Drop the default stanza from mac_permissions.xml
All non-matching apps will simply receive the seinfo
label of "default" implicitly. No need to further
clarify things anymore with an explicit default stanza.
Change-Id: Ib7b01ee004775f24db9a69340a31784b967ce030
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/mac_permissions.xml b/mac_permissions.xml
index baaaf32..87efe0e 100644
--- a/mac_permissions.xml
+++ b/mac_permissions.xml
@@ -4,21 +4,46 @@
<!--
* A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag.
- * A signer tag may contain a seinfo tag and multiple package stanzas.
- * A default tag is allowed that can contain policy for all apps not signed with a
- previously listed cert. It may not contain any inner package stanzas.
- * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
- context on the eventual process.
- * When a package is installed the following logic is used to determine what seinfo
- value, if any, is assigned.
- - All signatures used to sign the app are checked first.
- - If a signer stanza has inner package stanzas, those stanza will be checked
- to try and match the package name of the app. If the package name matches
- then that seinfo tag is used. If no inner package matches then the outer
- seinfo tag is assigned.
- - The default tag is consulted last if needed.
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
-->
<!-- Platform dev key in AOSP -->
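Review bot: The new rule "A signer tag must contain a seinfo tag XOR multiple package stanzas" does not say what happens when a signer stanza contains both, which the old text explicitly allowed (outer seinfo as the fallback when no inner package matched); the comment should state whether such a stanza is now rejected at parse time or whether one of the two is silently ignored, since a vendor policy written against the old format would otherwise change meaning without warning. Two smaller points in the same hunk: "XOR multiple package stanzas" reads as if one package stanza is not allowed, while the examples below show exactly one, so "one or more package stanzas" is clearer; and the last rule, "The "default" seinfo label is automatically applied.", should say when, e.g. "is applied to any app that matches no stanza", so the three rules read as an ordered fallback. Also "the apps data directory" should be "the app's data directory".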
@@ -26,9 +51,4 @@
<seinfo value="platform" />
</signer>
- <!-- All other keys -->
- <default>
- <seinfo value="default" />
- </default>
-
</policy>
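Review bot: Dropping the `<default>` stanza is only safe if the code that parses mac_permissions.xml already assigns "default" to unmatched apps on its own, as the commit message asserts; this diff changes only the policy file, so the companion parser change (or a reference to it) should be named here so the two cannot be merged out of order. For the same reason it is worth stating, in the updated header comment or the parser, whether an explicit `<default>` stanza left in a downstream policy is still accepted, ignored, or treated as an error, since policies built on the old format will still contain one.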