Add mac_permissions.xml file.

This was moved from external/mac-policy.git

Add mac_permissions.xml file.
b19665c3 · rpcraig · 1f0f77fc · b19665c3 · b19665c3
Commit b19665c3 authored 12 years ago by rpcraig
--- a/Android.mk
+++ b/Android.mk
@@ -100,6 +100,18 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
 include $(BUILD_PREBUILT)
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+include $(BUILD_PREBUILT)
 ##################################
 endif #ifeq ($(HAVE_SELINUX),true)
--- a/mac_permissions.xml
+++ b/mac_permissions.xml
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+<!-- 
+    Sample signer stanza for install policy
+    Rules:
+    * A signature is a hex encoded X.509 certificate and is required for each signer tag.
+    * A <signer signature="" > element may have multiple child elements:
+        allow-permission : produces a set of maximal allowed permissions (whitelist).
+        deny-permission : produces a blacklist of permissions to deny.
+        allow-all : a wildcard tag that will allow every permission requested.
+        package : a complex tag which itself defines allow, deny, and wildcard sub elements for
+            a specific package name protected by the signature
+    * Zero or more global <package name=""> tags are allowed. These tags allow a policy
+      to be set outside any signature for specific package names.
+    * Unknown tags at any level are skipped.
+    * Zero or more signer tags are allowed.
+    * Zero or more package tags are allowed per signer tag.
+    * A <package name=""> tag may not contain another <package name=""> tag. If found, it's skipped.
+    * A <default> tag is allowed that can contain install policy for all apps not signed with a 
+      previously listed cert and not having a per package global policy.
+    * When multiple sub elements appear for a tag the following logic is used to
+        ultimately determine the type of enforcement:
+       ** A blacklist is used if at least one deny-permission tag is found
+       ** A whitelist is used if not a blacklist and at least one allow-permission tag is found
+       ** A wildcard (accept all permission) policy is used if not a blacklist and not a whitelist
+          and at least one allow-all tag is present.
+       ** If a <package name=""> sub element is found then that sub element's policy is used
+          according to the above logic and overrides any signature global policy type.
+       ** In order for a policy stanza to be enforced at least one of the above situations must
+          apply. Meaning, empty signer, default or package tags will not be accepted.
+    * Each signer/default/global package tag is allowed to contain one <seinfo value=""/> tag.
+      This tag represents additional info that each app can use in setting a SELinux security
+      context on the eventual process. Any <seinfo value=""/> tag found as a child of a
+      <package name=""> tag which is protected (sub element of signer or the default tag) is
+      ignored. It's possible that multiple seinfo tags are relevant for one app. In the event
+      that this happens, the seinfo tag that will be applied is the one for which the corresponding
+      policy stanza is used in the policy decision.
+    * Strict enforcing of any xml stanza is not enforced in most cases. This mainly applies to
+        duplicate tags which are allowed. In the event that a tag already exists, the original
+        tag is replaced.
+    * There are also no checks on the validity of permission names. Although valid android
+        permissions are expected, nothing prevents unknowns.
+    * Enforcement decisions:
+       - All signatures used to sign an app are checked for policy according to signer tags.
+         Only one of the signature policies has to pass however.
+       - In the event that none of the signature policies pass, or none even match, then
+         a global package policy is sought. If found, this policy mediates the install.
+       - The default tag is consulted last if needed.
+       - A local package policy always overrides any parent policy.
+       - If none of the cases apply then the app is denied.
+    Example global package policy
+    <package name="com.foo.com">
+      <allow-permission name="android.permission.INTERNET" />
+      <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+      <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+    </package>
+    Sample stanzas are given below based on the AOSP developer keys.
