<?xml version="1.0" encoding="utf-8"?>
<policy>

<!--

* A signature is a hex encoded X.509 certificate or a tag defined in
keys.conf and is required for each signer tag. The signature can
either appear as a set of attached cert child tags or as an attribute.
* A signer tag must contain either a seinfo tag or package stanzas,
never both (exactly one of the two forms).
* Each signer/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
context on the eventual process as well as the app's data directory.
* seinfo assignments are made according to the following rules:
- Stanzas with package name refinements will be checked first.
- Stanzas w/o package name refinements will be checked second.
- The "default" seinfo label is automatically applied.

Note for reviewers: matching is driven entirely by the signing certificate.
A stanza without a package refinement therefore hands its seinfo to any app
signed with that certificate, so the stanza is only as trustworthy as the
handling of the corresponding key. Prefer a package-refined stanza when the
intent is to elevate one specific app rather than every app signed with a key.

* valid stanzas can take one of the following forms:

// single cert protecting seinfo
<signer signature="@PLATFORM" >
  <seinfo value="platform" />
</signer>

// multiple certs protecting seinfo (all contained certs must match)
<signer>
  <cert signature="@PLATFORM1"/>
  <cert signature="@PLATFORM2"/>
  <seinfo value="platform" />
</signer>

// single cert protecting explicitly named app
<signer signature="@PLATFORM" >
  <package name="com.android.foo">
    <seinfo value="bar" />
  </package>
</signer>

// multiple certs protecting explicitly named app (all certs must match)
<signer>
  <cert signature="@PLATFORM1"/>
  <cert signature="@PLATFORM2"/>
  <package name="com.android.foo">
    <seinfo value="bar" />
  </package>
</signer>
-->

<!-- Platform dev key in AOSP.
     No package refinement: any app signed with this key (and not matched
     by a package-refined stanza above, of which this file has none) gets
     the "platform" seinfo. -->
<signer signature="@PLATFORM" >
  <seinfo value="platform" />
</signer>

<!-- Media key in AOSP.
     Same key-only matching as @PLATFORM; every app signed with this key
     receives the "media" seinfo. -->
<signer signature="@MEDIA" >
  <seinfo value="media" />
</signer>

<!-- Network stack key (tag resolved through keys.conf like the ones above;
     confirm the intended owner there). Key-only matching: every app signed
     with this key receives the "network_stack" seinfo. -->
<signer signature="@NETWORK_STACK" >
  <seinfo value="network_stack" />
</signer>
</policy>