Add isOwner= input selector for seapp_contexts.
Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.
Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/seapp_contexts b/seapp_contexts
index 26d0c8f..2d00dda 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
# Input selectors:
# isSystemServer (boolean)
+# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
@@ -7,6 +8,9 @@
# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
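Review bot: The three added isOwner lines give the selector tri-state semantics (true, false, or unspecified matching either case), while the context line just above says "An unspecified isSystemServer defaults to false". Two boolean selectors with different unspecified behaviour are easy to misread when writing policy, so the comment should state the contrast outright, for example by noting that, unlike isSystemServer, an unspecified isOwner does not default to false. It would also help to say how "owner/primary user" is determined, since these lines are all the file says about the selector.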
@@ -16,13 +20,14 @@
#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified user= string before unspecified user= string.
-# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string.
-# (7) Specified path= string before unspecified path= string.
-# (8) Specified sebool= string before unspecified sebool= string.
+# (2) Specified isOwner= before unspecified isOwner= boolean.
+# (3) Specified user= string before unspecified user= string.
+# (4) Fixed user= string before user= prefix (i.e. ending in *).
+# (5) Longer user= prefix before shorter user= prefix.
+# (6) Specified seinfo= string before unspecified seinfo= string.
+# (7) Specified name= string before unspecified name= string.
+# (8) Specified path= string before unspecified path= string.
+# (9) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
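Review bot: New rule (2), "Specified isOwner= before unspecified isOwner= boolean", sits above all of the user=, seinfo=, name= and path= rules, so an entry that sets only isOwner= sorts ahead of an entry with a fixed user= string that leaves isOwner unspecified. A single broad isOwner=false entry could therefore take precedence over more specific per-user or per-seinfo entries for secondary users. If that ordering is intended, a sentence below the list saying so would prevent surprises; if not, the rule belongs lower in the list. Two smaller points: the trailing "boolean" is inconsistent with the wording of the other rules, and renumbering (2)-(8) to (3)-(9) changes what any existing reference to a rule number means, which is worth checking.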