2014-07-01 22:59:50 +02:00
|
|
|
# Input selectors:
|
2017-02-14 18:48:57 +01:00
|
|
|
# isSystemServer (boolean)
|
|
|
|
# isEphemeralApp (boolean)
|
2017-02-06 19:31:45 +01:00
|
|
|
# isV2App (boolean)
|
2017-02-14 18:48:57 +01:00
|
|
|
# isOwner (boolean)
|
|
|
|
# user (string)
|
|
|
|
# seinfo (string)
|
|
|
|
# name (string)
|
|
|
|
# path (string)
|
|
|
|
# isPrivApp (boolean)
|
|
|
|
# minTargetSdkVersion (unsigned integer)
|
2012-01-04 18:33:27 +01:00
|
|
|
# isSystemServer=true can only be used once.
|
2012-07-27 23:08:21 +02:00
|
|
|
# An unspecified isSystemServer defaults to false.
|
2016-10-06 22:15:44 +02:00
|
|
|
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
|
2017-02-06 19:31:45 +01:00
|
|
|
# isV2App=true will match apps in the v2 app sandbox.
|
2014-09-15 21:16:06 +02:00
|
|
|
# isOwner=true will only match for the owner/primary user.
|
|
|
|
# isOwner=false will only match for secondary users.
|
|
|
|
# If unspecified, the entry can match either case.
|
2012-01-04 18:33:27 +01:00
|
|
|
# An unspecified string selector will match any value.
|
|
|
|
# A user string selector that ends in * will perform a prefix match.
|
2012-09-24 16:16:03 +02:00
|
|
|
# user=_app will match any regular app UID.
|
|
|
|
# user=_isolated will match any isolated service UID.
|
2015-10-05 18:15:04 +02:00
|
|
|
# isPrivApp=true will only match for applications preinstalled in
|
|
|
|
# /system/priv-app.
|
2017-02-14 18:48:57 +01:00
|
|
|
# minTargetSdkVersion will match applications with a targetSdkVersion
|
|
|
|
# greater than or equal to the specified value. If unspecified,
|
|
|
|
# it has a default value of 0.
|
2012-01-04 18:33:27 +01:00
|
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
|
|
# Matching is case-insensitive.
|
2014-07-01 22:59:50 +02:00
|
|
|
#
|
2016-12-19 19:18:19 +01:00
|
|
|
# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
|
2017-02-14 18:48:57 +01:00
|
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
|
|
|
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
|
2017-02-06 19:31:45 +01:00
|
|
|
# (3) Specified isV2App= before unspecified isV2App= boolean.
|
|
|
|
# (4) Specified isOwner= before unspecified isOwner= boolean.
|
|
|
|
# (5) Specified user= string before unspecified user= string.
|
|
|
|
# (6) Fixed user= string before user= prefix (i.e. ending in *).
|
|
|
|
# (7) Longer user= prefix before shorter user= prefix.
|
|
|
|
# (8) Specified seinfo= string before unspecified seinfo= string.
|
2017-02-14 18:48:57 +01:00
|
|
|
# ':' character is reserved and may not be used.
|
2017-02-06 19:31:45 +01:00
|
|
|
# (9) Specified name= string before unspecified name= string.
|
|
|
|
# (10) Specified path= string before unspecified path= string.
|
|
|
|
# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
|
|
|
|
# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
|
2017-02-14 18:48:57 +01:00
|
|
|
# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
|
2012-01-04 18:33:27 +01:00
|
|
|
#
|
|
|
|
# Outputs:
|
2017-02-14 18:48:57 +01:00
|
|
|
# domain (string)
|
|
|
|
# type (string)
|
|
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
|
|
# level (string)
|
2012-01-04 18:33:27 +01:00
|
|
|
# Only entries that specify domain= will be used for app process labeling.
|
|
|
|
# Only entries that specify type= will be used for app directory labeling.
|
2012-11-28 16:46:18 +01:00
|
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
2014-07-01 22:59:50 +02:00
|
|
|
# level may be used to specify a fixed level for any UID.
|
2012-01-04 18:33:27 +01:00
|
|
|
#
|
2015-06-04 06:57:47 +02:00
|
|
|
#
|
|
|
|
# Neverallow Assertions
|
|
|
|
# Additional compile time assertion checks can be added as well. The assertion
|
|
|
|
# rules are lines beginning with the keyword neverallow. Full support for PCRE
|
|
|
|
# regular expressions exists on all input and output selectors. Neverallow
|
|
|
|
# rules are never output to the built seapp_contexts file. Like all keywords,
|
|
|
|
# neverallows are case-insensitive. A neverallow is asserted when all key value
|
|
|
|
# inputs are matched on a key value rule line.
|
|
|
|
#
|
|
|
|
|
|
|
|
# only the system server can be in system_server domain
|
|
|
|
neverallow isSystemServer=false domain=system_server
|
|
|
|
neverallow isSystemServer="" domain=system_server
|
|
|
|
|
|
|
|
# system domains should never be assigned outside of system uid
|
|
|
|
neverallow user=((?!system).)* domain=system_app
|
|
|
|
neverallow user=((?!system).)* type=system_app_data_file
|
|
|
|
|
|
|
|
# anything with a non-known uid with a specified name should have a specified seinfo
|
|
|
|
neverallow user=_app name=.* seinfo=""
|
|
|
|
neverallow user=_app name=.* seinfo=default
|
|
|
|
|
|
|
|
# neverallow shared relro to any other domain
|
|
|
|
# and neverallow any other uid into shared_relro
|
|
|
|
neverallow user=shared_relro domain=((?!shared_relro).)*
|
|
|
|
neverallow user=((?!shared_relro).)* domain=shared_relro
|
|
|
|
|
|
|
|
# neverallow non-isolated uids into isolated_app domain
|
|
|
|
# and vice versa
|
|
|
|
neverallow user=_isolated domain=((?!isolated_app).)*
|
|
|
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
|
|
|
|
|
|
|
# uid shell should always be in shell domain, however non-shell
|
|
|
|
# uid's can be in shell domain
|
|
|
|
neverallow user=shell domain=((?!shell).)*
|
|
|
|
|
2018-01-24 22:17:18 +01:00
|
|
|
# only the package named com.android.shell can run in the shell domain
|
|
|
|
neverallow domain=shell name=((?!com\.android\.shell).)*
|
|
|
|
neverallow user=shell name=((?!com\.android\.shell).)*
|
