2019-01-31 16:16:01 +01:00
|
|
|
# The entries in this file define how security contexts for apps are determined.
|
|
|
|
|
# Each entry lists input selectors, used to match the app, and outputs which are
|
|
|
|
|
# used to determine the security contexts for matching apps.
|
|
|
|
|
#
|
2014-07-01 22:59:50 +02:00
|
|
|
# Input selectors:
|
2017-02-14 18:48:57 +01:00
|
|
|
# isSystemServer (boolean)
|
|
|
|
|
# isEphemeralApp (boolean)
|
|
|
|
|
# isOwner (boolean)
|
|
|
|
|
# user (string)
|
|
|
|
|
# seinfo (string)
|
|
|
|
|
# name (string)
|
|
|
|
|
# path (string)
|
|
|
|
|
# isPrivApp (boolean)
|
|
|
|
|
# minTargetSdkVersion (unsigned integer)
|
2018-11-02 22:34:06 +01:00
|
|
|
# fromRunAs (boolean)
|
2019-01-31 16:16:01 +01:00
|
|
|
#
|
|
|
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
|
|
|
# An unspecified string or boolean selector with no default will match any
|
|
|
|
|
# value.
|
|
|
|
|
# A user, name, or path string selector that ends in * will perform a prefix
|
|
|
|
|
# match.
|
|
|
|
|
# String matching is case-insensitive.
|
|
|
|
|
# See external/selinux/libselinux/src/android/android_platform.c,
|
|
|
|
|
# seapp_context_lookup().
|
|
|
|
|
#
|
|
|
|
|
# isSystemServer=true only matches the system server.
|
2012-07-27 23:08:21 +02:00
|
|
|
# An unspecified isSystemServer defaults to false.
|
2016-10-06 22:15:44 +02:00
|
|
|
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
|
2014-09-15 21:16:06 +02:00
|
|
|
# isOwner=true will only match for the owner/primary user.
|
2019-01-31 16:16:01 +01:00
|
|
|
# user=_app will match any regular app process.
|
|
|
|
|
# user=_isolated will match any isolated service process.
|
|
|
|
|
# Other values of user are matched against the name associated with the process
|
|
|
|
|
# UID.
|
|
|
|
|
# seinfo= matches aginst the seinfo tag for the app, determined from
|
|
|
|
|
# mac_permissions.xml files.
|
|
|
|
|
# The ':' character is reserved and may not be used in seinfo.
|
|
|
|
|
# name= matches against the package name of the app.
|
|
|
|
|
# path= matches against the directory path when labeling app directories.
|
2015-10-05 18:15:04 +02:00
|
|
|
# isPrivApp=true will only match for applications preinstalled in
|
|
|
|
|
# /system/priv-app.
|
2017-02-14 18:48:57 +01:00
|
|
|
# minTargetSdkVersion will match applications with a targetSdkVersion
|
|
|
|
|
# greater than or equal to the specified value. If unspecified,
|
|
|
|
|
# it has a default value of 0.
|
2019-01-31 16:16:01 +01:00
|
|
|
# fromRunAs=true means the process being labeled is started by run-as. Default
|
|
|
|
|
# is false.
|
2014-07-01 22:59:50 +02:00
|
|
|
#
|
2019-01-31 16:16:01 +01:00
|
|
|
# Precedence: entries are compared using the following rules, in the order shown
|
|
|
|
|
# (see external/selinux/libselinux/src/android/android_platform.c,
|
|
|
|
|
# seapp_context_cmp()).
|
2017-02-14 18:48:57 +01:00
|
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
2019-01-31 16:16:01 +01:00
|
|
|
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
|
|
|
|
|
# boolean.
|
2019-04-17 00:56:33 +02:00
|
|
|
# (3) Specified isOwner= before unspecified isOwner= boolean.
|
|
|
|
|
# (4) Specified user= string before unspecified user= string;
|
2019-01-31 16:16:01 +01:00
|
|
|
# more specific user= string before less specific user= string.
|
2019-04-17 00:56:33 +02:00
|
|
|
# (5) Specified seinfo= string before unspecified seinfo= string.
|
|
|
|
|
# (6) Specified name= string before unspecified name= string;
|
2019-01-31 16:16:01 +01:00
|
|
|
# more specific name= string before less specific name= string.
|
2019-04-17 00:56:33 +02:00
|
|
|
