12de184d37
Defense in depth: ensure no other app can access rkpd data files. Test: Presubmits. Change-Id: Id3ca9829eadf19fb50da8d0a7414706121871633
200 lines
11 KiB
Text
200 lines
11 KiB
Text
# The entries in this file define how security contexts for apps are determined.
|
|
# Each entry lists input selectors, used to match the app, and outputs which are
|
|
# used to determine the security contexts for matching apps.
|
|
#
|
|
# Input selectors:
|
|
# isSystemServer (boolean)
|
|
# isEphemeralApp (boolean)
|
|
# user (string)
|
|
# seinfo (string)
|
|
# name (string)
|
|
# isPrivApp (boolean)
|
|
# minTargetSdkVersion (unsigned integer)
|
|
# fromRunAs (boolean)
|
|
# isIsolatedComputeApp (boolean)
|
|
# isSdkSandboxNext (boolean)
|
|
#
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
# An unspecified string or boolean selector with no default will match any
|
|
# value.
|
|
# A user, or name string selector that ends in * will perform a prefix
|
|
# match.
|
|
# String matching is case-insensitive.
|
|
# See external/selinux/libselinux/src/android/android_platform.c,
|
|
# seapp_context_lookup().
|
|
#
|
|
# isSystemServer=true only matches the system server.
|
|
# An unspecified isSystemServer defaults to false.
|
|
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
|
|
# user=_app will match any regular app process.
|
|
# user=_isolated will match any isolated service process.
|
|
# user=_sdksandbox will match sdk sandbox process for an app.
|
|
# Other values of user are matched against the name associated with the process
|
|
# UID.
|
|
# seinfo= matches aginst the seinfo tag for the app, determined from
|
|
# mac_permissions.xml files.
|
|
# The ':' character is reserved and may not be used in seinfo.
|
|
# name= matches against the package name of the app.
|
|
# isPrivApp=true will only match for applications preinstalled in
|
|
# /system/priv-app.
|
|
# minTargetSdkVersion will match applications with a targetSdkVersion
|
|
# greater than or equal to the specified value. If unspecified,
|
|
# it has a default value of 0.
|
|
# fromRunAs=true means the process being labeled is started by run-as. Default
|
|
# is false.
|
|
# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
|
|
# restricted to run in an isolated_app domain. Processes match this selector will
|
|
# be mapped to isolated_compute_app by default. It is expected to be used together
|
|
# with user=_isolated. This selector should not be used unless it is intended
|
|
# to provide isolated processes with relaxed security restrictions.
|
|
#
|
|
# isSdkSandboxNext=true means sdk sandbox processes will get
|
|
# sdk_sandbox_next sepolicy applied to them.
|
|
#
|
|
# Precedence: entries are compared using the following rules, in the order shown
|
|
# (see external/selinux/libselinux/src/android/android_platform.c,
|
|
# seapp_context_cmp()).
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
|
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
|
|
# boolean.
|
|
# (3) Specified user= string before unspecified user= string;
|
|
# more specific user= string before less specific user= string.
|
|
# (4) Specified seinfo= string before unspecified seinfo= string.
|
|
# (5) Specified name= string before unspecified name= string;
|
|
# more specific name= string before less specific name= string.
|
|
# (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
|
|
# (7) Higher value of minTargetSdkVersion= before lower value of
|
|
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
|
# defaults to 0 if unspecified.
|
|
# (8) fromRunAs=true before fromRunAs=false.
|
|
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
|
|
# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
|
|
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
|
# longer prefix is more specific than a shorter prefix.)
|
|
# Apps are checked against entries in precedence order until the first match,
|
|
# regardless of their order in this file.
|
|
#
|
|
# Duplicate entries, i.e. with identical input selectors, are not allowed.
|
|
#
|
|
# Outputs:
|
|
# domain (string)
|
|
# type (string)
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
# level (string)
|
|
#
|
|
# domain= determines the label to be used for the app process; entries
|
|
# without domain= are ignored for this purpose.
|
|
# type= specifies the label to be used for the app data directory; entries
|
|
# without type= are ignored for this purpose. The label specified must
|
|
# have the app_data_file_type attribute.
|
|
# levelFrom and level are used to determine the level (sensitivity + categories)
|
|
# for MLS/MCS.
|
|
# levelFrom=none omits the level.
|
|
# levelFrom=app determines the level from the process UID.
|
|
# levelFrom=user determines the level from the user ID.
|
|
# levelFrom=all determines the level from both UID and user ID.
|
|
#
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
|
# level may be used to specify a fixed level for any UID.
|
|
#
|
|
# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
|
|
# and levelFromUid=false is equivalent to levelFrom=none.
|
|
#
|
|
#
|
|
# Neverallow Assertions
|
|
# Additional compile time assertion checks for the rules in this file can be
|
|
# added as well. The assertion
|
|
# rules are lines beginning with the keyword neverallow. Full support for PCRE
|
|
# regular expressions exists on all input and output selectors. Neverallow
|
|
# rules are never output to the built seapp_contexts file. Like all keywords,
|
|
# neverallows are case-insensitive. A neverallow is asserted when all key value
|
|
# inputs are matched on a key value rule line.
|
|
#
|
|
|
|
# only the system server can be assigned the system_server domains
|
|
neverallow isSystemServer=false domain=system_server
|
|
neverallow isSystemServer=false domain=system_server_startup
|
|
neverallow isSystemServer="" domain=system_server
|
|
neverallow isSystemServer="" domain=system_server_startup
|
|
|
|
# system domains should never be assigned outside of system uid
|
|
neverallow user=((?!system).)* domain=system_app
|
|
neverallow user=((?!system).)* type=system_app_data_file
|
|
|
|
# any non priv-app with a non-known uid with a specified name should have a specified
|
|
# seinfo
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=""
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=default
|
|
|
|
# neverallow shared relro to any other domain
|
|
# and neverallow any other uid into shared_relro
|
|
neverallow user=shared_relro domain=((?!shared_relro).)*
|
|
neverallow user=((?!shared_relro).)* domain=shared_relro
|
|
|
|
# neverallow non-isolated uids into isolated_app domain
|
|
# and vice versa
|
|
neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
|
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
|
|
|
# neverallow isolatedComputeApp into domains other than isolated_compute_app
|
|
neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
|
|
|
|
# uid shell should always be in shell domain, however non-shell
|
|
# uid's can be in shell domain
|
|
neverallow user=shell domain=((?!shell).)*
|
|
|
|
# only the package named com.android.shell can run in the shell domain
|
|
neverallow domain=shell name=((?!com\.android\.shell).)*
|
|
neverallow user=shell name=((?!com\.android\.shell).)*
|
|
|
|
# Ephemeral Apps must run in the ephemeral_app domain
|
|
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
|
|
|
isSystemServer=true domain=system_server_startup
|
|
|
|
# sdksandbox must run in an sdksandbox domain
|
|
neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
|
|
|
|
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
|
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
|
|
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
|
|
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
|
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
|
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
|
user=shared_relro domain=shared_relro levelFrom=all
|
|
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
|
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
|
user=_isolated domain=isolated_app levelFrom=user
|
|
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
|
|
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
|
|
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
|
|
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
|
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
|
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
|
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
|
|
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
|
|
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
|
|
user=_app fromRunAs=true domain=runas_app levelFrom=user
|