1# The entries in this file define how security contexts for apps are determined. 2# Each entry lists input selectors, used to match the app, and outputs which are 3# used to determine the security contexts for matching apps. 4# 5# Input selectors: 6# isSystemServer (boolean) 7# isEphemeralApp (boolean) 8# user (string) 9# seinfo (string) 10# name (string) 11# isPrivApp (boolean) 12# minTargetSdkVersion (unsigned integer) 13# fromRunAs (boolean) 14# isIsolatedComputeApp (boolean) 15# isSdkSandboxNext (boolean) 16# isSdkSandboxAudit (boolean) 17# 18# All specified input selectors in an entry must match (i.e. logical AND). 19# An unspecified string or boolean selector with no default will match any 20# value. 21# A user, or name string selector that ends in * will perform a prefix 22# match. 23# String matching is case-insensitive. 24# See external/selinux/libselinux/src/android/android_platform.c, 25# seapp_context_lookup(). 26# 27# isSystemServer=true only matches the system server. 28# An unspecified isSystemServer defaults to false. 29# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral 30# user=_app will match any regular app process. 31# user=_isolated will match any isolated service process. 32# user=_sdksandbox will match sdk sandbox process for an app. 33# Other values of user are matched against the name associated with the process 34# UID. 35# seinfo= matches aginst the seinfo tag for the app, determined from 36# mac_permissions.xml files. 37# The ':' character is reserved and may not be used in seinfo. 38# name= matches against the package name of the app. 39# isPrivApp=true will only match for applications preinstalled in 40# /system/priv-app. 41# minTargetSdkVersion will match applications with a targetSdkVersion 42# greater than or equal to the specified value. If unspecified, 43# it has a default value of 0. 44# fromRunAs=true means the process being labeled is started by run-as. Default 45# is false. 46# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not 47# restricted to run in an isolated_app domain. Processes match this selector will 48# be mapped to isolated_compute_app by default. It is expected to be used together 49# with user=_isolated. This selector should not be used unless it is intended 50# to provide isolated processes with relaxed security restrictions. 51# 52# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the 53# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed 54# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions 55# as the current dessert release, with additional auditing rules for the accesses 56# we are considering forbidding in the upcoming release. 57# 58# isSdkSandboxNext=true means sdk sandbox processes will get 59# sdk_sandbox_next sepolicy applied to them. 60# 61# isSdkSandboxAudit=true means sdk sandbox processes will get 62# sdk_sandbox_audit sepolicy applied to them. 63# An unspecified isSdkSandboxAudit defaults to false. 64# 65# Precedence: entries are compared using the following rules, in the order shown 66# (see external/selinux/libselinux/src/android/android_platform.c, 67# seapp_context_cmp()). 68# (1) isSystemServer=true before isSystemServer=false. 69# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= 70# boolean. 71# (3) Specified user= string before unspecified user= string; 72# more specific user= string before less specific user= string. 73# (4) Specified seinfo= string before unspecified seinfo= string. 74# (5) Specified name= string before unspecified name= string; 75# more specific name= string before less specific name= string. 76# (6) Specified isPrivApp= before unspecified isPrivApp= boolean. 77# (7) Higher value of minTargetSdkVersion= before lower value of 78# minTargetSdkVersion= integer. Note that minTargetSdkVersion= 79# defaults to 0 if unspecified. 80# (8) fromRunAs=true before fromRunAs=false. 81# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false 82# (10) isSdkSandboxNext=true before isSdkSandboxNext=false 83# (A fixed selector is more specific than a prefix, i.e. ending in *, and a 84# longer prefix is more specific than a shorter prefix.) 85# Apps are checked against entries in precedence order until the first match, 86# regardless of their order in this file. 87# 88# Duplicate entries, i.e. with identical input selectors, are not allowed. 89# 90# Outputs: 91# domain (string) 92# type (string) 93# levelFrom (string; one of none, all, app, or user) 94# level (string) 95# 96# domain= determines the label to be used for the app process; entries 97# without domain= are ignored for this purpose. 98# type= specifies the label to be used for the app data directory; entries 99# without type= are ignored for this purpose. The label specified must 100# have the app_data_file_type attribute. 101# levelFrom and level are used to determine the level (sensitivity + categories) 102# for MLS/MCS. 103# levelFrom=none omits the level. 