9ba844fea1
This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set. As there is now only a single platform app domains, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS. Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml. Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
45 lines
1.9 KiB
Text
45 lines
1.9 KiB
Text
# Input selectors:
|
|
# isSystemServer (boolean)
|
|
# user (string)
|
|
# seinfo (string)
|
|
# name (string)
|
|
# path (string)
|
|
# sebool (string)
|
|
# isSystemServer=true can only be used once.
|
|
# An unspecified isSystemServer defaults to false.
|
|
# An unspecified string selector will match any value.
|
|
# A user string selector that ends in * will perform a prefix match.
|
|
# user=_app will match any regular app UID.
|
|
# user=_isolated will match any isolated service UID.
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
# Matching is case-insensitive.
|
|
# Precedence rules:
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
|
# (2) Specified user= string before unspecified user= string.
|
|
# (3) Fixed user= string before user= prefix (i.e. ending in *).
|
|
# (4) Longer user= prefix before shorter user= prefix.
|
|
# (5) Specified seinfo= string before unspecified seinfo= string.
|
|
# (6) Specified name= string before unspecified name= string.
|
|
# (7) Specified path= string before unspecified path= string.
|
|
# (8) Specified sebool= string before unspecified sebool= string.
|
|
#
|
|
# Outputs:
|
|
# domain (string)
|
|
# type (string)
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
# level (string)
|
|
# Only entries that specify domain= will be used for app process labeling.
|
|
# Only entries that specify type= will be used for app directory labeling.
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
|
# level may be used to specify a fixed level for any UID.
|
|
#
|
|
isSystemServer=true domain=system_server
|
|
user=system domain=system_app type=system_data_file
|
|
user=bluetooth domain=bluetooth type=bluetooth_data_file
|
|
user=nfc domain=nfc type=nfc_data_file
|
|
user=radio domain=radio type=radio_data_file
|
|
user=shell domain=shell type=shell_data_file
|
|
user=_isolated domain=isolated_app
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file
|
|
user=_app domain=untrusted_app type=app_data_file
|