1<?xml version="1.0" encoding="utf-8"?> 2<!-- Copyright (C) 2008 The Android Open Source Project 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15--> 16 17<!-- This file is used to define the mappings between lower-level system 18 user and group IDs and the higher-level permission names managed 19 by the platform. 20 21 Be VERY careful when editing this file! Mistakes made here can open 22 big security holes. 23--> 24<permissions> 25 26 <!-- ================================================================== --> 27 <!-- ================================================================== --> 28 <!-- ================================================================== --> 29 30 <!-- The following tags are associating low-level group IDs with 31 permission names. By specifying such a mapping, you are saying 32 that any application process granted the given permission will 33 also be running with the given group ID attached to its process, 34 so it can perform any filesystem (read, write, execute) operations 35 allowed for that group. --> 36 37 <permission name="android.permission.BLUETOOTH_ADMIN" > 38 <group gid="net_bt_admin" /> 39 </permission> 40 41 <permission name="android.permission.BLUETOOTH" > 42 <group gid="net_bt" /> 43 </permission> 44 45 <permission name="android.permission.BLUETOOTH_STACK" > 46 <group gid="bluetooth" /> 47 <group gid="wakelock" /> 48 <group gid="uhid" /> 49 </permission> 50 51 <permission name="android.permission.NET_TUNNELING" > 52 <group gid="vpn" /> 53 </permission> 54 55 <permission name="android.permission.INTERNET" > 56 <group gid="inet" /> 57 </permission> 58 59 <permission name="android.permission.READ_LOGS" > 60 <group gid="log" /> 61 </permission> 62 63 <permission name="android.permission.WRITE_MEDIA_STORAGE" > 64 <group gid="media_rw" /> 65 </permission> 66 67 <permission name="android.permission.ACCESS_MTP" > 68 <group gid="mtp" /> 69 </permission> 70 71 <permission name="android.permission.NET_ADMIN" > 72 <group gid="net_admin" /> 73 </permission> 74 75 <permission name="android.permission.MAINLINE_NETWORK_STACK" > 76 <group gid="net_admin" /> 77 <group gid="net_raw" /> 78 </permission> 79 80 <!-- The group that /cache belongs to, linked to the permission 81 set on the applications that can access /cache --> 82 <permission name="android.permission.ACCESS_CACHE_FILESYSTEM" > 83 <group gid="cache" /> 84 </permission> 85 86 <!-- RW permissions to any system resources owned by group 'diag'. 87 This is for carrier and manufacture diagnostics tools that must be 88 installable from the framework. Be careful. --> 89 <permission name="android.permission.DIAGNOSTIC" > 90 <group gid="input" /> 91 <group gid="diag" /> 92 </permission> 93 94 <!-- Group that can read detailed network usage statistics --> 95 <permission name="android.permission.READ_NETWORK_USAGE_HISTORY"> 96 <group gid="net_bw_stats" /> 97 </permission> 98 99 <!-- Group that can modify how network statistics are accounted --> 100 <permission name="android.permission.UPDATE_DEVICE_STATS"> 101 <group gid="net_bw_acct" /> 102 </permission> 103 104 <permission name="android.permission.LOOP_RADIO" > 105 <group gid="loop_radio" /> 106 </permission> 107 108 <!-- Hotword training apps sometimes need a GID to talk with low-level 109 hardware; give them audio for now until full HAL support is added. --> 110 <permission name="android.permission.MANAGE_VOICE_KEYPHRASES"> 111 <group gid="audio" /> 112 </permission> 113 114 <permission name="android.permission.ACCESS_BROADCAST_RADIO" > 115 <!-- /dev/fm is gid media, not audio --> 116 <group gid="media" /> 117 </permission> 118 119 <permission name="android.permission.USE_RESERVED_DISK"> 120 <group gid="reserved_disk" /> 121 </permission> 122 123 <!-- These are permissions that were mapped to gids but we need 124 to keep them here until an upgrade from L to the current 125 version is to be supported. These permissions are built-in 126 and in L were not stored in packages.xml as a result if they 127 are not defined here while parsing packages.xml we would 128 ignore these permissions being granted to apps and not 129 propagate the granted state. From N we are storing the 130 built-in permissions in packages.xml as the saved storage 131 is negligible (one tag with the permission) compared to 132 the fragility as one can remove a built-in permission which 133 no longer needs to be mapped to gids and break grant propagation. --> 134 <permission name="android.permission.READ_EXTERNAL_STORAGE" /> 135 <permission name="android.permission.WRITE_EXTERNAL_STORAGE" /> 136 137 <!-- ================================================================== --> 138 <!-- ================================================================== --> 139 <!-- ================================================================== --> 140 141 <!-- The following tags are assigning high-level permissions to specific 142 user IDs. These are used to allow specific core system users to 143 perform the given operations with the higher-level framework. For 144 example, we give a wide variety of permissions to the shell user 145 since that is the user the adb shell runs under and developers and 146 others should have a fairly open environment in which to 147 interact with the system. --> 148 149 <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="media" /> 150 <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="media" /> 151 <assign-permission name="android.permission.WAKE_LOCK" uid="media" /> 152 <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="media" /> 153 <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="media" /> 154 <assign-permission name="android.permission.GET_PROCESS_STATE_AND_OOM_SCORE" uid="media" /> 155 <assign-permission name="android.permission.INTERNET" uid="media" /> 156 157 <assign-permission name="android.permission.INTERNET" uid="shell" /> 158 159 <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="audioserver" /> 160 <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="audioserver" /> 161 <assign-permission name="android.permission.WAKE_LOCK" uid="audioserver" /> 162 <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="audioserver" /> 163 <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="audioserver" /> 164 <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="audioserver" /> 165 166 <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="cameraserver" /> 167 <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="cameraserver" /> 168 <assign-permission name="android.permission.WAKE_LOCK" uid="cameraserver" /> 169 <assign-permission name="android.permission.UPDATE_DEVICE_STATS" uid="cameraserver" /> 170 <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="cameraserver" /> 171 <assign-permission name="android.permission.GET_PROCESS_STATE_AND_OOM_SCORE" uid="cameraserver" /> 172 <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="cameraserver" /> 173 <assign-permission name="android.permission.WATCH_APPOPS" uid="cameraserver" /> 174 175 <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="graphics" /> 176 177 <assign-permission name="android.permission.DUMP" uid="incidentd" /> 178 <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="incidentd" /> 179 <assign-permission name="android.permission.INTERACT_ACROSS_USERS" uid="incidentd" /> 180 <assign-permission name="android.permission.REQUEST_INCIDENT_REPORT_APPROVAL" uid="incidentd" /> 181 182 <assign-permission name="android.permission.ACCESS_LOWPAN_STATE" uid="lowpan" /> 183 <assign-permission name="android.permission.MANAGE_LOWPAN_INTERFACES" uid="lowpan" /> 184 185 <assign-permission name="android.permission.BATTERY_STATS" uid="statsd" /> 186 <assign-permission name="android.permission.DUMP" uid="statsd" /> 187 <assign-permission name="android.permission.PACKAGE_USAGE_STATS" uid="statsd" /> 188 <assign-permission name="android.permission.STATSCOMPANION" uid="statsd" /> 189 <assign-permission name="android.permission.UPDATE_APP_OPS_STATS" uid="statsd" /> 190 191 <split-permission name="android.permission.ACCESS_FINE_LOCATION"> 192 <new-permission name="android.permission.ACCESS_COARSE_LOCATION" /> 193 </split-permission> 194 <split-permission name="android.permission.WRITE_EXTERNAL_STORAGE"> 195 <new-permission name="android.permission.READ_EXTERNAL_STORAGE" /> 196 </split-permission> 197 <split-permission name="android.permission.READ_CONTACTS" 198 targetSdk="16"> 199 <new-permission name="android.permission.READ_CALL_LOG" /> 200 </split-permission> 201 <split-permission name="android.permission.WRITE_CONTACTS" 202 targetSdk="16"> 203 <new-permission name="android.permission.WRITE_CALL_LOG" /> 204 </split-permission> 205 <split-permission name="android.permission.ACCESS_FINE_LOCATION" 206 targetSdk="29"> 207 <new-permission name="android.permission.ACCESS_BACKGROUND_LOCATION" /> 208 </split-permission> 209 <split-permission name="android.permission.ACCESS_COARSE_LOCATION" 210 targetSdk="29"> 211 <new-permission name="android.permission.ACCESS_BACKGROUND_LOCATION" /> 212 </split-permission> 213 <split-permission name="android.permission.READ_EXTERNAL_STORAGE" 214 targetSdk="29"> 215 <new-permission name="android.permission.ACCESS_MEDIA_LOCATION" /> 216 </split-permission> 217 218 <!-- This is a list of all the libraries available for application 219 code to link against. --> 220 221 <library name="android.test.base" 222 file="/system/framework/android.test.base.jar" /> 223 <library name="android.test.mock" 224 file="/system/framework/android.test.mock.jar" 225 dependency="android.test.base" /> 226 <library name="android.test.runner" 227 file="/system/framework/android.test.runner.jar" 228 dependency="android.test.base:android.test.mock" /> 229 230 <!-- In BOOT_JARS historically, and now added to legacy applications. --> 231 <library name="android.hidl.base-V1.0-java" 232 file="/system/framework/android.hidl.base-V1.0-java.jar" /> 233 <library name="android.hidl.manager-V1.0-java" 234 file="/system/framework/android.hidl.manager-V1.0-java.jar" 235 dependency="android.hidl.base-V1.0-java" /> 236 237 <!-- These are the standard packages that are white-listed to always have internet 238 access while in power save mode, even if they aren't in the foreground. --> 239 <allow-in-power-save package="com.android.providers.downloads" /> 240 241 <!-- These are the standard packages that are white-listed to always have internet 242 access while in data mode, even if they aren't in the foreground. --> 243 <allow-in-data-usage-save package="com.android.providers.downloads" /> 244 245 <!-- This is a core platform component that needs to freely run in the background --> 246 <allow-in-power-save package="com.android.cellbroadcastreceiver" /> 247 <allow-in-power-save package="com.android.shell" /> 248 249 <!-- Whitelist system providers --> 250 <allow-in-power-save-except-idle package="com.android.providers.calendar" /> 251 <allow-in-power-save-except-idle package="com.android.providers.contacts" /> 252 253 <!-- The PAC proxy process must have network access, otherwise no app will 254 be able to connect to the internet when such a proxy is in use, since 255 all outgoing connections originate from this app. --> 256 <allow-in-power-save-except-idle package="com.android.proxyhandler" /> 257 258 <!-- These are the packages that are white-listed to be able to run as system user --> 259 <system-user-whitelisted-app package="com.android.settings" /> 260 261 <!-- These are the packages that shouldn't run as system user --> 262 <system-user-blacklisted-app package="com.android.wallpaper.livepicker" /> 263</permissions> 264