104# levelFrom=app determines the level from the process UID. 105# levelFrom=user determines the level from the user ID. 106# levelFrom=all determines the level from both UID and user ID. 107# 108# levelFrom=user is only supported for _app or _isolated UIDs. 109# levelFrom=app or levelFrom=all is only supported for _app UIDs. 110# level may be used to specify a fixed level for any UID. 111# 112# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app 113# and levelFromUid=false is equivalent to levelFrom=none. 114# 115# 116# Neverallow Assertions 117# Additional compile time assertion checks for the rules in this file can be 118# added as well. The assertion 119# rules are lines beginning with the keyword neverallow. Full support for PCRE 120# regular expressions exists on all input and output selectors. Neverallow 121# rules are never output to the built seapp_contexts file. Like all keywords, 122# neverallows are case-insensitive. A neverallow is asserted when all key value 123# inputs are matched on a key value rule line. 124# 125 126# only the system server can be assigned the system_server domains 127neverallow isSystemServer=false domain=system_server 128neverallow isSystemServer=false domain=system_server_startup 129neverallow isSystemServer="" domain=system_server 130neverallow isSystemServer="" domain=system_server_startup 131 132# system domains should never be assigned outside of system uid 133neverallow user=((?!system).)* domain=system_app 134neverallow user=((?!system).)* type=system_app_data_file 135 136# any non priv-app with a non-known uid with a specified name should have a specified 137# seinfo 138neverallow user=_app isPrivApp=false name=.* seinfo="" 139neverallow user=_app isPrivApp=false name=.* seinfo=default 140 141# neverallow shared relro to any other domain 142# and neverallow any other uid into shared_relro 143neverallow user=shared_relro domain=((?!shared_relro).)* 144neverallow user=((?!shared_relro).)* domain=shared_relro 145 146# neverallow non-isolated uids into isolated_app domain 147# and vice versa 148neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)* 149neverallow user=((?!_isolated).)* domain=isolated_app 150 151# neverallow isolatedComputeApp into domains other than isolated_compute_app 152neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)* 153 154# uid shell should always be in shell domain, however non-shell 155# uid's can be in shell domain 156neverallow user=shell domain=((?!shell).)* 157 158# only the package named com.android.shell can run in the shell domain 159neverallow domain=shell name=((?!com\.android\.shell).)* 160neverallow user=shell name=((?!com\.android\.shell).)* 161 162# Ephemeral Apps must run in the ephemeral_app domain 163neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* 164 165isSystemServer=true domain=system_server_startup 166 167# sdksandbox must run in an sdksandbox domain 168neverallow user=_sdksandbox domain=((?!sdk_sandbox).)* 169 170user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all 171user=system seinfo=platform domain=system_app type=system_app_data_file 172user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all 173user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file 174user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file 175user=nfc seinfo=platform domain=nfc type=nfc_data_file 176user=secure_element seinfo=platform domain=secure_element levelFrom=all 177user=radio seinfo=platform domain=radio type=radio_data_file 178user=shared_relro domain=shared_relro levelFrom=all 179user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file 180user=webview_zygote seinfo=webview_zygote domain=webview_zygote 181user=_isolated domain=isolated_app levelFrom=user 182user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user 183user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all 184user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all 185user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all 186user=_app seinfo=app_zygote domain=app_zygote levelFrom=user 187user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user 188user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user 189user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all 190user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user 191user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all 192user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all 193user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all 194user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all 195user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all 196user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all 197user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all 198user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user 199user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user 200user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user 201user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user 202user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user 203user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user 204user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all 205user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all 206user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all 207user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all 208user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all 209user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user 210user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user 211user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all 212user=_app fromRunAs=true domain=runas_app levelFrom=user 213