Merge "Update seapp_contexts with isIsolatedComputeApp selector" am: eb1290f511 am: cbd5aa73ff am: 0e848232ec

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2390135

Change-Id: I742ed5d1761b9531ac41a5b84177265ef4671854
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Charles Chen 2023-02-01 21:32:12 +00:00 committed by Automerger Merge Worker
commit 12b3014623
2 changed files with 12 additions and 1 deletions

View file

@ -11,6 +11,7 @@
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@ -40,6 +41,11 @@
# it has a default value of 0.
# fromRunAs=true means the process being labeled is started by run-as. Default
# is false.
# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
# restricted to run in an isolated_app domain. Processes match this selector will
# be mapped to isolated_compute_app by default. It is expected to be used together
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
@ -57,6 +63,7 @@
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@ -122,9 +129,12 @@ neverallow user=((?!shared_relro).)* domain=shared_relro
# neverallow non-isolated uids into isolated_app domain
# and vice versa
neverallow user=_isolated domain=((?!isolated_app).)*
neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
neverallow user=((?!_isolated).)* domain=isolated_app
# neverallow isolatedComputeApp into domains other than isolated_compute_app
neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
# uid shell should always be in shell domain, however non-shell
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*

View file

@ -213,6 +213,7 @@ key_map rules[] = {
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },