allow system_app asec_apk_file:file r_file_perms;
79
80# Allow system apps (like Settings) to interact with statsd
81binder_call(system_app, statsd)
82
83# Allow system apps to interact with incidentd
84binder_call(system_app, incidentd)
85
86# Allow system apps (Settings) to call into update_engine
87# in order to apply update to switch from 4k kernel to 16K and vice-versa
88binder_use(system_app)
89allow system_app update_engine_stable_service:service_manager find;
90binder_call(system_app, update_engine)
91
92# Allow system app to interact with Dumpstate HAL
93hal_client_domain(system_app, hal_dumpstate)
94
95allow system_app servicemanager:service_manager list;
96# TODO: scope this down? Too broad?
97allow system_app {
98  service_manager_type
99  -apex_service
100  -dnsresolver_service
101  -dumpstate_service
102  -installd_service
103  -lpdump_service
104  -mdns_service
105  -netd_service
106  -system_suspend_control_internal_service
107  -system_suspend_control_service
108  -tracingproxy_service
109  -virtual_touchpad_service
110  -vold_service
111  -default_android_service
112}:service_manager find;
113# suppress denials for services system_app should not be accessing.
114dontaudit system_app {
115  dnsresolver_service
116  dumpstate_service
117  installd_service
118  mdns_service
119  netd_service
120  virtual_touchpad_service
121  vold_service
122}:service_manager find;
123
124# suppress denials caused by debugfs_tracing
125dontaudit system_app debugfs_tracing:file rw_file_perms;
126
127# Ignore access to memory properties for Settings.
128dontaudit system_app proc_pagetypeinfo:file r_file_perms;
129dontaudit system_app sysfs_zram:dir search;
130
131allow system_app keystore:keystore2_key {
132    delete
133    get_info
134    grant
135    rebind
136    update
137    use
138};
139
140# Allow Settings to manage WI-FI keys.
141allow system_app wifi_key:keystore2_key {
142    delete
143    get_info
144    rebind
145    update
146    use
147};
148
149# settings app reads /proc/version
150allow system_app {
151  proc_version
152}:file r_file_perms;
153
154# Allow system apps to modify cgroup attributes and migrate processes
155allow system_app cgroup:file w_file_perms;
156allow system_app cgroup_v2:file w_file_perms;
157allow system_app cgroup_v2:dir w_dir_perms;
158
159control_logd(system_app)
160read_runtime_log_tags(system_app)
161get_prop(system_app, device_logging_prop)
162
163# allow system apps to use UDP sockets provided by the system server but not
164# modify them other than to connect
165allow system_app system_server:udp_socket {
166        connect getattr read recvfrom sendto write getopt setopt };
167
168# allow system apps to read game manager related sysrops
169get_prop(system_app, game_manager_config_prop)
170
171# Settings app reads ro.oem_unlock_supported
172get_prop(system_app, oem_unlock_prop)
173
174# Settings app reads ro.usb.uvc.enabled
175get_prop(system_app, usb_uvc_enabled_prop)
176
177# Settings app reads and writes the wifi blob database
178allow system_app connectivityblob_data_file:dir rw_dir_perms;
179allow system_app connectivityblob_data_file:file create_file_perms;
180
181###
182### Neverallow rules
183###
184
185# app domains which access /dev/fuse should not run as system_app
186neverallow system_app fuse_device:chr_file *;
187
188# Apps which run as UID=system should not rely on any attacker controlled
189# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
190# allow writes to files passed by file descriptor to support dumpstate and
191# bug reports, but not reads.
192neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
193neverallow system_app shell_data_file:file { open read ioctl lock };
194
195# system_app should be the only domain writing the adaptive haptics prop
196neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
197# system_app should be the only domain writing the force l3 prop
198neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
199
200allow system_app vendor_boot_ota_file:dir { r_dir_perms };
201allow system_app vendor_boot_ota_file:file { r_file_perms };
202
203# allow system_app to read system_dlkm_file for /system_dlkm/etc/NOTICE.xml.gz
204allow system_app system_dlkm_file:dir search;
205allow system_app system_dlkm_file:file { getattr open read };
206