# The entries in this file define how security contexts for apps are determined. # Each entry lists input selectors, used to match the app, and outputs which are # used to determine the security contexts for matching apps. # # Input selectors: # isSystemServer (boolean) # isEphemeralApp (boolean) # user (string) # seinfo (string) # name (string) # isPrivApp (boolean) # minTargetSdkVersion (unsigned integer) # fromRunAs (boolean) # isIsolatedComputeApp (boolean) # isSdkSandboxNext (boolean) # # All specified input selectors in an entry must match (i.e. logical AND). # An unspecified string or boolean selector with no default will match any # value. # A user, or name string selector that ends in * will perform a prefix # match. # String matching is case-insensitive. # See external/selinux/libselinux/src/android/android_platform.c, # seapp_context_lookup(). # # isSystemServer=true only matches the system server. # An unspecified isSystemServer defaults to false. # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral # user=_app will match any regular app process. # user=_isolated will match any isolated service process. # user=_sdksandbox will match sdk sandbox process for an app. # Other values of user are matched against the name associated with the process # UID. # seinfo= matches aginst the seinfo tag for the app, determined from # mac_permissions.xml files. # The ':' character is reserved and may not be used in seinfo. # name= matches against the package name of the app. # isPrivApp=true will only match for applications preinstalled in # /system/priv-app. # minTargetSdkVersion will match applications with a targetSdkVersion # greater than or equal to the specified value. If unspecified, # it has a default value of 0. # fromRunAs=true means the process being labeled is started by run-as. Default # is false. # isIsolatedComputeApp=true means the process re-uses an isolated Uid but not # restricted to run in an isolated_app domain. Processes match this selector will # be mapped to isolated_compute_app by default. It is expected to be used together # with user=_isolated. This selector should not be used unless it is intended # to provide isolated processes with relaxed security restrictions. # An unspecified isIsolatedComputeApp defaults to false. # # isSdkSandboxNext=true means sdk sandbox processes will get # sdk_sandbox_next sepolicy applied to them. # An unspecified isSdkSandboxNext defaults to false. # # Precedence: entries are compared using the following rules, in the order shown # (see external/selinux/libselinux/src/android/android_platform.c, # seapp_context_cmp()). # (1) isSystemServer=true before isSystemServer=false. # (2) Specified isEphemeralApp= before unspecified isEphemeralApp= # boolean. # (3) Specified user= string before unspecified user= string; # more specific user= string before less specific user= string. # (4) Specified seinfo= string before unspecified seinfo= string. # (5) Specified name= string before unspecified name= string; # more specific name= string before less specific name= string. # (6) Specified isPrivApp= before unspecified isPrivApp= boolean. # (7) Higher value of minTargetSdkVersion= before lower value of # minTargetSdkVersion= integer. Note that minTargetSdkVersion= # defaults to 0 if unspecified. # (8) fromRunAs=true before fromRunAs=false. # (9) Platform seapp_contexts files (system, system_ext, product) before # vendor seapp_contexts files (vendor, odm). # (A fixed selector is more specific than a prefix, i.e. ending in *, and a # longer prefix is more specific than a shorter prefix.) # Apps are checked against entries in precedence order until the first match, # regardless of their order in this file. # # Duplicate entries, i.e. with identical input selectors, are not allowed. # # Outputs: # domain (string) # type (string) # levelFrom (string; one of none, all, app, or user) # level (string) # # domain= determines the label to be used for the app process; entries # without domain= are ignored for this purpose. # type= specifies the label to be used for the app data directory; entries # without type= are ignored for this purpose. The label specified must # have the app_data_file_type attribute. # levelFrom and level are used to determine the level (sensitivity + categories) # for MLS/MCS. # levelFrom=none omits the level. # levelFrom=app determines the level from the process UID. # levelFrom=user determines the level from the user ID. # levelFrom=all determines the level from both UID and user ID. # # levelFrom=user is only supported for _app or _isolated UIDs. # levelFrom=app or levelFrom=all is only supported for _app UIDs. # level may be used to specify a fixed level for any UID. # # For backwards compatibility levelFromUid=true is equivalent to levelFrom=app # and levelFromUid=false is equivalent to levelFrom=none. # # # Neverallow Assertions # Additional compile time assertion checks for the rules in this file can be # added as well. The assertion # rules are lines beginning with the keyword neverallow. Full support for PCRE # regular expressions exists on all input and output selectors. Neverallow # rules are never output to the built seapp_contexts file. Like all keywords, # neverallows are case-insensitive. A neverallow is asserted when all key value # inputs are matched on a key value rule line. # # only the system server can be assigned the system_server domains neverallow isSystemServer=false domain=system_server neverallow isSystemServer=false domain=system_server_startup neverallow isSystemServer="" domain=system_server neverallow isSystemServer="" domain=system_server_startup # system domains should never be assigned outside of system uid neverallow user=((?!system).)* domain=system_app neverallow user=((?!system).)* type=system_app_data_file # any non priv-app with a non-known uid with a specified name should have a specified # seinfo neverallow user=_app isPrivApp=false name=.* seinfo="" neverallow user=_app isPrivApp=false name=.* seinfo=default # neverallow shared relro to any other domain # and neverallow any other uid into shared_relro neverallow user=shared_relro domain=((?!shared_relro).)* neverallow user=((?!shared_relro).)* domain=shared_relro # neverallow non-isolated uids into isolated_app domain # and vice versa neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)* neverallow user=((?!_isolated).)* domain=isolated_app # neverallow isolatedComputeApp into domains other than isolated_compute_app neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)* # uid shell should always be in shell domain, however non-shell # uid's can be in shell domain neverallow user=shell domain=((?!shell).)* # only the package named com.android.shell can run in the shell domain neverallow domain=shell name=((?!com\.android\.shell).)* neverallow user=shell name=((?!com\.android\.shell).)* # Ephemeral Apps must run in the ephemeral_app domain neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* isSystemServer=true domain=system_server_startup # sdksandbox must run in an sdksandbox domain neverallow user=_sdksandbox domain=((?!sdk_sandbox).)* user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all user=system seinfo=platform domain=system_app type=system_app_data_file user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file user=nfc seinfo=platform domain=nfc type=nfc_data_file user=secure_element seinfo=platform domain=secure_element levelFrom=all user=radio seinfo=platform domain=radio type=radio_data_file user=shared_relro domain=shared_relro levelFrom=all user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file user=webview_zygote seinfo=webview_zygote domain=webview_zygote user=_isolated domain=isolated_app levelFrom=user user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all user=_app seinfo=app_zygote domain=app_zygote levelFrom=user user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all user=_app fromRunAs=true domain=runas_app levelFrom=user