d7a1aaf108
Google is added to the package names to differentiate the Google specific modules from AOSP modules. This causes RKPD Google module to not get proper permissions since we permit only AOSP module currently. Test: Tested on Pixel 7 device Change-Id: Ia7c39ef85cedf20f705c27a5944b6f87f786cc1b
181 lines
9.6 KiB
Text
181 lines
9.6 KiB
Text
# The entries in this file define how security contexts for apps are determined.
|
|
# Each entry lists input selectors, used to match the app, and outputs which are
|
|
# used to determine the security contexts for matching apps.
|
|
#
|
|
# Input selectors:
|
|
# isSystemServer (boolean)
|
|
# isEphemeralApp (boolean)
|
|
# user (string)
|
|
# seinfo (string)
|
|
# name (string)
|
|
# isPrivApp (boolean)
|
|
# minTargetSdkVersion (unsigned integer)
|
|
# fromRunAs (boolean)
|
|
#
|
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
|
# An unspecified string or boolean selector with no default will match any
|
|
# value.
|
|
# A user, or name string selector that ends in * will perform a prefix
|
|
# match.
|
|
# String matching is case-insensitive.
|
|
# See external/selinux/libselinux/src/android/android_platform.c,
|
|
# seapp_context_lookup().
|
|
#
|
|
# isSystemServer=true only matches the system server.
|
|
# An unspecified isSystemServer defaults to false.
|
|
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
|
|
# user=_app will match any regular app process.
|
|
# user=_isolated will match any isolated service process.
|
|
# user=_sdksandbox will match sdk sandbox process for an app.
|
|
# Other values of user are matched against the name associated with the process
|
|
# UID.
|
|
# seinfo= matches aginst the seinfo tag for the app, determined from
|
|
# mac_permissions.xml files.
|
|
# The ':' character is reserved and may not be used in seinfo.
|
|
# name= matches against the package name of the app.
|
|
# isPrivApp=true will only match for applications preinstalled in
|
|
# /system/priv-app.
|
|
# minTargetSdkVersion will match applications with a targetSdkVersion
|
|
# greater than or equal to the specified value. If unspecified,
|
|
# it has a default value of 0.
|
|
# fromRunAs=true means the process being labeled is started by run-as. Default
|
|
# is false.
|
|
#
|
|
# Precedence: entries are compared using the following rules, in the order shown
|
|
# (see external/selinux/libselinux/src/android/android_platform.c,
|
|
# seapp_context_cmp()).
|
|
# (1) isSystemServer=true before isSystemServer=false.
|
|
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
|
|
# boolean.
|
|
# (3) Specified user= string before unspecified user= string;
|
|
# more specific user= string before less specific user= string.
|
|
# (4) Specified seinfo= string before unspecified seinfo= string.
|
|
# (5) Specified name= string before unspecified name= string;
|
|
# more specific name= string before less specific name= string.
|
|
# (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
|
|
# (7) Higher value of minTargetSdkVersion= before lower value of
|
|
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
|
|
# defaults to 0 if unspecified.
|
|
# (8) fromRunAs=true before fromRunAs=false.
|
|
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
|
|
# longer prefix is more specific than a shorter prefix.)
|
|
# Apps are checked against entries in precedence order until the first match,
|
|
# regardless of their order in this file.
|
|
#
|
|
# Duplicate entries, i.e. with identical input selectors, are not allowed.
|
|
#
|
|
# Outputs:
|
|
# domain (string)
|
|
# type (string)
|
|
# levelFrom (string; one of none, all, app, or user)
|
|
# level (string)
|
|
#
|
|
# domain= determines the label to be used for the app process; entries
|
|
# without domain= are ignored for this purpose.
|
|
# type= specifies the label to be used for the app data directory; entries
|
|
# without type= are ignored for this purpose. The label specified must
|
|
# have the app_data_file_type attribute.
|
|
# levelFrom and level are used to determine the level (sensitivity + categories)
|
|
# for MLS/MCS.
|
|
# levelFrom=none omits the level.
|
|
# levelFrom=app determines the level from the process UID.
|
|
# levelFrom=user determines the level from the user ID.
|
|
# levelFrom=all determines the level from both UID and user ID.
|
|
#
|
|
# levelFrom=user is only supported for _app or _isolated UIDs.
|
|
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
|
# level may be used to specify a fixed level for any UID.
|
|
#
|
|
# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
|
|
# and levelFromUid=false is equivalent to levelFrom=none.
|
|
#
|
|
#
|
|
# Neverallow Assertions
|
|
# Additional compile time assertion checks for the rules in this file can be
|
|
# added as well. The assertion
|
|
# rules are lines beginning with the keyword neverallow. Full support for PCRE
|
|
# regular expressions exists on all input and output selectors. Neverallow
|
|
# rules are never output to the built seapp_contexts file. Like all keywords,
|
|
# neverallows are case-insensitive. A neverallow is asserted when all key value
|
|
# inputs are matched on a key value rule line.
|
|
#
|
|
|
|
# only the system server can be assigned the system_server domains
|
|
neverallow isSystemServer=false domain=system_server
|
|
neverallow isSystemServer=false domain=system_server_startup
|
|
neverallow isSystemServer="" domain=system_server
|
|
neverallow isSystemServer="" domain=system_server_startup
|
|
|
|
# system domains should never be assigned outside of system uid
|
|
neverallow user=((?!system).)* domain=system_app
|
|
neverallow user=((?!system).)* type=system_app_data_file
|
|
|
|
# any non priv-app with a non-known uid with a specified name should have a specified
|
|
# seinfo
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=""
|
|
neverallow user=_app isPrivApp=false name=.* seinfo=default
|
|
|
|
# neverallow shared relro to any other domain
|
|
# and neverallow any other uid into shared_relro
|
|
neverallow user=shared_relro domain=((?!shared_relro).)*
|
|
neverallow user=((?!shared_relro).)* domain=shared_relro
|
|
|
|
# neverallow non-isolated uids into isolated_app domain
|
|
# and vice versa
|
|
neverallow user=_isolated domain=((?!isolated_app).)*
|
|
neverallow user=((?!_isolated).)* domain=isolated_app
|
|
|
|
# uid shell should always be in shell domain, however non-shell
|
|
# uid's can be in shell domain
|
|
neverallow user=shell domain=((?!shell).)*
|
|
|
|
# only the package named com.android.shell can run in the shell domain
|
|
neverallow domain=shell name=((?!com\.android\.shell).)*
|
|
neverallow user=shell name=((?!com\.android\.shell).)*
|
|
|
|
# Ephemeral Apps must run in the ephemeral_app domain
|
|
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
|
|
|
isSystemServer=true domain=system_server_startup
|
|
|
|
# sdksandbox must run in the sdksandbox domain
|
|
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
|
|
|
|
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
|
|
user=system seinfo=platform domain=system_app type=system_app_data_file
|
|
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
|
|
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
|
|
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
|
user=secure_element seinfo=platform domain=secure_element levelFrom=all
|
|
user=radio seinfo=platform domain=radio type=radio_data_file
|
|
user=shared_relro domain=shared_relro levelFrom=all
|
|
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
|
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
|
user=_isolated domain=isolated_app levelFrom=user
|
|
user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
|
|
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
|
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
|
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
|
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
|
|
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
|
|
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
|
|
user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
|
|
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
|
|
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
|
|
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
|
|
user=_app fromRunAs=true domain=runas_app levelFrom=user
|
|
|