platform_system_sepolicy/private/seapp_contexts

168 lines
8.2 KiB
Text
Raw Normal View History

# The entries in this file define how security contexts for apps are determined.
# Each entry lists input selectors, used to match the app, and outputs which are
# used to determine the security contexts for matching apps.
#
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
# path (string)
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
# value.
# A user, name, or path string selector that ends in * will perform a prefix
# match.
# String matching is case-insensitive.
# See external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_lookup().
#
# isSystemServer=true only matches the system server.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# isOwner=true will only match for the owner/primary user.
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
# Other values of user are matched against the name associated with the process
# UID.
# seinfo= matches aginst the seinfo tag for the app, determined from
# mac_permissions.xml files.
# The ':' character is reserved and may not be used in seinfo.
# name= matches against the package name of the app.
# path= matches against the directory path when labeling app directories.
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
# minTargetSdkVersion will match applications with a targetSdkVersion
# greater than or equal to the specified value. If unspecified,
# it has a default value of 0.
# fromRunAs=true means the process being labeled is started by run-as. Default
# is false.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
# boolean.
# (3) Specified isOwner= before unspecified isOwner= boolean.
# (4) Specified user= string before unspecified user= string;
# more specific user= string before less specific user= string.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string;
# more specific name= string before less specific name= string.
# (7) Specified path= string before unspecified path= string.
# more specific name= string before less specific name= string.
# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
# (9) Higher value of minTargetSdkVersion= before lower value of
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
# (10) fromRunAs=true before fromRunAs=false.
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
# regardless of their order in this file.
#
# Duplicate entries, i.e. with identical input selectors, are not allowed.
2012-01-04 18:33:27 +01:00
#
# Outputs:
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
#
# domain= determines the label to be used for the app process; entries
# without domain= are ignored for this purpose.
# type= specifies the label to be used for the app data directory; entries
# without type= are ignored for this purpose.
# levelFrom and level are used to determine the level (sensitivity + categories)
# for MLS/MCS.
# levelFrom=none omits the level.
# levelFrom=app determines the level from the process UID.
# levelFrom=user determines the level from the user ID.
# levelFrom=all determines the level from both UID and user ID.
#
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
2012-01-04 18:33:27 +01:00
#
# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
# and levelFromUid=false is equivalent to levelFrom=none.
#
#
# Neverallow Assertions
# Additional compile time assertion checks for the rules in this file can be
# added as well. The assertion
# rules are lines beginning with the keyword neverallow. Full support for PCRE
# regular expressions exists on all input and output selectors. Neverallow
# rules are never output to the built seapp_contexts file. Like all keywords,
# neverallows are case-insensitive. A neverallow is asserted when all key value
# inputs are matched on a key value rule line.
#
# only the system server can be in system_server domain
neverallow isSystemServer=false domain=system_server
neverallow isSystemServer="" domain=system_server
# system domains should never be assigned outside of system uid
neverallow user=((?!system).)* domain=system_app
neverallow user=((?!system).)* type=system_app_data_file
# any non priv-app with a non-known uid with a specified name should have a specified
# seinfo
neverallow user=_app isPrivApp=false name=.* seinfo=""
neverallow user=_app isPrivApp=false name=.* seinfo=default
# neverallow shared relro to any other domain
# and neverallow any other uid into shared_relro
neverallow user=shared_relro domain=((?!shared_relro).)*
neverallow user=((?!shared_relro).)* domain=shared_relro
# neverallow non-isolated uids into isolated_app domain
# and vice versa
neverallow user=_isolated domain=((?!isolated_app).)*
neverallow user=((?!_isolated).)* domain=isolated_app
# uid shell should always be in shell domain, however non-shell
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
# only the package named com.android.shell can run in the shell domain
neverallow domain=shell name=((?!com\.android\.shell).)*
neverallow user=shell name=((?!com\.android\.shell).)*
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server_startup
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
restore shared_relro functionality Commit 92dfa31f7800ff9184e8525dfd471211c90b9d31 added "seinfo=platform" to all fixed UID domains. However, that caused problems for shared_relro. shared_relro runs like an isolated app, and doesn't have an seinfo field associated with it. This causes a crash when system_server attempts to start shared_relro. W art : PreZygoteFork called when we already have a zygote space. E SELinux : seapp_context_lookup: No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a E SELinux : selinux_android_setcontext: Error setting context for app with uid 1037, seinfo (null): Success E Zygote : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed F art : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process F art : art/runtime/runtime.cc:331] Runtime aborting... F art : art/runtime/runtime.cc:331] Aborting thread: F art : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native F art : art/runtime/runtime.cc:331] | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800 F art : art/runtime/runtime.cc:331] | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80 F art : art/runtime/runtime.cc:331] | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100 F art : art/runtime/runtime.cc:331] | stack=0xbe39d000-0xbe39f000 stackSize=8MB F art : art/runtime/runtime.cc:331] | held mutexes= "abort lock" "mutator lock"(shared held) F art : art/runtime/runtime.cc:331] kernel: (couldn't read /proc/self/task/1176/stack) F art : art/runtime/runtime.cc:331] native: (backtrace::Unwind failed for thread 1176) F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method) F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91) F art : art/runtime/runtime.cc:331] at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227) removing seinfo=platform from shared_relro fixed this bug, but then revealed two new SELinux denials: E SELinux : avc: denied { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager E SELinux : avc: denied { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager Add the needed SELinux rule. Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
2015-01-07 22:52:43 +01:00
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user