platform_system_sepolicy/public/untrusted_app.te
Jeff Vander Stoep 1f7ae8ee3f reland: untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-22 09:47:53 +00:00

30 lines
1.3 KiB
Text

###
### Untrusted apps.
###
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The untrusted_app domain is the default assignment in
### seapp_contexts for any app with UID between APP_AID (10000)
### and AID_ISOLATED_START (99000) if the app has no specific seinfo
### value as determined from mac_permissions.xml. In current AOSP, this
### domain is assigned to all non-system apps as well as to any system apps
### that are not signed by the platform key. To move
### a system app into a specific domain, add a signer entry for it to
### mac_permissions.xml and assign it one of the pre-existing seinfo values
### or define and use a new seinfo value in both mac_permissions.xml and
### seapp_contexts.
###
# This file defines the rules for untrusted apps running with
# targetSdkVersion >= 30.
type untrusted_app, domain;
# This file defines the rules for untrusted apps running with
# targetSdkVersion = 29.
type untrusted_app_29, domain;
# This file defines the rules for untrusted apps running with
# 25 < targetSdkVersion <= 28.
type untrusted_app_27, domain;
# This file defines the rules for untrusted apps running with
# targetSdkVersion <= 25.
type untrusted_app_25, domain;