tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/seapp_contexts

119 lines
5.8 KiB
Text
Raw Normal View History

Trivial change to support different SELinux policies for third party apps Needed to support https://android-review.googlesource.com/80871 Change-Id: Iba569c046135c0e81140faf6296c5da26a243037
2014-07-01 22:59:50 +02:00
# Input selectors:
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# isSystemServer (boolean)
# isEphemeralApp (boolean)
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
# isV2App (boolean)
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
# path (string)
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
SE Android policy.
2012-01-04 18:33:27 +01:00
# isSystemServer=true can only be used once.
seinfo can be used to select types, and sebool is now supported.
2012-07-27 23:08:21 +02:00
# An unspecified isSystemServer defaults to false.
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 22:15:44 +02:00
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
# isV2App=true will match apps in the v2 app sandbox.
Add isOwner= input selector for seapp_contexts. Enable labeling apps differently depending on whether they are running for the primary user / owner or for a secondary user. Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-15 21:16:06 +02:00
# isOwner=true will only match for the owner/primary user.
# isOwner=false will only match for secondary users.
# If unspecified, the entry can match either case.
SE Android policy.
2012-01-04 18:33:27 +01:00
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
Switch app_* and isolated to _app and _isolated in seapp_contexts. The app_* syntax was a legacy of the original approach of looking up the username returned by getpwuid() and the original username encoding scheme by bionic. With the recent changes to move away from this approach, there is no reason to retain that syntax. Instead, just use _app to match app UIDs and _isolated to match isolated service UIDs. The underscore prefix is to signify that these are not real usernames and to avoid conflicts with any system usernames. Requires a corresponding change to libselinux. Change-Id: Ic388a12c1c9d3e47386c8849db607140ef8a3d75 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-09-24 16:16:03 +02:00
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
Add priv_app domain to global seapp_context Assign priviliged apps not signed with the platform key to the priv_app domain. Bug: 22033466 Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
2015-10-05 18:15:04 +02:00
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# minTargetSdkVersion will match applications with a targetSdkVersion
# greater than or equal to the specified value. If unspecified,
# it has a default value of 0.
SE Android policy.
2012-01-04 18:33:27 +01:00
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
Trivial change to support different SELinux policies for third party apps Needed to support https://android-review.googlesource.com/80871 Change-Id: Iba569c046135c0e81140faf6296c5da26a243037
2014-07-01 22:59:50 +02:00
#
Clarify what determines precedence rules in seapp_contexts Test: It's a comment -- no impact on build Change-Id: Ibd7ff0dcd9d4c3d526ca20ab35dd4bac70d14f0a
2016-12-19 19:18:19 +01:00
# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
# (3) Specified isV2App= before unspecified isV2App= boolean.
# (4) Specified isOwner= before unspecified isOwner= boolean.
# (5) Specified user= string before unspecified user= string.
# (6) Fixed user= string before user= prefix (i.e. ending in *).
# (7) Longer user= prefix before shorter user= prefix.
# (8) Specified seinfo= string before unspecified seinfo= string.
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# ':' character is reserved and may not be used.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 19:31:45 +01:00
# (9) Specified name= string before unspecified name= string.
# (10) Specified path= string before unspecified path= string.
# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
SE Android policy.
2012-01-04 18:33:27 +01:00
#
# Outputs:
Add minTargetSdkVersion input selector to seapp_contexts This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
2017-02-14 18:48:57 +01:00
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
SE Android policy.
2012-01-04 18:33:27 +01:00
# Only entries that specify domain= will be used for app process labeling.
# Only entries that specify type= will be used for app directory labeling.
Generalize levelFromUid support. Introduce a levelFrom=none|app|user|all syntax for specifying per-app, per-user, or per-combination level assignment. levelFromUid=true|false remains valid syntax but is deprecated. levelFromUid=true is equivalent to levelFrom=app. Update check_seapp to accept the new syntax. Update seapp_contexts to document the new syntax and switch from levelFromUid=true to levelFrom=app. No change in behavior. Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-28 16:46:18 +01:00
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
Trivial change to support different SELinux policies for third party apps Needed to support https://android-review.googlesource.com/80871 Change-Id: Iba569c046135c0e81140faf6296c5da26a243037
2014-07-01 22:59:50 +02:00
# level may be used to specify a fixed level for any UID.
SE Android policy.