+-->
+    <!-- Platform dev key with AOSP -->
+    <signer signature="308204a830820390a003020102020900b3998086d056cffa300d06092a864886f70d0101040500308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d301e170d3038303431353232343035305a170d3335303930313232343035305a308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d30820120300d06092a864886f70d01010105000382010d003082010802820101009c780592ac0d5d381cdeaa65ecc8a6006e36480c6d7207b12011be50863aabe2b55d009adf7146d6f2202280c7cd4d7bdb26243b8a806c26b34b137523a49268224904dc01493e7c0acf1a05c874f69b037b60309d9074d24280e16bad2a8734361951eaf72a482d09b204b1875e12ac98c1aa773d6800b9eafde56d58bed8e8da16f9a360099c37a834a6dfedb7b6b44a049e07a269fccf2c5496f2cf36d64df90a3b8d8f34a3baab4cf53371ab27719b3ba58754ad0c53fc14e1db45d51e234fbbe93c9ba4edf9ce54261350ec535607bf69a2ff4aa07db5f7ea200d09a6c1b49e21402f89ed1190893aab5a9180f152e82f85a45753cf5fc19071c5eec827020103a381fc3081f9301d0603551d0e041604144fe4a0b3dd9cba29f71d7287c4e7c38f2086c2993081c90603551d230481c13081be80144fe4a0b3dd9cba29f71d7287c4e7c38f2086c299a1819aa48197308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d820900b3998086d056cffa300c0603551d13040530030101ff300d06092a864886f70d01010405000382010100572551b8d93a1f73de0f6d469f86dad6701400293c88a0cd7cd778b73dafcc197fab76e6212e56c1c761cfc42fd733de52c50ae08814cefc0a3b5a1a4346054d829f1d82b42b2048bf88b5d14929ef85f60edd12d72d55657e22e3e85d04c831d613d19938bb8982247fa321256ba12d1d6a8f92ea1db1c373317ba0c037f0d1aff645aef224979fba6e7a14bc025c71b98138cef3ddfc059617cf24845cf7b40d6382f7275ed738495ab6e5931b9421765c491b72fb68e080dbdb58c2029d347c8b328ce43ef6a8b15533edfbe989bd6a48dd4b202eda94c6ab8dd5b8399203daae2ed446232e4fe9bd961394c6300e5138e3cfd285e6e4e483538cb8b1b357" >
+      <allow-all />
+      <seinfo value="platform" />
+    </signer>
+    <!-- Media dev key in AOSP -->
+    <signer signature="308204a830820390a003020102020900f2b98e6123572c4e300d06092a864886f70d0101040500308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d301e170d3038303431353233343035375a170d3335303930313233343035375a308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d30820120300d06092a864886f70d01010105000382010d00308201080282010100ae250c5a16ef97fc2869ac651b3217cc36ba0e86964168d58a049f40ce85867123a3ffb4f6d949c33cf2da3a05c23eacaa57d803889b1759bcf59e7c6f21890ae25085b7ed56aa626c0989ef9ccd36362ca0e8d1b9603fd4d8328767926ccc090c68b775ae7ff30934cc369ef2855a2667df0c667fd0c7cf5d8eba655806737303bb624726eabaedfb72f07ed7a76ab3cb9a381c4b7dcd809b140d891f00213be401f58d6a06a61eadc3a9c2f1c6567285b09ae09342a66fa421eaf93adf7573a028c331d70601ab3af7cc84033ece7c772a3a5b86b0dbe9d777c3a48aa9801edcee2781589f44d9e4113979600576a99410ba81091259dad98c6c68ff784b8f020103a381fc3081f9301d0603551d0e04160414ca293caa8bc0ed3e542eef4205a2bff2b57e4d753081c90603551d230481c13081be8014ca293caa8bc0ed3e542eef4205a2bff2b57e4d75a1819aa48197308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d820900f2b98e6123572c4e300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010084de9516d5e4a87217a73da8487048f53373a5f733f390d61bdf3cc9e5251625bfcaa7c3159cae275d172a9ae1e876d5458127ac542f68290dd510c0029d8f51e0ee156b7b7b5acdb394241b8ec78b74e5c42c5cafae156caf5bd199a23a27524da072debbe378464a533630b0e4d0ffb7e08ecb701fadb6379c74467f6e00c6ed888595380792038756007872c8e3007af423a57a2cab3a282869b64c4b7bd5fc187d0a7e2415965d5aae4e07a6df751b4a75e9793c918a612b81cd0b628aee0168dc44e47b10d3593260849d6adf6d727dc24444c221d3f9ecc368cad07999f2b8105bc1f20d38d41066cc1411c257a96ea4349f5746565507e4e8020a1a81" >
+      <allow-permission name="android.permission.ACCESS_ALL_DOWNLOADS" />
+      <allow-permission name="android.permission.ACCESS_CACHE_FILESYSTEM" />
