Merge "Update seapp_contexts with isIsolatedComputeApp selector"
commit
eb1290f511
2 changed files with 12 additions and 1 deletions
|
@ -11,6 +11,7 @@
|
||||||
# isPrivApp (boolean)
|
# isPrivApp (boolean)
|
||||||
# minTargetSdkVersion (unsigned integer)
|
# minTargetSdkVersion (unsigned integer)
|
||||||
# fromRunAs (boolean)
|
# fromRunAs (boolean)
|
||||||
|
# isIsolatedComputeApp (boolean)
|
||||||
#
|
#
|
||||||
# All specified input selectors in an entry must match (i.e. logical AND).
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
||||||
# An unspecified string or boolean selector with no default will match any
|
# An unspecified string or boolean selector with no default will match any
|
||||||
|
@ -40,6 +41,11 @@
|
||||||
# it has a default value of 0.
|
# it has a default value of 0.
|
||||||
# fromRunAs=true means the process being labeled is started by run-as. Default
|
# fromRunAs=true means the process being labeled is started by run-as. Default
|
||||||
# is false.
|
# is false.
|
||||||
|
# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
|
||||||
|
# restricted to run in an isolated_app domain. Processes match this selector will
|
||||||
|
# be mapped to isolated_compute_app by default. It is expected to be used together
|
||||||
|
# with user=_isolated. This selector should not be used unless it is intended
|
||||||
|
# to provide isolated processes with relaxed security restrictions.
|
||||||
#
|
#
|
||||||
# Precedence: entries are compared using the following rules, in the order shown
|
# Precedence: entries are compared using the following rules, in the order shown
|
||||||
# (see external/selinux/libselinux/src/android/android_platform.c,
|
# (see external/selinux/libselinux/src/android/android_platform.c,
|
||||||
|
@ -57,6 +63,7 @@
|
||||||
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
||||||
# defaults to 0 if unspecified.
|
# defaults to 0 if unspecified.
|
||||||
# (8) fromRunAs=true before fromRunAs=false.
|
# (8) fromRunAs=true before fromRunAs=false.
|
||||||
|
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
|
||||||
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
||||||
# longer prefix is more specific than a shorter prefix.)
|
# longer prefix is more specific than a shorter prefix.)
|
||||||
# Apps are checked against entries in precedence order until the first match,
|
# Apps are checked against entries in precedence order until the first match,
|
||||||
|
@ -122,9 +129,12 @@ neverallow user=((?!shared_relro).)* domain=shared_relro
|
||||||
|
|
||||||
# neverallow non-isolated uids into isolated_app domain
|
# neverallow non-isolated uids into isolated_app domain
|
||||||
# and vice versa
|
# and vice versa
|
||||||
neverallow user=_isolated domain=((?!isolated_app).)*
|
neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
|
||||||
neverallow user=((?!_isolated).)* domain=isolated_app
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
||||||
|
|
||||||
|
# neverallow isolatedComputeApp into domains other than isolated_compute_app
|
||||||
|
neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
|
||||||
|
|
||||||
# uid shell should always be in shell domain, however non-shell
|
# uid shell should always be in shell domain, however non-shell
|
||||||
# uid's can be in shell domain
|
# uid's can be in shell domain
|
||||||
neverallow user=shell domain=((?!shell).)*
|
neverallow user=shell domain=((?!shell).)*
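Review bot: The rewritten rule `neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*` may no longer catch an entry that sets user=_isolated but omits isIsolatedComputeApp; this depends on how check_seapp treats a selector that a neverallow names and the entry leaves out, which is not visible in this commit. The new description block gives no default for the selector, while the header says an unspecified boolean with no default matches any value, so such an entry could slip past both this rule and the new isIsolatedComputeApp=true rule. If false is the intended default, state it the way fromRunAs does, e.g. end the description with `# to provide isolated processes with relaxed security restrictions. Default is false.`, and confirm with a test entry (user=_isolated, no isIsolatedComputeApp, a domain other than isolated_app) that the build still fails. Minor: precedence item (9) lacks the trailing period that item (8) has.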
|
||||||
|
|
|
@ -213,6 +213,7 @@ key_map rules[] = {
|
||||||
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
|
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
|
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
|
||||||
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
|
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
|
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
/*Outputs*/
|
/*Outputs*/
|
||||||
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
|
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
|
||||||
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },
|
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },
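Review bot: Registering `isIsolatedComputeApp` in this table only makes the build-time checker accept the key. The runtime parser that the seapp_contexts header points to (external/selinux/libselinux/src/android/android_platform.c) is not part of this two-file commit, so it is worth confirming that it already recognises the selector before any policy entry uses it. A short comment above the input keys would help keep the two lists in step, e.g. `/* Input selectors: keep in sync with the seapp_contexts parser in libselinux */`. The `rules[]` initializer starts and ends outside this hunk.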
|
||||||
|
|