| Nick Kralevich | 4be3190 | 2014-07-01 13:59:50 -0700 | [diff] [blame] | 1 | # Input selectors: |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 2 | # isSystemServer (boolean) |
| Chad Brubaker | 06cf31e | 2016-10-06 13:15:44 -0700 | [diff] [blame] | 3 | # isEphemeralApp (boolean) |
| Stephen Smalley | ff4db91 | 2014-09-15 15:16:06 -0400 | [diff] [blame] | 4 | # isOwner (boolean) |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 5 | # user (string) |
| 6 | # seinfo (string) |
| 7 | # name (string) |
| Stephen Smalley | 6139de5 | 2014-02-19 10:54:41 -0500 | [diff] [blame] | 8 | # path (string) |
| Jeff Vander Stoep | ee9c0b5 | 2015-10-05 09:15:04 -0700 | [diff] [blame] | 9 | # isPrivApp (boolean) |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 10 | # isSystemServer=true can only be used once. |
| Stephen Smalley | dd31ddf | 2012-07-27 17:08:21 -0400 | [diff] [blame] | 11 | # An unspecified isSystemServer defaults to false. |
| Chad Brubaker | 06cf31e | 2016-10-06 13:15:44 -0700 | [diff] [blame] | 12 | # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral |
| Stephen Smalley | ff4db91 | 2014-09-15 15:16:06 -0400 | [diff] [blame] | 13 | # isOwner=true will only match for the owner/primary user. |
| 14 | # isOwner=false will only match for secondary users. |
| 15 | # If unspecified, the entry can match either case. |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 16 | # An unspecified string selector will match any value. |
| 17 | # A user string selector that ends in * will perform a prefix match. |
| Stephen Smalley | 3ac1d26 | 2012-09-24 10:16:03 -0400 | [diff] [blame] | 18 | # user=_app will match any regular app UID. |
| 19 | # user=_isolated will match any isolated service UID. |
| Jeff Vander Stoep | ee9c0b5 | 2015-10-05 09:15:04 -0700 | [diff] [blame] | 20 | # isPrivApp=true will only match for applications preinstalled in |
| 21 | # /system/priv-app. |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 22 | # All specified input selectors in an entry must match (i.e. logical AND). |
| 23 | # Matching is case-insensitive. |
| Nick Kralevich | 4be3190 | 2014-07-01 13:59:50 -0700 | [diff] [blame] | 24 | # |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 25 | # Precedence rules: |
| 26 | # (1) isSystemServer=true before isSystemServer=false. |
| Chad Brubaker | 06cf31e | 2016-10-06 13:15:44 -0700 | [diff] [blame] | 27 | # (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean. |
| Jeff Vander Stoep | 400d3ac | 2015-10-30 12:43:19 -0700 | [diff] [blame] | 28 | # (3) Specified isOwner= before unspecified isOwner= boolean. |
| 29 | # (4) Specified user= string before unspecified user= string. |
| 30 | # (5) Fixed user= string before user= prefix (i.e. ending in *). |
| 31 | # (6) Longer user= prefix before shorter user= prefix. |
| 32 | # (7) Specified seinfo= string before unspecified seinfo= string. |
| Jeff Vander Stoep | ee9c0b5 | 2015-10-05 09:15:04 -0700 | [diff] [blame] | 33 | # ':' character is reserved and may not be used. |
| Jeff Vander Stoep | 400d3ac | 2015-10-30 12:43:19 -0700 | [diff] [blame] | 34 | # (8) Specified name= string before unspecified name= string. |
| 35 | # (9) Specified path= string before unspecified path= string. |
| 36 | # (10) Specified isPrivApp= before unspecified isPrivApp= boolean. |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 37 | # |
| 38 | # Outputs: |
| 39 | # domain (string) |
| 40 | # type (string) |
| Stephen Smalley | 3808414 | 2012-11-28 10:46:18 -0500 | [diff] [blame] | 41 | # levelFrom (string; one of none, all, app, or user) |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 42 | # level (string) |
| 43 | # Only entries that specify domain= will be used for app process labeling. |
| 44 | # Only entries that specify type= will be used for app directory labeling. |
