platform_app.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

###
### Apps signed with the platform key.
###

type platform_app, domain;
app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms;

# Access to /data/media.
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;

# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;

allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;

service_manager_local_audit_domain(platform_app)
auditallow platform_app {
    tmp_system_server_service
    -bluetooth_manager_service
    -connectivity_service
    -content_service
    -device_policy_service
    -display_service
    -dreams_service
    -dropbox_service
    -fingerprint_service
    -graphicsstats_service
    -input_method_service
    -input_service
    -lock_settings_service
    -media_projection_service
    -media_router_service
    -media_session_service
    -mount_service
    -netpolicy_service
    -netstats_service
    -network_management_service
    -notification_service
    -power_service
    -registry_service
    -search_service
    -sensorservice_service
    -statusbar_service
    -trust_service
    -uimode_service
    -usb_service
    -user_service
    -vibrator_service
    -wallpaper_service
    -webviewupdate_service
    -wifi_service
}:service_manager find;