|
|
|
|
2016-10-06 22:15:44 +02:00
|
|
|
# Ephemeral Apps must run in the ephemeral_app domain
|
|
|
|
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
2015-10-30 20:43:19 +01:00
|
|
|
|
2013-09-14 00:59:04 +02:00
|
|
|
isSystemServer=true domain=system_server
|
2017-12-12 01:19:23 +01:00
|
|
|
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
2014-09-29 19:29:48 +02:00
|
|
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
|
|
|
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
|
|
|
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
2018-01-04 19:33:20 +01:00
|
|
|
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
2014-09-29 19:29:48 +02:00
|
|
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
restore shared_relro functionality
Commit 92dfa31f7800ff9184e8525dfd471211c90b9d31 added "seinfo=platform"
to all fixed UID domains. However, that caused problems for shared_relro.
shared_relro runs like an isolated app, and doesn't have an seinfo field
associated with it.
This causes a crash when system_server attempts to start shared_relro.
W art : PreZygoteFork called when we already have a zygote space.
E SELinux : seapp_context_lookup: No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
E SELinux : selinux_android_setcontext: Error setting context for app with uid 1037, seinfo (null): Success
E Zygote : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
F art : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
F art : art/runtime/runtime.cc:331] Runtime aborting...
F art : art/runtime/runtime.cc:331] Aborting thread:
F art : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
F art : art/runtime/runtime.cc:331] | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
F art : art/runtime/runtime.cc:331] | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
F art : art/runtime/runtime.cc:331] | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
F art : art/runtime/runtime.cc:331] | stack=0xbe39d000-0xbe39f000 stackSize=8MB
F art : art/runtime/runtime.cc:331] | held mutexes= "abort lock" "mutator lock"(shared held)
F art : art/runtime/runtime.cc:331] kernel: (couldn't read /proc/self/task/1176/stack)
F art : art/runtime/runtime.cc:331] native: (backtrace::Unwind failed for thread 1176)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)
removing seinfo=platform from shared_relro fixed this bug, but then
revealed two new SELinux denials:
E SELinux : avc: denied { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
E SELinux : avc: denied { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
Add the needed SELinux rule.
Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
2015-01-07 22:52:43 +01:00
|
|
|
user=shared_relro domain=shared_relro
|
2018-01-24 22:17:18 +01:00
|
|
|
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
2018-01-30 16:54:33 +01:00
|
|
|
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
Enforce per-app data protections for targetSdk 28+
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.
Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+
To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.
Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
|
|
|
user=_isolated domain=isolated_app levelFrom=all
|
2017-04-11 01:57:48 +02:00
|
|
|
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
|
Enable per-user isolation for normal apps.
Add levelFrom=user to the entries for apps other than those
that run in the predefined platform UIDs (e.g. system, nfc, radio, ...).
This causes libselinux to assign a per-user category set computed from
the user ID portion of the Linux UID to each app process and its
/data/data/<pkgdir> or /data/user/N/<pkgdir> directory. These
per-user category sets can be seen in the last field of ps -Z output for
apps and ls -Z /data/data or /data/user/N output for the package
directories.
With this applied, apps running on behalf of one user cannot read
or write files created by apps running on behalf of another user,
even if the file is world-readable or -writable. Similar isolation is
enforced over process interactions (including /proc/pid file access),
local socket communications, and System V IPC, as expressed in the
set of constraints defined in the mls configuration. At present,
Binder IPC is not restricted by the mls configuration; if desired,
there is a constraint in the configuration that can be uncommented
to also apply isolation on direct binder IPC, although communication
will still be possible indirectly via the system_server.
Bug: 13507660
Change-Id: I3972f846ff5e7363799ba521f1258d662b18d64e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-11 20:07:28 +02:00
|
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
Enforce per-app data protections for targetSdk 28+
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.
Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+
To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.
Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
|
|
|
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
2018-08-13 20:39:20 +02:00
|
|
|
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
|
Enforce per-app data protections for targetSdk 28+
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.
Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+
To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.
Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
|
|
|
user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
|
|
|
|
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
|
2017-02-13 22:33:27 +01:00
|
|
|
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
|