2012-01-04 18:33:27 +01:00
#
check_seapp: add support for "neverallow" checks Introduce "neverallow" rules for seapp_contexts. A neverallow rule is similar to the existing key-value-pair entries but the line begins with "neverallow". A neverallow violation is detected when all keys, both inputs and outputs are matched. The neverallow rules value parameter (not the key) can contain regular expressions to assist in matching. Neverallow rules are never output to the generated seapp_contexts file. Also, unless -o is specified, checkseapp runs in silent mode and outputs nothing. Specifying - as an argument to -o outputs to stdout. Sample Output: Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app" Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-04 06:57:47 +02:00
#
# Neverallow Assertions
# Additional compile time assertion checks can be added as well. The assertion
# rules are lines beginning with the keyword neverallow. Full support for PCRE
# regular expressions exists on all input and output selectors. Neverallow
# rules are never output to the built seapp_contexts file. Like all keywords,
# neverallows are case-insensitive. A neverallow is asserted when all key value
# inputs are matched on a key value rule line.
#
# only the system server can be in system_server domain
neverallow isSystemServer=false domain=system_server
neverallow isSystemServer="" domain=system_server
# system domains should never be assigned outside of system uid
neverallow user=((?!system).)* domain=system_app
neverallow user=((?!system).)* type=system_app_data_file
# anything with a non-known uid with a specified name should have a specified seinfo
neverallow user=_app name=.* seinfo=""
neverallow user=_app name=.* seinfo=default
# neverallow shared relro to any other domain
# and neverallow any other uid into shared_relro
neverallow user=shared_relro domain=((?!shared_relro).)*
neverallow user=((?!shared_relro).)* domain=shared_relro
# neverallow non-isolated uids into isolated_app domain
# and vice versa
neverallow user=_isolated domain=((?!isolated_app).)*
neverallow user=((?!_isolated).)* domain=isolated_app
# uid shell should always be in shell domain, however non-shell
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
Revert "Revert "Ensure only com.android.shell can run in the shell domain."" This reverts commit bf0c2a59f804af514a4488070453e8c49e095380. Bug:68126425 Test: No apps affected by not being able to run in shell domain Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
2018-01-24 22:17:18 +01:00
# only the package named com.android.shell can run in the shell domain
neverallow domain=shell name=((?!com\.android\.shell).)*
neverallow user=shell name=((?!com\.android\.shell).)*
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 22:15:44 +02:00
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
Add autoplay_app domain Initial check in of empty autoplay_app.te policy file. Create isAutoPlayApp input selector. Give this selector high precedence - only below isSystemServer. Add neverallow rule disallowing an app context with isAutoPlayApp=true from running in a domain other than autoplay_app. Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
2015-10-30 20:43:19 +01:00
1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
2013-09-14 00:59:04 +02:00
isSystemServer=true domain=system_server
Adding a traceur_app domain to remove it from shell This CL creates a traceur_app domain with userdebug privileges akin to what shell has with regards to being able to find most services on device. Previously, traceur was running as shell which was an unintentional abuse of selinux architecture. Bug: 68126425 Test: Traceur functions outside of shell user privilege Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
2017-12-12 01:19:23 +01:00
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
seinfo for platform based domains should be stated explicitly. The current policy would allow any application that were to "magically" get a sensitive UID into the coresponding sensitive domain. Rather then only using UID as an input selector, require seinfo=platform. Change-Id: I8a7490ed55bdcd3e4a116aece2c3522b384024ec
2014-09-29 19:29:48 +02:00
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
SE Policy for Secure Element app and Secure Element HAL Test: App startup on boot Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
2018-01-04 19:33:20 +01:00
user=secure_element seinfo=platform domain=secure_element levelFrom=all
seinfo for platform based domains should be stated explicitly. The current policy would allow any application that were to "magically" get a sensitive UID into the coresponding sensitive domain. Rather then only using UID as an input selector, require seinfo=platform. Change-Id: I8a7490ed55bdcd3e4a116aece2c3522b384024ec
2014-09-29 19:29:48 +02:00
user=radio seinfo=platform domain=radio type=radio_data_file
restore shared_relro functionality Commit 92dfa31f7800ff9184e8525dfd471211c90b9d31 added "seinfo=platform" to all fixed UID domains. However, that caused problems for shared_relro. shared_relro runs like an isolated app, and doesn't have an seinfo field associated with it. This causes a crash when system_server attempts to start shared_relro. W art : PreZygoteFork called when we already have a zygote space. E SELinux : seapp_context_lookup: No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a E SELinux : selinux_android_setcontext: Error setting context for app with uid 1037, seinfo (null): Success E Zygote : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed F art : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process F art : art/runtime/runtime.cc:331] Runtime aborting... F art : art/runtime/runtime.cc:331] Aborting thread: F art : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native F art : art/runtime/runtime.cc:331] | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800 F art : art/runtime/runtime.cc:331] | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80 F art : art/runtime/runtime.cc:331] | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100 F art : art/runtime/runtime.cc:331] | stack=0xbe39d000-0xbe39f000 stackSize=8MB F art : art/runtime/runtime.cc:331] | held mutexes= "abort lock" "mutator lock"(shared held) F art : art/runtime/runtime.cc:331] kernel: (couldn't read /proc/self/task/1176/stack) F art : art/runtime/runtime.cc:331] native: (backtrace::Unwind failed for thread 1176) F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method) F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91) F art : art/runtime/runtime.cc:331] at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227) removing seinfo=platform from shared_relro fixed this bug, but then revealed two new SELinux denials: E SELinux : avc: denied { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager E SELinux : avc: denied { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager Add the needed SELinux rule. Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
