system_app.te - platform/external/sepolicy - Git at Google

 #
 # Apps that run with the system UID, e.g. com.android.system.ui,
 # com.android.settings.  These are not as privileged as the system
 # server.
 #
 type system_app, domain;
 app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)

 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

 # Read /data/misc/keychain subdirectory.
 allow system_app keychain_data_file:dir r_dir_perms;
 allow system_app keychain_data_file:file r_file_perms;

 # Read and write to other system-owned /data directories, such as
 # /data/system/cache and /data/misc/user.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
 allow system_app misc_user_data_file:dir create_dir_perms;
 allow system_app misc_user_data_file:file create_file_perms;
 # Audit writes to these directories and files so we can identify
 # and possibly move these directories into their own type in the future.
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
 auditallow system_app system_data_file:file { create setattr append write link unlink rename };

 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;

 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
 allow system_app net_radio_prop:property_service set;
 allow system_app system_radio_prop:property_service set;
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 allow system_app system_prop:property_service set;
 allow system_app ctl_bugreport_prop:property_service set;
 allow system_app logd_prop:property_service set;

 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;

 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;

 allow system_app mediaserver_service:service_manager find;
 allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;

 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
     -accessibility_service
     -activity_service
     -appops_service
     -appwidget_service
     -assetatlas_service
     -audio_service
     -backup_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
     -device_policy_service
     -display_service
     -dreams_service
     -dropbox_service
     -graphicsstats_service
     -input_method_service
     -input_service
     -lock_settings_service
     -mount_service
     -network_management_service
     -notification_service
     -power_service
     -print_service
     -registry_service
     -sensorservice_service
     -usagestats_service
     -usb_service
     -user_service
     -vibrator_service
     -wifi_service
 }:service_manager find;

 allow system_app keystore:keystore_key {
 	test
 	get
 	insert
 	delete
 	exist
 	saw
 	reset
 	password
 	lock
 	unlock
 	zero
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
 };

 control_logd(system_app)
	#
	# Apps that run with the system UID, e.g. com.android.system.ui,
	# com.android.settings. These are not as privileged as the system
	# server.
	#
	type system_app, domain;
	app_domain(system_app)
	net_domain(system_app)
	binder_service(system_app)

	# Read and write /data/data subdirectory.
	allow system_app system_app_data_file:dir create_dir_perms;
	allow system_app system_app_data_file:{ file lnk_file } create_file_perms;

	# Read /data/misc/keychain subdirectory.
	allow system_app keychain_data_file:dir r_dir_perms;
	allow system_app keychain_data_file:file r_file_perms;

	# Read and write to other system-owned /data directories, such as
	# /data/system/cache and /data/misc/user.
	allow system_app system_data_file:dir create_dir_perms;
	allow system_app system_data_file:file create_file_perms;
	allow system_app misc_user_data_file:dir create_dir_perms;
	allow system_app misc_user_data_file:file create_file_perms;
	# Audit writes to these directories and files so we can identify
	# and possibly move these directories into their own type in the future.
	auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
	auditallow system_app system_data_file:file { create setattr append write link unlink rename };

	# Read wallpaper file.
	allow system_app wallpaper_file:file r_file_perms;

	# Write to properties
	unix_socket_connect(system_app, property, init)
	allow system_app debug_prop:property_service set;
	allow system_app net_radio_prop:property_service set;
	allow system_app system_radio_prop:property_service set;
	auditallow system_app net_radio_prop:property_service set;
	auditallow system_app system_radio_prop:property_service set;
	allow system_app system_prop:property_service set;
	allow system_app ctl_bugreport_prop:property_service set;
	allow system_app logd_prop:property_service set;

	# Create /data/anr/traces.txt.
	allow system_app anr_data_file:dir ra_dir_perms;
	allow system_app anr_data_file:file create_file_perms;

	# Settings need to access app name and icon from asec
	allow system_app asec_apk_file:file r_file_perms;

	allow system_app mediaserver_service:service_manager find;
	allow system_app nfc_service:service_manager find;
	allow system_app radio_service:service_manager find;
	allow system_app surfaceflinger_service:service_manager find;
	allow system_app system_app_service:service_manager add;
	allow system_app system_server_service:service_manager find;
	allow system_app tmp_system_server_service:service_manager find;

	service_manager_local_audit_domain(system_app)
	auditallow system_app {
	tmp_system_server_service
	-accessibility_service
	-activity_service
	-appops_service
	-appwidget_service
	-assetatlas_service
	-audio_service
	-backup_service
	-bluetooth_manager_service
	-connectivity_service
	-content_service
	-device_policy_service
	-display_service
	-dreams_service
	-dropbox_service
	-graphicsstats_service
	-input_method_service
	-input_service
	-lock_settings_service
	-mount_service
	-network_management_service
	-notification_service
	-power_service
	-print_service
	-registry_service
	-sensorservice_service
	-usagestats_service
	-usb_service
	-user_service
	-vibrator_service
	-wifi_service
	}:service_manager find;

	allow system_app keystore:keystore_key {
	test
	get
	insert
	delete
	exist
	saw
	reset
	password
	lock
	unlock
	zero
	sign
	verify
	grant
	duplicate
	clear_uid
	};

	control_logd(system_app)