commit 4e7769e0408518f8119b18e08a1369316d98e1c7
author Jeff Vander Stoep <jeffv@google.com> Wed May 06 13:17:28 2020 +0200
committer Jeff Vander Stoep <jeffv@google.com> Wed May 06 13:17:28 2020 +0200
tree 5aee103e4a6d59f0ad76bb9d6c926a9856ae0ccb
parent df7775d17386f74274accbcd6d5235505e2275e0

priv_app: use per-app selinux contexts

Enforce for priv-apps with targetSdkVersion>=31.

This is the same restriction enforced on third party apps with
targetSdkVersion>=28 in Android 9.0. See:
https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux

This change allows selinux to better enforce the application sandbox
providing better defense-in-depth for priv-apps.
In particular it prevents apps running in the priv_app domain
from sharing their private data directory by granting
world-accessible unix permissions.

Bug: 142672293
Test: Build, boot, check for denials.
Change-Id: If2953eb990fdc24aaccf29be3394a9ee1f02185c

private/seapp_contexts

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 12e46dc..e944063 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -156,6 +156,7 @@
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all