+      <allow-permission name="android.permission.ACCESS_DOWNLOAD_MANAGER" />
+      <allow-permission name="android.permission.ACCESS_MTP" />
+      <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+      <allow-permission name="android.permission.CONNECTIVITY_INTERNAL" />
+      <allow-permission name="android.permission.INTERNET" />
+      <allow-permission name="android.permission.MODIFY_NETWORK_ACCOUNTING" />
+      <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
+      <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
+      <allow-permission name="android.permission.RECEIVE_WAP_PUSH" />
+      <allow-permission name="android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS" />
+      <allow-permission name="android.permission.UPDATE_DEVICE_STATS" />
+      <allow-permission name="android.permission.WAKE_LOCK" />
+      <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+      <allow-permission name="android.permission.WRITE_MEDIA_STORAGE" />
+      <allow-permission name="android.permission.WRITE_SETTINGS" />
+      <seinfo value="media" />
+    </signer>
+    <!-- shared dev key in AOSP -->
+    <signer signature="308204a830820390a003020102020900f2a73396bd38767a300d06092a864886f70d0101040500308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d301e170d3038303732333231353735395a170d3335313230393231353735395a308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d30820120300d06092a864886f70d01010105000382010d00308201080282010100c8c2dbfd094a2df45c3ff1a32ed21805ec72fc58d017971bd0f6b52c262d70819d191967e158dfd3a2c7f1b3e0e80ce545d79d2848220211eb86f0fd8312d37b420c113750cc94618ae872f4886463bdc4627caa0c0483c86493e3515571170338bfdcc4cd6addd1c0a2f35f5cf24ed3e4043a3e58e2b05e664ccde12bcb67735fd6df1249c369e62542bc0a4729e53917f5c38ffa52d17b73c9c73798ddb18ed481590875547e66bfc5daca4c25a6eb960ed96923709da302ba646cb496b325e86c5c8b2e7a3377b2bbe4c7cf33254291163f689152ac088550c83c508f4bf5adf0aed5a2dca0583f9ab0ad17650db7eea4b23fdb45885547d0feab72183889020103a381fc3081f9301d0603551d0e04160414cb4c7e2cdbb3f0ada98dab79968d172e9dbb1ed13081c90603551d230481c13081be8014cb4c7e2cdbb3f0ada98dab79968d172e9dbb1ed1a1819aa48197308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d820900f2a73396bd38767a300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010040a8d096997959e917a36c44246b6bac2bae05437ecd89794118f7834720352d1c6f8a39b0869942f4da65981faa2951d33971129ec1921d795671c527d6e249f252829faf5b591310311e2de096500d568ad4114a656dc34a8c6f610453afc1ea7992dba4aa7b3f8543a6e35c0728de77fe97eeac83771fd0ec90f8e4449434ee0b6045783e70c7a2e460249260e003cf7608dc352a4c9ef706def4b26050e978ae2fffd7a3323787014915eb3cc874fcc7a9ae930877c5c8c7d1c2e2a8ee863c89180d1855cedba400e7ba43cccaa7243d397e7c0e8e8e4d7d4f92b6bbead49c0cf018069eddca2e7e2fb4668d89dbbd7950d0cd254180fa1eaafc2a556f84" >
+      <allow-permission name="android.permission.ACCESS_COARSE_LOCATION" />
+      <allow-permission name="android.permission.ACCESS_FINE_LOCATION" />
+      <allow-permission name="android.permission.ACCESS_NETWORK_STATE" />
+      <allow-permission name="android.permission.ALLOW_ANY_CODEC_FOR_PLAYBACK" />
+      <allow-permission name="android.permission.BIND_APPWIDGET" />
+      <allow-permission name="android.permission.BIND_WALLPAPER" />
+      <allow-permission name="android.permission.CALL_PHONE" />
+      <allow-permission name="android.permission.CALL_PRIVILEGED" />
+      <allow-permission name="android.permission.CAMERA" />
+      <allow-permission name="android.permission.GET_ACCOUNTS" />
+      <allow-permission name="android.permission.GLOBAL_SEARCH" />
+      <allow-permission name="android.permission.INTERNET" />
+      <allow-permission name="android.permission.MANAGE_ACCOUNTS" />
