Merge "Update seapp_contexts with isIsolatedComputeApp selector"

This commit is contained in:
Charles Chen 2023-02-01 17:34:48 +00:00 committed by Gerrit Code Review
commit eb1290f511
2 changed files with 12 additions and 1 deletions

View file

@ -11,6 +11,7 @@
# isPrivApp (boolean) # isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer) # minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean) # fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# #
# All specified input selectors in an entry must match (i.e. logical AND). # All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any # An unspecified string or boolean selector with no default will match any
@ -40,6 +41,11 @@
# it has a default value of 0. # it has a default value of 0.
# fromRunAs=true means the process being labeled is started by run-as. Default # fromRunAs=true means the process being labeled is started by run-as. Default
# is false. # is false.
# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
# restricted to run in an isolated_app domain. Processes match this selector will
# be mapped to isolated_compute_app by default. It is expected to be used together
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
# #
# Precedence: entries are compared using the following rules, in the order shown # Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c, # (see external/selinux/libselinux/src/android/android_platform.c,
@ -57,6 +63,7 @@
# minTargetSdkVersion= integer. Note that minTargetSdkVersion= # minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified. # defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false. # (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.) # longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match, # Apps are checked against entries in precedence order until the first match,
@ -122,9 +129,12 @@ neverallow user=((?!shared_relro).)* domain=shared_relro
# neverallow non-isolated uids into isolated_app domain # neverallow non-isolated uids into isolated_app domain
# and vice versa # and vice versa
neverallow user=_isolated domain=((?!isolated_app).)* neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
neverallow user=((?!_isolated).)* domain=isolated_app neverallow user=((?!_isolated).)* domain=isolated_app
# neverallow isolatedComputeApp into domains other than isolated_compute_app
neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
# uid shell should always be in shell domain, however non-shell # uid shell should always be in shell domain, however non-shell
# uid's can be in shell domain # uid's can be in shell domain
neverallow user=shell domain=((?!shell).)* neverallow user=shell domain=((?!shell).)*

View file

@ -213,6 +213,7 @@ key_map rules[] = {
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool }, { .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint }, { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool }, { .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/ /*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain }, { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type }, { .name = "type", .dir = dir_out, .fn_validate = validate_type },