1# The entries in this file define how security contexts for apps are determined. 2# Each entry lists input selectors, used to match the app, and outputs which are 3# used to determine the security contexts for matching apps. 4# 5# Input selectors: 6# isSystemServer (boolean) 7# isEphemeralApp (boolean) 8# user (string) 9# seinfo (string) 10# name (string) 11# isPrivApp (boolean) 12# minTargetSdkVersion (unsigned integer) 13# fromRunAs (boolean) 14# 15# All specified input selectors in an entry must match (i.e. logical AND). 16# An unspecified string or boolean selector with no default will match any 17# value. 18# A user, or name string selector that ends in * will perform a prefix 19# match. 20# String matching is case-insensitive. 21# See external/selinux/libselinux/src/android/android_platform.c, 22# seapp_context_lookup(). 23# 24# isSystemServer=true only matches the system server. 25# An unspecified isSystemServer defaults to false. 26# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral 27# user=_app will match any regular app process. 28# user=_isolated will match any isolated service process. 29# user=_sdksandbox will match sdk sandbox process for an app. 30# Other values of user are matched against the name associated with the process 31# UID. 32# seinfo= matches aginst the seinfo tag for the app, determined from 33# mac_permissions.xml files. 34# The ':' character is reserved and may not be used in seinfo. 35# name= matches against the package name of the app. 36# isPrivApp=true will only match for applications preinstalled in 37# /system/priv-app. 38# minTargetSdkVersion will match applications with a targetSdkVersion 39# greater than or equal to the specified value. If unspecified, 40# it has a default value of 0. 41# fromRunAs=true means the process being labeled is started by run-as. Default 42# is false. 43# 44# Precedence: entries are compared using the following rules, in the order shown 45# (see external/selinux/libselinux/src/android/android_platform.c, 46# seapp_context_cmp()). 47# (1) isSystemServer=true before isSystemServer=false. 48# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= 49# boolean. 50# (3) Specified user= string before unspecified user= string; 51# more specific user= string before less specific user= string. 52# (4) Specified seinfo= string before unspecified seinfo= string. 53# (5) Specified name= string before unspecified name= string; 54# more specific name= string before less specific name= string. 55# (6) Specified isPrivApp= before unspecified isPrivApp= boolean. 56# (7) Higher value of minTargetSdkVersion= before lower value of 57# minTargetSdkVersion= integer. Note that minTargetSdkVersion= 58# defaults to 0 if unspecified. 59# (8) fromRunAs=true before fromRunAs=false. 60# (A fixed selector is more specific than a prefix, i.e. ending in *, and a 61# longer prefix is more specific than a shorter prefix.) 62# Apps are checked against entries in precedence order until the first match, 63# regardless of their order in this file. 64# 65# Duplicate entries, i.e. with identical input selectors, are not allowed. 66# 67# Outputs: 68# domain (string) 69# type (string) 70# levelFrom (string; one of none, all, app, or user) 71# level (string) 72# 73# domain= determines the label to be used for the app process; entries 74# without domain= are ignored for this purpose. 75# type= specifies the label to be used for the app data directory; entries 76# without type= are ignored for this purpose. The label specified must 77# have the app_data_file_type attribute. 78# levelFrom and level are used to determine the level (sensitivity + categories) 79# for MLS/MCS. 80# levelFrom=none omits the level. 81# levelFrom=app determines the level from the process UID. 82# levelFrom=user determines the level from the user ID. 83# levelFrom=all determines the level from both UID and user ID. 84# 85# levelFrom=user is only supported for _app or _isolated UIDs. 86# levelFrom=app or levelFrom=all is only supported for _app UIDs. 87# level may be used to specify a fixed level for any UID. 88# 89# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app 90# and levelFromUid=false is equivalent to levelFrom=none. 91# 92# 93# Neverallow Assertions 94# Additional compile time assertion checks for the rules in this file can be 95# added as well. The assertion 96# rules are lines beginning with the keyword neverallow. Full support for PCRE 97# regular expressions exists on all input and output selectors. Neverallow 98# rules are never output to the built seapp_contexts file. Like all keywords, 99# neverallows are case-insensitive. A neverallow is asserted when all key value 100# inputs are matched on a key value rule line. 101# 102 103# only the system server can be assigned the system_server domains 104neverallow isSystemServer=false domain=system_server 105neverallow isSystemServer=false domain=system_server_startup 106neverallow isSystemServer="" domain=system_server 107neverallow isSystemServer="" domain=system_server_startup 108 109# system domains should never be assigned outside of system uid 110neverallow user=((?!system).)* domain=system_app 111neverallow user=((?!system).)* type=system_app_data_file 112 113# any non priv-app with a non-known uid with a specified name should have a specified 114# seinfo 115neverallow user=_app isPrivApp=false name=.* seinfo="" 116neverallow user=_app isPrivApp=false name=.* seinfo=default 117 118# neverallow shared relro to any other domain 119# and neverallow any other uid into shared_relro 120neverallow user=shared_relro domain=((?!shared_relro).)* 121neverallow user=((?!shared_relro).)* domain=shared_relro 122 123# neverallow non-isolated uids into isolated_app domain 124# and vice versa 125neverallow user=_isolated domain=((?!isolated_app).)* 126neverallow user=((?!_isolated).)* domain=isolated_app 127 128# uid shell should always be in shell domain, however non-shell 129# uid's can be in shell domain 130neverallow user=shell domain=((?!shell).)* 131 132# only the package named com.android.shell can run in the shell domain 133neverallow domain=shell name=((?!com\.android\.shell).)* 134neverallow user=shell name=((?!com\.android\.shell).)* 135 136# Ephemeral Apps must run in the ephemeral_app domain 137neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* 138 139isSystemServer=true domain=system_server_startup 140 141# sdksandbox must run in the sdksandbox domain 142neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)* 143 144user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all 145user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all 146user=system seinfo=platform domain=system_app type=system_app_data_file 147user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file 148user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file 149user=nfc seinfo=platform domain=nfc type=nfc_data_file 150user=secure_element seinfo=platform domain=secure_element levelFrom=all 151user=radio seinfo=platform domain=radio type=radio_data_file 152user=shared_relro domain=shared_relro levelFrom=all 153user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file 154user=webview_zygote seinfo=webview_zygote domain=webview_zygote 155user=_isolated domain=isolated_app levelFrom=user 156user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all 157user=_app seinfo=app_zygote domain=app_zygote levelFrom=user 158user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user 159user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user 160user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all 161user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user 162user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all 163user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all 164user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all 165user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all 166user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all 167user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user 168user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user 169user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user 170user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user 171user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all 172user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all 173user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all 174user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all 175user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user 176user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user 177user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all 178user=_app fromRunAs=true domain=runas_app levelFrom=user 179 180