| # The entries in this file define how security contexts for apps are determined. |
| # Each entry lists input selectors, used to match the app, and outputs which are |
| # used to determine the security contexts for matching apps. |
| # |
| # Input selectors: |
| # isSystemServer (boolean) |
| # isEphemeralApp (boolean) |
| # isOwner (boolean) |
| # user (string) |
| # seinfo (string) |
| # name (string) |
| # path (string) |
| # isPrivApp (boolean) |
| # minTargetSdkVersion (unsigned integer) |
| # fromRunAs (boolean) |
| # |
| # All specified input selectors in an entry must match (i.e. logical AND). |
| # An unspecified string or boolean selector with no default will match any |
| # value. |
| # A user, name, or path string selector that ends in * will perform a prefix |
| # match. |
| # String matching is case-insensitive. |
| # See external/selinux/libselinux/src/android/android_platform.c, |
| # seapp_context_lookup(). |
| # |
| # isSystemServer=true only matches the system server. |
| # An unspecified isSystemServer defaults to false. |
| # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral |
| # isOwner=true will only match for the owner/primary user. |
| # user=_app will match any regular app process. |
| # user=_isolated will match any isolated service process. |
| # Other values of user are matched against the name associated with the process |
| # UID. |
| # seinfo= matches aginst the seinfo tag for the app, determined from |
| # mac_permissions.xml files. |
| # The ':' character is reserved and may not be used in seinfo. |
| # name= matches against the package name of the app. |
| # path= matches against the directory path when labeling app directories. |
| # isPrivApp=true will only match for applications preinstalled in |
| # /system/priv-app. |
| # minTargetSdkVersion will match applications with a targetSdkVersion |
| # greater than or equal to the specified value. If unspecified, |
| # it has a default value of 0. |
| # fromRunAs=true means the process being labeled is started by run-as. Default |
| # is false. |
| # |
| # Precedence: entries are compared using the following rules, in the order shown |
| # (see external/selinux/libselinux/src/android/android_platform.c, |
| # seapp_context_cmp()). |
| # (1) isSystemServer=true before isSystemServer=false. |
| # (2) Specified isEphemeralApp= before unspecified isEphemeralApp= |
| # boolean. |
| # (3) Specified isOwner= before unspecified isOwner= boolean. |
| # (4) Specified user= string before unspecified user= string; |
| # more specific user= string before less specific user= string. |
| # (5) Specified seinfo= string before unspecified seinfo= string. |
| # (6) Specified name= string before unspecified name= string; |
| # more specific name= string before less specific name= string. |
| # (7) Specified path= string before unspecified path= string. |
| # more specific name= string before less specific name= string. |
| # (8) Specified isPrivApp= before unspecified isPrivApp= boolean. |
| # (9) Higher value of minTargetSdkVersion= before lower value of |
| # minTargetSdkVersion= integer. Note that minTargetSdkVersion= |
| # defaults to 0 if unspecified. |
| # (10) fromRunAs=true before fromRunAs=false. |
| # (A fixed selector is more specific than a prefix, i.e. ending in *, and a |
| # longer prefix is more specific than a shorter prefix.) |
| # Apps are checked against entries in precedence order until the first match, |
| # regardless of their order in this file. |
| # |
| # Duplicate entries, i.e. with identical input selectors, are not allowed. |
| # |
| # Outputs: |
| # domain (string) |
| # type (string) |
| # levelFrom (string; one of none, all, app, or user) |
| # level (string) |
| # |
| # domain= determines the label to be used for the app process; entries |
| # without domain= are ignored for this purpose. |
| # type= specifies the label to be used for the app data directory; entries |
| # without type= are ignored for this purpose. The label specified must |
| # have the app_data_file_type attribute. |
| # levelFrom and level are used to determine the level (sensitivity + categories) |
| # for MLS/MCS. |
| # levelFrom=none omits the level. |
| # levelFrom=app determines the level from the process UID. |
| # levelFrom=user determines the level from the user ID. |
| # levelFrom=all determines the level from both UID and user ID. |
| # |
| # levelFrom=user is only supported for _app or _isolated UIDs. |
| # levelFrom=app or levelFrom=all is only supported for _app UIDs. |
| # level may be used to specify a fixed level for any UID. |
| # |
| # For backwards compatibility levelFromUid=true is equivalent to levelFrom=app |
| # and levelFromUid=false is equivalent to levelFrom=none. |
| # |
| # |
| # Neverallow Assertions |
| # Additional compile time assertion checks for the rules in this file can be |
| # added as well. The assertion |
| # rules are lines beginning with the keyword neverallow. Full support for PCRE |
| # regular expressions exists on all input and output selectors. Neverallow |
| # rules are never output to the built seapp_contexts file. Like all keywords, |
| # neverallows are case-insensitive. A neverallow is asserted when all key value |
| # inputs are matched on a key value rule line. |
| # |
| |
| # only the system server can be in system_server domain |
| neverallow isSystemServer=false domain=system_server |
| neverallow isSystemServer="" domain=system_server |
| |
| # system domains should never be assigned outside of system uid |
| neverallow user=((?!system).)* domain=system_app |
| neverallow user=((?!system).)* type=system_app_data_file |
| |
| # any non priv-app with a non-known uid with a specified name should have a specified |
| # seinfo |
| neverallow user=_app isPrivApp=false name=.* seinfo="" |
| neverallow user=_app isPrivApp=false name=.* seinfo=default |
| |
| # neverallow shared relro to any other domain |
| # and neverallow any other uid into shared_relro |
| neverallow user=shared_relro domain=((?!shared_relro).)* |
| neverallow user=((?!shared_relro).)* domain=shared_relro |
| |
| # neverallow non-isolated uids into isolated_app domain |
| # and vice versa |
| neverallow user=_isolated domain=((?!isolated_app).)* |
| neverallow user=((?!_isolated).)* domain=isolated_app |
| |
| # uid shell should always be in shell domain, however non-shell |
| # uid's can be in shell domain |
| neverallow user=shell domain=((?!shell).)* |
| |
| # only the package named com.android.shell can run in the shell domain |
| neverallow domain=shell name=((?!com\.android\.shell).)* |
| neverallow user=shell name=((?!com\.android\.shell).)* |
| |
| # Ephemeral Apps must run in the ephemeral_app domain |
| neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* |
| |
| isSystemServer=true domain=system_server_startup |
| |
| user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all |
| user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all |
| user=system seinfo=platform domain=system_app type=system_app_data_file |
| user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file |
| user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file |
| user=nfc seinfo=platform domain=nfc type=nfc_data_file |
| user=secure_element seinfo=platform domain=secure_element levelFrom=all |
| user=radio seinfo=platform domain=radio type=radio_data_file |
| user=shared_relro domain=shared_relro levelFrom=all |
| user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file |
| user=webview_zygote seinfo=webview_zygote domain=webview_zygote |
| user=_isolated domain=isolated_app levelFrom=user |
| user=_app seinfo=app_zygote domain=app_zygote levelFrom=user |
| user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user |
| user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user |
| user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all |
| user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user |
| user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all |
| user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all |
| user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all |
| user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all |
| user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all |
| user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user |
| user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user |
| user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user |
| user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user |
| user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all |
| user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all |
| user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all |
| user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user |
| user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user |
| user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all |
| user=_app fromRunAs=true domain=runas_app levelFrom=user |