+      <allow-permission name="android.permission.MODIFY_AUDIO_SETTINGS" />
+      <allow-permission name="android.permission.MODIFY_PHONE_STATE" />
+      <allow-permission name="android.permission.NFC" />
+      <allow-permission name="android.permission.PACKAGE_USAGE_STATS" />
+      <allow-permission name="android.permission.READ_CALL_LOG" />
+      <allow-permission name="android.permission.READ_CONTACTS"/>
+      <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
+      <allow-permission name="android.permission.READ_PHONE_STATE" />
+      <allow-permission name="android.permission.READ_PROFILE" />
+      <allow-permission name="android.permission.READ_SOCIAL_STREAM" />
+      <allow-permission name="android.permission.READ_SYNC_SETTINGS" />
+      <allow-permission name="android.permission.READ_SYNC_STATS" />
+      <allow-permission name="android.permission.READ_USER_DICTIONARY" />
+      <allow-permission name="android.permission.REBOOT" />
+      <allow-permission name="android.permission.RECEIVE_BOOT_COMPLETED" />
+      <allow-permission name="android.permission.RECORD_AUDIO" />
+      <allow-permission name="android.permission.SET_WALLPAPER" />
+      <allow-permission name="android.permission.SET_WALLPAPER_COMPONENT" />
+      <allow-permission name="android.permission.SET_WALLPAPER_HINTS" />
+      <allow-permission name="android.permission.SUBSCRIBED_FEEDS_READ" />
+      <allow-permission name="android.permission.SUBSCRIBED_FEEDS_WRITE" />
+      <allow-permission name="android.permission.USE_CREDENTIALS" />
+      <allow-permission name="android.permission.VIBRATE" />
+      <allow-permission name="android.permission.WAKE_LOCK" />
+      <allow-permission name="android.permission.WRITE_CALL_LOG" />
+      <allow-permission name="android.permission.WRITE_CONTACTS" />
+      <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+      <allow-permission name="android.permission.WRITE_PROFILE" />
+      <allow-permission name="android.permission.WRITE_SETTINGS" />
+      <allow-permission name="android.permission.WRITE_USER_DICTIONARY" />
+      <allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
+      <allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT" />
+      <allow-permission name="com.android.launcher.permission.READ_SETTINGS" />
+      <allow-permission name="com.android.launcher.permission.WRITE_SETTINGS" />
+      <allow-permission name="com.android.voicemail.permission.ADD_VOICEMAIL" />
+      <allow-permission name="com.android.voicemail.permission.READ_WRITE_ALL_VOICEMAIL" />
+      <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH" />
+      <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.cp" />
+      <allow-permission name="com.google.android.googleapps.permission.GOOGLE_AUTH.mail" />
+      <seinfo value="shared" />
+    </signer>
+    <!-- release dev key in AOSP -->
+    <signer signature="308204a830820390a003020102020900936eacbe07f201df300d06092a864886f70d0101050500308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d301e170d3038303232393031333334365a170d3335303731373031333334365a308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d30820120300d06092a864886f70d01010105000382010d00308201080282010100d6931904dec60b24b1edc762e0d9d8253e3ecd6ceb1de2ff068ca8e8bca8cd6bd3786ea70aa76ce60ebb0f993559ffd93e77a943e7e83d4b64b8e4fea2d3e656f1e267a81bbfb230b578c20443be4c7218b846f5211586f038a14e89c2be387f8ebecf8fcac3da1ee330c9ea93d0a7c3dc4af350220d50080732e0809717ee6a053359e6a694ec2cb3f284a0a466c87a94d83b31093a67372e2f6412c06e6d42f15818dffe0381cc0cd444da6cddc3b82458194801b32564134fbfde98c9287748dbf5676a540d8154c8bbca07b9e247553311c46b9af76fdeeccc8e69e7c8a2d08e782620943f99727d3c04fe72991d99df9bae