# (7) Specified path= string before unspecified path= string.
|
2019-01-31 16:16:01 +01:00
|
|
|
# more specific name= string before less specific name= string.
|
2019-04-17 00:56:33 +02:00
|
|
|
# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
|
|
|
|
|
# (9) Higher value of minTargetSdkVersion= before lower value of
|
2019-01-31 16:16:01 +01:00
|
|
|
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
|
|
|
|
# defaults to 0 if unspecified.
|
2019-04-17 00:56:33 +02:00
|
|
|
# (10) fromRunAs=true before fromRunAs=false.
|
2019-01-31 16:16:01 +01:00
|
|
|
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
|
|
|
|
# longer prefix is more specific than a shorter prefix.)
|
|
|
|
|
# Apps are checked against entries in precedence order until the first match,
|
|
|
|
|
# regardless of their order in this file.
|
|
|
|
|
#
|
|
|
|
|
# Duplicate entries, i.e. with identical input selectors, are not allowed.
|
2012-01-04 18:33:27 +01:00
|
|
|
#
|
|
|
|
|
# Outputs:
|
2017-02-14 18:48:57 +01:00
|
|
|
# domain (string)
|
|
|
|
|
# type (string)
|
|
|
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
|
|
|
# level (string)
|
2019-01-31 16:16:01 +01:00
|
|
|
#
|
|
|
|
|
# domain= determines the label to be used for the app process; entries
|
|
|
|
|
# without domain= are ignored for this purpose.
|
|
|
|
|
# type= specifies the label to be used for the app data directory; entries
|
|
|
|
|
# without type= are ignored for this purpose.
|
|
|
|
|
# levelFrom and level are used to determine the level (sensitivity + categories)
|
|
|
|
|
# for MLS/MCS.
|
|
|
|
|
# levelFrom=none omits the level.
|
|
|
|
|
# levelFrom=app determines the level from the process UID.
|
|
|
|
|
# levelFrom=user determines the level from the user ID.
|
|
|
|
|
# levelFrom=all determines the level from both UID and user ID.
|
2019-04-17 00:56:33 +02:00
|
|
|
#
|
2012-11-28 16:46:18 +01:00
|
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
|
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
2014-07-01 22:59:50 +02:00
|
|
|
# level may be used to specify a fixed level for any UID.
|
2012-01-04 18:33:27 +01:00
|
|
|
#
|
2019-01-31 16:16:01 +01:00
|
|
|
# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
|
|
|
|
|
# and levelFromUid=false is equivalent to levelFrom=none.
|
|
|
|
|
#
|
2015-06-04 06:57:47 +02:00
|
|
|
#
|
|
|
|
|
# Neverallow Assertions
|
2019-01-31 16:16:01 +01:00
|
|
|
# Additional compile time assertion checks for the rules in this file can be
|
|
|
|
|
# added as well. The assertion
|
2015-06-04 06:57:47 +02:00
|
|
|
# rules are lines beginning with the keyword neverallow. Full support for PCRE
|
|
|
|
|
# regular expressions exists on all input and output selectors. Neverallow
|
|
|
|
|
# rules are never output to the built seapp_contexts file. Like all keywords,
|
|
|
|
|
# neverallows are case-insensitive. A neverallow is asserted when all key value
|
|
|
|
|
# inputs are matched on a key value rule line.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# only the system server can be in system_server domain
|
|
|
|
|
neverallow isSystemServer=false domain=system_server
|
|
|
|
|
neverallow isSystemServer="" domain=system_server
|
|
|
|
|
|
|
|
|
|
# system domains should never be assigned outside of system uid
|
|
|
|
|
neverallow user=((?!system).)* domain=system_app
|
|
|
|
|
neverallow user=((?!system).)* type=system_app_data_file
|
|
|
|
|
|
2019-10-31 23:45:00 +01:00
|
|
|
# any non priv-app with a non-known uid with a specified name should have a specified
|
|
|
|
|
# seinfo
|
|
|
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=""
|
|
|
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=default
|
