5d6b66c8ea
This reverts commit 76a62dfb3e.
Reason for revert: Relanding with virtual_camera flag disabled to prevent test failures before rc entry is added for the service (which needs to be done after this cl is submitted to prevent boot test failing due to selinux denials).
Test: https://android-build.corp.google.com/builds/abtd/run/L11500030000350228
Change-Id: Ie621f89610b173918bb4c0b6eb1f35547f56f6b7
224 lines
12 KiB
Text
224 lines
12 KiB
Text
# The entries in this file define how security contexts for apps are determined.
|
|
# Each entry lists input selectors, used to match the app, and outputs which are
|
|
# used to determine the security contexts for matching apps.
|
|
#
|
|
# Input selectors:
|
|
# isSystemServer (boolean)
|
|
# isEphemeralApp (boolean)
|
|
# user (string)
|
|
# seinfo (string)
|
|
# name (string)
|
|
# isPrivApp (boolean)
|
|
# minTargetSdkVersion (unsigned integer)
|
|
# fromRunAs (boolean)
|
|
# isIsolatedComputeApp (boolean)
|
|
# isSdkSandboxNext (boolean)
|
|
# isSdkSandboxAudit (boolean)
|
|
#
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
# An unspecified string or boolean selector with no default will match any
|
|
# value.
|
|
# A user, or name string selector that ends in * will perform a prefix
|
|
# match.
|
|
# String matching is case-insensitive.
|
|
# See external/selinux/libselinux/src/android/android_platform.c,
|
|
# seapp_context_lookup().
|
|
#
|
|
# isSystemServer=true only matches the system server.
|
|
# An unspecified isSystemServer defaults to false.
|
|
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
|
|
# user=_app will match any regular app process.
|
|
# user=_isolated will match any isolated service process.
|
|
# user=_sdksandbox will match sdk sandbox process for an app.
|
|
# Other values of user are matched against the name associated with the process
|
|
# UID.
|
|
# seinfo= matches aginst the seinfo tag for the app, determined from
|
|
# mac_permissions.xml files.
|
|
# The ':' character is reserved and may not be used in seinfo.
|
|
# name= matches against the package name of the app.
|
|
# isPrivApp=true will only match for applications preinstalled in
|
|
# /system/priv-app.
|
|
# minTargetSdkVersion will match applications with a targetSdkVersion
|
|
# greater than or equal to the specified value. If unspecified,
|
|
# it has a default value of 0.
|
|
# fromRunAs=true means the process being labeled is started by run-as. Default
|
|
# is false.
|
|
# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
|
|
# restricted to run in an isolated_app domain. Processes match this selector will
|
|
# be mapped to isolated_compute_app by default. It is expected to be used together
|
|
# with user=_isolated. This selector should not be used unless it is intended
|
|
# to provide isolated processes with relaxed security restrictions.
|
|
# An unspecified isIsolatedComputeApp defaults to false.
|
|
#
|
|
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
|
|
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
|
|
# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
|
|
# as the current dessert release, with additional auditing rules for the accesses
|
|
# we are considering forbidding in the upcoming release.
|
|
#
|
|
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
|
|
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
|
|
# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
|
|
# as the current dessert release, with additional auditing rules for the accesses
|
|
# we are considering forbidding in the upcoming release.
|
|
#
|
|
# isSdkSandboxNext=true means sdk sandbox processes will get
|
|
# sdk_sandbox_next sepolicy applied to them.
|
|
# An unspecified isSdkSandboxNext defaults to false.
|
|
#
|
|
# isSdkSandboxAudit=true means sdk sandbox processes will get
|
|
# sdk_sandbox_audit sepolicy applied to them.
|
|
# An unspecified isSdkSandboxAudit defaults to false.
|
|
#
|
|
# isSdkSandboxAudit=true means sdk sandbox processes will get
|
|
# sdk_sandbox_audit sepolicy applied to them.
|
|
# An unspecified isSdkSandboxAudit defaults to false.
|
|
#
|
|
# Precedence: entries are compared using the following rules, in the order shown
|
|
# (see external/selinux/libselinux/src/android/android_platform.c,
|
|
# seapp_context_cmp()).
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
|
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
|
|
# boolean.
|
|
# (3) Specified user= string before unspecified user= string;
|
|
# more specific user= string before less specific user= string.
|
|
# (4) Specified seinfo= string before unspecified seinfo= string.
|
|
# (5) Specified name= string before unspecified name= string;
|
|
# more specific name= string before less specific name= string.
|
|
# (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
|
|
# (7) Higher value of minTargetSdkVersion= before lower value of
|
|
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
|
# defaults to 0 if unspecified.
|
|
# (8) fromRunAs=true before fromRunAs=false.
|
|
# (9) Platform seapp_contexts files (system, system_ext, product) before
|