| Stephen Smalley | 3808414 | 2012-11-28 10:46:18 -0500 | [diff] [blame] | 45 | # levelFrom=user is only supported for _app or _isolated UIDs. |
| 46 | # levelFrom=app or levelFrom=all is only supported for _app UIDs. |
| Nick Kralevich | 4be3190 | 2014-07-01 13:59:50 -0700 | [diff] [blame] | 47 | # level may be used to specify a fixed level for any UID. |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 48 | # |
| William Roberts | 81e1f90 | 2015-06-03 21:57:47 -0700 | [diff] [blame] | 49 | # |
| 50 | # Neverallow Assertions |
| 51 | # Additional compile time assertion checks can be added as well. The assertion |
| 52 | # rules are lines beginning with the keyword neverallow. Full support for PCRE |
| 53 | # regular expressions exists on all input and output selectors. Neverallow |
| 54 | # rules are never output to the built seapp_contexts file. Like all keywords, |
| 55 | # neverallows are case-insensitive. A neverallow is asserted when all key value |
| 56 | # inputs are matched on a key value rule line. |
| 57 | # |
| 58 | |
| 59 | # only the system server can be in system_server domain |
| 60 | neverallow isSystemServer=false domain=system_server |
| 61 | neverallow isSystemServer="" domain=system_server |
| 62 | |
| 63 | # system domains should never be assigned outside of system uid |
| 64 | neverallow user=((?!system).)* domain=system_app |
| 65 | neverallow user=((?!system).)* type=system_app_data_file |
| 66 | |
| 67 | # anything with a non-known uid with a specified name should have a specified seinfo |
| 68 | neverallow user=_app name=.* seinfo="" |
| 69 | neverallow user=_app name=.* seinfo=default |
| 70 | |
| 71 | # neverallow shared relro to any other domain |
| 72 | # and neverallow any other uid into shared_relro |
| 73 | neverallow user=shared_relro domain=((?!shared_relro).)* |
| 74 | neverallow user=((?!shared_relro).)* domain=shared_relro |
| 75 | |
| 76 | # neverallow non-isolated uids into isolated_app domain |
| 77 | # and vice versa |
| 78 | neverallow user=_isolated domain=((?!isolated_app).)* |
| 79 | neverallow user=((?!_isolated).)* domain=isolated_app |
| 80 | |
| 81 | # uid shell should always be in shell domain, however non-shell |
| 82 | # uid's can be in shell domain |
| 83 | neverallow user=shell domain=((?!shell).)* |
| 84 | |
| Chad Brubaker | 06cf31e | 2016-10-06 13:15:44 -0700 | [diff] [blame] | 85 | # Ephemeral Apps must run in the ephemeral_app domain |
| 86 | neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* |
| Jeff Vander Stoep | 400d3ac | 2015-10-30 12:43:19 -0700 | [diff] [blame] | 87 | |
| Alex Klyubin | 1fdee11 | 2013-09-13 15:59:04 -0700 | [diff] [blame] | 88 | isSystemServer=true domain=system_server |
| William Roberts | 92dfa31 | 2014-09-29 10:29:48 -0700 | [diff] [blame] | 89 | user=system seinfo=platform domain=system_app type=system_app_data_file |
| 90 | user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file |
| 91 | user=nfc seinfo=platform domain=nfc type=nfc_data_file |
| 92 | user=radio seinfo=platform domain=radio type=radio_data_file |
| Nick Kralevich | b5ffbb7 | 2015-01-07 13:52:43 -0800 | [diff] [blame] | 93 | user=shared_relro domain=shared_relro |
| William Roberts | 92dfa31 | 2014-09-29 10:29:48 -0700 | [diff] [blame] | 94 | user=shell seinfo=platform domain=shell type=shell_data_file |
| Stephen Smalley | a833763 | 2014-09-11 14:07:28 -0400 | [diff] [blame] | 95 | user=_isolated domain=isolated_app levelFrom=user |
| 96 | user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user |
| Chad Brubaker | 06cf31e | 2016-10-06 13:15:44 -0700 | [diff] [blame] | 97 | user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all |
| Jeff Vander Stoep | ee9c0b5 | 2015-10-05 09:15:04 -0700 | [diff] [blame] | 98 | user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user |
| Stephen Smalley | a833763 | 2014-09-11 14:07:28 -0400 | [diff] [blame] | 99 | user=_app domain=untrusted_app type=app_data_file levelFrom=user |