2015-06-04 06:57:47 +02:00
|
|
|
|
|
|
|
|
# neverallow shared relro to any other domain
|
|
|
|
|
# and neverallow any other uid into shared_relro
|
|
|
|
|
neverallow user=shared_relro domain=((?!shared_relro).)*
|
|
|
|
|
neverallow user=((?!shared_relro).)* domain=shared_relro
|
|
|
|
|
|
|
|
|
|
# neverallow non-isolated uids into isolated_app domain
|
|
|
|
|
# and vice versa
|
|
|
|
|
neverallow user=_isolated domain=((?!isolated_app).)*
|
|
|
|
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
|
|
|
|
|
|
|
|
|
# uid shell should always be in shell domain, however non-shell
|
|
|
|
|
# uid's can be in shell domain
|
|
|
|
|
neverallow user=shell domain=((?!shell).)*
|
|
|
|
|
|
2018-01-24 22:17:18 +01:00
|
|
|
# only the package named com.android.shell can run in the shell domain
|
|
|
|
|
neverallow domain=shell name=((?!com\.android\.shell).)*
|
|
|
|
|
neverallow user=shell name=((?!com\.android\.shell).)*
|
|
|
|
|
|
2016-10-06 22:15:44 +02:00
|
|
|
# Ephemeral Apps must run in the ephemeral_app domain
|
|
|
|
|
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
2015-10-30 20:43:19 +01:00
|
|
|
|
2018-10-04 19:57:29 +02:00
|
|
|
isSystemServer=true domain=system_server_startup
|
|
|
|
|
|
2017-12-12 01:19:23 +01:00
|
|
|
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
2014-09-29 19:29:48 +02:00
|
|
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
|
|
|
|
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
|
2019-11-22 18:33:37 +01:00
|
|
|
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
|
2014-09-29 19:29:48 +02:00
|
|
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
2018-01-04 19:33:20 +01:00
|
|
|
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
2014-09-29 19:29:48 +02:00
|
|
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
restore shared_relro functionality
Commit 92dfa31f7800ff9184e8525dfd471211c90b9d31 added "seinfo=platform"
to all fixed UID domains. However, that caused problems for shared_relro.
shared_relro runs like an isolated app, and doesn't have an seinfo field
associated with it.
This causes a crash when system_server attempts to start shared_relro.
W art : PreZygoteFork called when we already have a zygote space.
E SELinux : seapp_context_lookup: No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
E SELinux : selinux_android_setcontext: Error setting context for app with uid 1037, seinfo (null): Success
E Zygote : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
F art : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
F art : art/runtime/runtime.cc:331] Runtime aborting...
F art : art/runtime/runtime.cc:331] Aborting thread:
F art : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
F art : art/runtime/runtime.cc:331] | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
F art : art/runtime/runtime.cc:331] | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
F art : art/runtime/runtime.cc:331] | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
F art : art/runtime/runtime.cc:331] | stack=0xbe39d000-0xbe39f000 stackSize=8MB
F art : art/runtime/runtime.cc:331] | held mutexes= "abort lock" "mutator lock"(shared held)
F art : art/runtime/runtime.cc:331] kernel: (couldn't read /proc/self/task/1176/stack)
F art : art/runtime/runtime.cc:331] native: (backtrace::Unwind failed for thread 1176)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)
removing seinfo=platform from shared_relro fixed this bug, but then
revealed two new SELinux denials:
E SELinux : avc: denied { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
E SELinux : avc: denied { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
Add the needed SELinux rule.
Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
2015-01-07 22:52:43 +01:00
|
|
|
user=shared_relro domain=shared_relro
|
2018-01-24 22:17:18 +01:00
|
|
|
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
2018-01-30 16:54:33 +01:00
|
|
|
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
Enforce per-app data protections for targetSdk 28+
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.
Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+
To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.
Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
|
|
|
user=_isolated domain=isolated_app levelFrom=all
|
2018-11-05 11:39:15 +01:00
|
|
|
user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
|
2020-04-22 15:26:02 +02:00
|
|
|
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
Enable per-user isolation for normal apps.
Add levelFrom=user to the entries for apps other than those
that run in the predefined platform UIDs (e.g. system, nfc, radio, ...).
This causes libselinux to assign a per-user category set computed from
the user ID portion of the Linux UID to each app process and its
/data/data/<pkgdir> or /data/user/N/<pkgdir> directory. These
per-user category sets can be seen in the last field of ps -Z output for
apps and ls -Z /data/data or /data/user/N output for the package
directories.
With this applied, apps running on behalf of one user cannot read
or write files created by apps running on behalf of another user,
even if the file is world-readable or -writable. Similar isolation is
enforced over process interactions (including /proc/pid file access),
local socket communications, and System V IPC, as expressed in the
set of constraints defined in the mls configuration. At present,
Binder IPC is not restricted by the mls configuration; if desired,
there is a constraint in the configuration that can be uncommented
to also apply isolation on direct binder IPC, although communication
will still be possible indirectly via the system_server.
Bug: 13507660
Change-Id: I3972f846ff5e7363799ba521f1258d662b18d64e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-11 20:07:28 +02:00
|
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
2019-04-17 00:56:33 +02:00
|
|
|
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
2020-05-06 13:17:28 +02:00
|
|
|
user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
|
Change priv-apps /data/data labels to privapp_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.
Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.
This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46352bd91cdc58f33d55378e5567dc1c, there should be no
noticeable effect from this change.
This change was originally submitted as
4df57822fce7e87b41edbe410a2554c6c39fc286. However, it was reverted in
cdc6649acc43d3a38753e22790f372290c1189c1 due to a different labeling
bug. That bug has been fixed, and we can reapply this change.
Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
filesystem upgrade.
Bug: 112357170
2018-09-12 21:30:32 +02:00
|
|
|
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
|
2019-10-31 23:45:00 +01:00
|
|
|
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
2020-04-22 15:26:02 +02:00
|
|
|
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
2020-01-30 16:52:45 +01:00
|
|
|
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
2019-11-21 18:32:33 +01:00
|
|
|
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
2019-11-14 23:00:30 +01:00
|
|
|
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
|
2019-10-29 22:13:20 +01:00
|
|
|
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
|
|
|
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
|
|
|
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
|
2020-04-22 19:22:45 +02:00
|
|
|
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
|
2020-01-20 10:14:48 +01:00
|
|
|
user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
|
|
|
|
|
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
|
2018-11-02 19:12:43 +01:00
|
|
|
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
|
Enforce per-app data protections for targetSdk 28+
Adds per-app categories to untrusted app domains and their
app data types. Per-app categories are in addition to the
existing per-user categories.
Apps targeting sdk version 28+ will now have the following
characteristics:
Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9]
Whereas apps targeting 27- will look like:
Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+
Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+
To ensure backwards compatibility with previous SDK versions,
the levelFrom=all now enforces categories by dominance instead of
equality. Apps with per-app and per-user categories will continue
to have selinux permissions (but not necessarily unix permissions)
to access app data with only per-user categories, but apps with only
per-user categories will not be able to access the data of apps with
both per-app and per-user categories.
Bug: 63897054
Test: Boot sailfish, run apps, verify no new selinux denials.
Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: adb sideload an OTA and verify that files are correctly labeled.
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
2017-12-18 05:55:12 +01:00
|
|
|
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
|
2017-02-13 22:33:27 +01:00
|
|
|
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
|
2019-01-08 01:37:24 +01:00
|
|
|
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
|
|
|
|
|
user=_app fromRunAs=true domain=runas_app levelFrom=user
|