38a0b2177fa31d5b6afee91f020103a381fc3081f9301d0603551d0e04160414485900563d272c46ae118605a47419ac09ca8c113081c90603551d230481c13081be8014485900563d272c46ae118605a47419ac09ca8c11a1819aa48197308194310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e20566965773110300e060355040a1307416e64726f69643110300e060355040b1307416e64726f69643110300e06035504031307416e64726f69643122302006092a864886f70d0109011613616e64726f696440616e64726f69642e636f6d820900936eacbe07f201df300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007aaf968ceb50c441055118d0daabaf015b8a765a27a715a2c2b44f221415ffdace03095abfa42df70708726c2069e5c36eddae0400be29452c084bc27eb6a17eac9dbe182c204eb15311f455d824b656dbe4dc2240912d7586fe88951d01a8feb5ae5a4260535df83431052422468c36e22c2a5ef994d61dd7306ae4c9f6951ba3c12f1d1914ddc61f1a62da2df827f603fea5603b2c540dbd7c019c36bab29a4271c117df523cdbc5f3817a49e0efa60cbd7f74177e7a4f193d43f4220772666e4c4d83e1bd5a86087cf34f2dec21e245ca6c2bb016e683638050d2c430eea7c26a1c49d3760a58ab7f1a82cc938b4831384324bd0401fa12163a50570e684d" >
+      <seinfo value="release" />
+      <deny-permission name="android.permission.BRICK" />
+      <deny-permission name="android.permission.READ_LOGS" />
+      <deny-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
+      <deny-permission name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS" />
+      <package name="com.android.browser" >
+        <allow-permission name="android.permission.ACCESS_COARSE_LOCATION"/>
+        <allow-permission name="android.permission.ACCESS_DOWNLOAD_MANAGER"/>
+        <allow-permission name="android.permission.ACCESS_FINE_LOCATION"/>
+        <allow-permission name="android.permission.ACCESS_NETWORK_STATE"/>
+        <allow-permission name="android.permission.ACCESS_WIFI_STATE"/>
+        <allow-permission name="android.permission.GET_ACCOUNTS"/>
+        <allow-permission name="android.permission.INTERNET" />
+        <allow-permission name="android.permission.MANAGE_ACCOUNTS" />
+        <allow-permission name="android.permission.NFC" />
+        <allow-permission name="android.permission.READ_CONTACTS" />
+        <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
+        <allow-permission name="android.permission.READ_PROFILE" />
+        <allow-permission name="android.permission.READ_SYNC_SETTINGS" />
+        <allow-permission name="android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS" />
+        <allow-permission name="android.permission.SET_WALLPAPER" />
+        <allow-permission name="android.permission.USE_CREDENTIALS"/>
+        <allow-permission name="android.permission.WAKE_LOCK"/>
+        <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+        <allow-permission name="android.permission.WRITE_SETTINGS" />
+        <allow-permission name="android.permission.WRITE_SYNC_SETTINGS" />
+        <allow-permission name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
+        <allow-permission name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
+        <allow-permission name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
+      </package>
+    </signer>
+    <!-- All other keys -->
+    <default>
+      <seinfo value="default" />
+      <deny-permission name="android.permission.ACCESS_COARSE_LOCATION" />
+      <deny-permission name="android.permission.ACCESS_FINE_LOCATION" />
+      <deny-permission name="android.permission.AUTHENTICATE_ACCOUNTS" />
+      <deny-permission name="android.permission.CALL_PHONE" />
+      <deny-permission name="android.permission.CAMERA" />
+      <deny-permission name="android.permission.READ_LOGS" />
+      <deny-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
+    </default>
+</policy>