400d3ac140
Initial check in of empty autoplay_app.te policy file. Create isAutoPlayApp input selector. Give this selector high precedence - only below isSystemServer. Add neverallow rule disallowing an app context with isAutoPlayApp=true from running in a domain other than autoplay_app. Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
99 lines
4.4 KiB
Text
99 lines
4.4 KiB
Text
# Input selectors:
|
|
# isSystemServer (boolean)
|
|
# isAutoPlayApp (boolean)
|
|
# isOwner (boolean)
|
|
# user (string)
|
|
# seinfo (string)
|
|
# name (string)
|
|
# path (string)
|
|
# isPrivApp (boolean)
|
|
# isSystemServer=true can only be used once.
|
|
# An unspecified isSystemServer defaults to false.
|
|
# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
|
|
# isOwner=true will only match for the owner/primary user.
|
|
# isOwner=false will only match for secondary users.
|
|
# If unspecified, the entry can match either case.
|
|
# An unspecified string selector will match any value.
|
|
# A user string selector that ends in * will perform a prefix match.
|
|
# user=_app will match any regular app UID.
|
|
# user=_isolated will match any isolated service UID.
|
|
# isPrivApp=true will only match for applications preinstalled in
|
|
# /system/priv-app.
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
# Matching is case-insensitive.
|
|
#
|
|
# Precedence rules:
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
|
# (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
|
|
# (3) Specified isOwner= before unspecified isOwner= boolean.
|
|
# (4) Specified user= string before unspecified user= string.
|
|
# (5) Fixed user= string before user= prefix (i.e. ending in *).
|
|
# (6) Longer user= prefix before shorter user= prefix.
|
|
# (7) Specified seinfo= string before unspecified seinfo= string.
|
|
# ':' character is reserved and may not be used.
|
|
# (8) Specified name= string before unspecified name= string.
|
|
# (9) Specified path= string before unspecified path= string.
|
|
# (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
|
|
#
|
|
# Outputs:
|
|
# domain (string)
|
|
# type (string)
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
# level (string)
|
|
# Only entries that specify domain= will be used for app process labeling.
|
|
# Only entries that specify type= will be used for app directory labeling.
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
|
# level may be used to specify a fixed level for any UID.
|
|
#
|
|
#
|
|
# Neverallow Assertions
|
|
# Additional compile time assertion checks can be added as well. The assertion
|
|
# rules are lines beginning with the keyword neverallow. Full support for PCRE
|
|
# regular expressions exists on all input and output selectors. Neverallow
|
|
# rules are never output to the built seapp_contexts file. Like all keywords,
|
|
# neverallows are case-insensitive. A neverallow is asserted when all key value
|
|
# inputs are matched on a key value rule line.
|
|
#
|
|
|
|
# only the system server can be in system_server domain
|
|
neverallow isSystemServer=false domain=system_server
|
|
neverallow isSystemServer="" domain=system_server
|
|
|
|
# system domains should never be assigned outside of system uid
|
|
neverallow user=((?!system).)* domain=system_app
|
|
neverallow user=((?!system).)* type=system_app_data_file
|
|
|
|
# anything with a non-known uid with a specified name should have a specified seinfo
|
|
neverallow user=_app name=.* seinfo=""
|
|
neverallow user=_app name=.* seinfo=default
|
|
|
|
# neverallow shared relro to any other domain
|
|
# and neverallow any other uid into shared_relro
|
|
neverallow user=shared_relro domain=((?!shared_relro).)*
|
|
neverallow user=((?!shared_relro).)* domain=shared_relro
|
|
|
|
# neverallow non-isolated uids into isolated_app domain
|
|
# and vice versa
|
|
neverallow user=_isolated domain=((?!isolated_app).)*
|
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
|
|
|
# uid shell should always be in shell domain, however non-shell
|
|
# uid's can be in shell domain
|
|
neverallow user=shell domain=((?!shell).)*
|
|
|
|
# AutoPlay Apps must run in the autoplay_app domain
|
|
neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
|
|
|
|
isSystemServer=true domain=system_server
|
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
|
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
|
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
|
user=shared_relro domain=shared_relro
|
|
user=shell seinfo=platform domain=shell type=shell_data_file
|
|
user=_isolated domain=isolated_app levelFrom=user
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
|
user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
|
|
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
|
|
user=_app domain=untrusted_app type=app_data_file levelFrom=user
|