|
# vendor seapp_contexts files (vendor, odm).
|
|
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
|
# longer prefix is more specific than a shorter prefix.)
|
|
# Apps are checked against entries in precedence order until the first match,
|
|
# regardless of their order in this file.
|
|
#
|
|
# Duplicate entries, i.e. with identical input selectors, are not allowed.
|
|
#
|
|
# Outputs:
|
|
# domain (string)
|
|
# type (string)
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
# level (string)
|
|
#
|
|
# domain= determines the label to be used for the app process; entries
|
|
# without domain= are ignored for this purpose.
|
|
# type= specifies the label to be used for the app data directory; entries
|
|
# without type= are ignored for this purpose. The label specified must
|
|
# have the app_data_file_type attribute.
|
|
# levelFrom and level are used to determine the level (sensitivity + categories)
|
|
# for MLS/MCS.
|
|
# levelFrom=none omits the level.
|
|
# levelFrom=app determines the level from the process UID.
|
|
# levelFrom=user determines the level from the user ID.
|
|
# levelFrom=all determines the level from both UID and user ID.
|
|
#
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
|
# level may be used to specify a fixed level for any UID.
|
|
#
|
|
# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
|
|
# and levelFromUid=false is equivalent to levelFrom=none.
|
|
#
|
|
#
|
|
# Neverallow Assertions
|
|
# Additional compile time assertion checks for the rules in this file can be
|
|
# added as well. The assertion
|
|
# rules are lines beginning with the keyword neverallow. Full support for PCRE
|
|
# regular expressions exists on all input and output selectors. Neverallow
|
|
# rules are never output to the built seapp_contexts file. Like all keywords,
|
|
# neverallows are case-insensitive. A neverallow is asserted when all key value
|
|
# inputs are matched on a key value rule line.
|
|
#
|
|
|
|
# only the system server can be assigned the system_server domains
|
|
neverallow isSystemServer=false domain=system_server
|
|
neverallow isSystemServer=false domain=system_server_startup
|
|
neverallow isSystemServer="" domain=system_server
|
|
neverallow isSystemServer="" domain=system_server_startup
|
|
|
|
# system domains should never be assigned outside of system uid
|
|
neverallow user=((?!system).)* domain=system_app
|
|
neverallow user=((?!system).)* type=system_app_data_file
|
|
|
|
# any non priv-app with a non-known uid with a specified name should have a specified
|
|
# seinfo
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=""
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=default
|
|
|
|
# neverallow shared relro to any other domain
|
|
# and neverallow any other uid into shared_relro
|
|
neverallow user=shared_relro domain=((?!shared_relro).)*
|
|
neverallow user=((?!shared_relro).)* domain=shared_relro
|
|
|
|
# neverallow non-isolated uids into isolated_app domain
|
|
# and vice versa
|
|
neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
|
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
|
|
|
# neverallow isolatedComputeApp into domains other than isolated_compute_app
|
|
neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
|
|
|
|
# uid shell should always be in shell domain, however non-shell
|
|
# uid's can be in shell domain
|
|
neverallow user=shell domain=((?!shell).)*
|
|
|
|
# only the package named com.android.shell can run in the shell domain
|
|
neverallow domain=shell name=((?!com\.android\.shell).)*
|
|
neverallow user=shell name=((?!com\.android\.shell).)*
|
|
|
|
# Ephemeral Apps must run in the ephemeral_app domain
|
|
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
|
|
|
isSystemServer=true domain=system_server_startup
|
|
|
|
# sdksandbox must run in an sdksandbox domain
|
|
neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
|
|
|
|
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
|
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
|
|
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
|
|
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
|
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
|
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
|
user=shared_relro domain=shared_relro levelFrom=all
|
|
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
|
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
|
user=_isolated domain=isolated_app levelFrom=user
|
|
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
|
|
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
|
|
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
|
|
user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
|
|
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
|
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
|
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
|
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
|
|
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
|
|
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
|
|
user=_app fromRunAs=true domain=runas_app levelFrom=user
|