Update seapp_contexts with isIsolatedComputeApp selector
Provide isIsolatedComputeApp selector for apps reusing _isolated user to run in domains other than isolated_app. Processes match the selector will have a default domain isolated_compute_app assigned. Also updated _isolated neverallow statements. Bug: 265540209 Bug: 265746493 Test: m && atest --host libselinux_test with change on android_unittest.cpp Change-Id: Ia05954aa6a9a9a07d6a8d1e3235a89e7b37dead9
This commit is contained in:
parent
3445819d5a
commit
307049222a
2 changed files with 12 additions and 1 deletions
|
@ -11,6 +11,7 @@
|
|||
# isPrivApp (boolean)
|
||||
# minTargetSdkVersion (unsigned integer)
|
||||
# fromRunAs (boolean)
|
||||
# isIsolatedComputeApp (boolean)
|
||||
#
|
||||
# All specified input selectors in an entry must match (i.e. logical AND).
|
||||
# An unspecified string or boolean selector with no default will match any
|
||||
|
@ -40,6 +41,11 @@
|
|||
# it has a default value of 0.
|
||||
# fromRunAs=true means the process being labeled is started by run-as. Default
|
||||
# is false.
|
||||
# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
|
||||
# restricted to run in an isolated_app domain. Processes match this selector will
|
||||
# be mapped to isolated_compute_app by default. It is expected to be used together
|
||||
# with user=_isolated. This selector should not be used unless it is intended
|
||||
# to provide isolated processes with relaxed security restrictions.
|
||||
#
|
||||
# Precedence: entries are compared using the following rules, in the order shown
|
||||
# (see external/selinux/libselinux/src/android/android_platform.c,
|
||||
|
@ -57,6 +63,7 @@
|
|||
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
||||
# defaults to 0 if unspecified.
|
||||
# (8) fromRunAs=true before fromRunAs=false.
|
||||
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
|
||||
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
||||
# longer prefix is more specific than a shorter prefix.)
|
||||
# Apps are checked against entries in precedence order until the first match,
|
||||
|
@ -122,9 +129,12 @@ neverallow user=((?!shared_relro).)* domain=shared_relro
|
|||
|
||||
# neverallow non-isolated uids into isolated_app domain
|
||||
# and vice versa
|
||||
neverallow user=_isolated domain=((?!isolated_app).)*
|
||||
neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
|
||||
neverallow user=((?!_isolated).)* domain=isolated_app
|
||||
|
||||
# neverallow isolatedComputeApp into domains other than isolated_compute_app
|
||||
neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
|
||||
|
||||
# uid shell should always be in shell domain, however non-shell
|
||||
# uid's can be in shell domain
|
||||
neverallow user=shell domain=((?!shell).)*
|
||||
|
|
|
@ -213,6 +213,7 @@ key_map rules[] = {
|
|||
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
|
||||
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
|
||||
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
|
||||
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
|
||||
/*Outputs*/
|
||||
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
|
||||
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },
|
||||
|
|
Loading…
Reference in a new issue