2015-01-07 22:52:43 +01:00
user=shared_relro domain=shared_relro
Revert "Revert "Ensure only com.android.shell can run in the shell domain."" This reverts commit bf0c2a59f804af514a4488070453e8c49e095380. Bug:68126425 Test: No apps affected by not being able to run in shell domain Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
2018-01-24 22:17:18 +01:00
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
SELinux changes to accomodate starting the webview_zygote as a child of the zygote. In this architecture, the system_server instructs the zygote to fork a child-zygote to be the webview_zygote. The system_server tells this new zygote to listen for fork requests on a random abstract unix socket of its choosing. A follow-up CL will remove the rules for starting webview_zygote via init. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Change-Id: I864743943c11c18de386010ecd4b616721cb9954
2018-01-30 16:54:33 +01:00
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
Enforce per-app data protections for targetSdk 28+ Adds per-app categories to untrusted app domains and their app data types. Per-app categories are in addition to the existing per-user categories. Apps targeting sdk version 28+ will now have the following characteristics: Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Whereas apps targeting 27- will look like: Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+ Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+ To ensure backwards compatibility with previous SDK versions, the levelFrom=all now enforces categories by dominance instead of equality. Apps with per-app and per-user categories will continue to have selinux permissions (but not necessarily unix permissions) to access app data with only per-user categories, but apps with only per-user categories will not be able to access the data of apps with both per-app and per-user categories. Bug: 63897054 Test: Boot sailfish, run apps, verify no new selinux denials. Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases Test: adb sideload an OTA and verify that files are correctly labeled. Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
user=_isolated domain=isolated_app levelFrom=all
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-11 01:57:48 +02:00
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
Enable per-user isolation for normal apps. Add levelFrom=user to the entries for apps other than those that run in the predefined platform UIDs (e.g. system, nfc, radio, ...). This causes libselinux to assign a per-user category set computed from the user ID portion of the Linux UID to each app process and its /data/data/<pkgdir> or /data/user/N/<pkgdir> directory. These per-user category sets can be seen in the last field of ps -Z output for apps and ls -Z /data/data or /data/user/N output for the package directories. With this applied, apps running on behalf of one user cannot read or write files created by apps running on behalf of another user, even if the file is world-readable or -writable. Similar isolation is enforced over process interactions (including /proc/pid file access), local socket communications, and System V IPC, as expressed in the set of constraints defined in the mls configuration. At present, Binder IPC is not restricted by the mls configuration; if desired, there is a constraint in the configuration that can be uncommented to also apply isolation on direct binder IPC, although communication will still be possible indirectly via the system_server. Bug: 13507660 Change-Id: I3972f846ff5e7363799ba521f1258d662b18d64e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-11 20:07:28 +02:00
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
Enforce per-app data protections for targetSdk 28+ Adds per-app categories to untrusted app domains and their app data types. Per-app categories are in addition to the existing per-user categories. Apps targeting sdk version 28+ will now have the following characteristics: Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Whereas apps targeting 27- will look like: Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+ Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+ To ensure backwards compatibility with previous SDK versions, the levelFrom=all now enforces categories by dominance instead of equality. Apps with per-app and per-user categories will continue to have selinux permissions (but not necessarily unix permissions) to access app data with only per-user categories, but apps with only per-user categories will not be able to access the data of apps with both per-app and per-user categories. Bug: 63897054 Test: Boot sailfish, run apps, verify no new selinux denials. Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases Test: adb sideload an OTA and verify that files are correctly labeled. Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
Add priv_app domain to global seapp_context Assign priviliged apps not signed with the platform key to the priv_app domain. Bug: 22033466 Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
2015-10-05 18:15:04 +02:00
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
Enforce per-app data protections for targetSdk 28+ Adds per-app categories to untrusted app domains and their app data types. Per-app categories are in addition to the existing per-user categories. Apps targeting sdk version 28+ will now have the following characteristics: Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Whereas apps targeting 27- will look like: Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+ Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+ To ensure backwards compatibility with previous SDK versions, the levelFrom=all now enforces categories by dominance instead of equality. Apps with per-app and per-user categories will continue to have selinux permissions (but not necessarily unix permissions) to access app data with only per-user categories, but apps with only per-user categories will not be able to access the data of apps with both per-app and per-user categories. Bug: 63897054 Test: Boot sailfish, run apps, verify no new selinux denials. Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases Test: adb sideload an OTA and verify that files are correctly labeled. Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 22:33:27 +01:00
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
Reference in a new issue Copy permalink