xref: /aosp_15_r20/system/sepolicy/private/seapp_contexts (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# The entries in this file define how security contexts for apps are determined.
2# Each entry lists input selectors, used to match the app, and outputs which are
3# used to determine the security contexts for matching apps.
4#
5# Input selectors:
6#       isSystemServer (boolean)
7#       isEphemeralApp (boolean)
8#       user (string)
9#       seinfo (string)
10#       name (string)
11#       isPrivApp (boolean)
12#       minTargetSdkVersion (unsigned integer)
13#       fromRunAs (boolean)
14#       isIsolatedComputeApp (boolean)
15#       isSdkSandboxNext (boolean)
16#       isSdkSandboxAudit (boolean)
17#
18# All specified input selectors in an entry must match (i.e. logical AND).
19# An unspecified string or boolean selector with no default will match any
20# value.
21# A user, or name string selector that ends in * will perform a prefix
22# match.
23# String matching is case-insensitive.
24# See external/selinux/libselinux/src/android/android_platform.c,
25# seapp_context_lookup().
26#
27# isSystemServer=true only matches the system server.
28# An unspecified isSystemServer defaults to false.
29# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
30# user=_app will match any regular app process.
31# user=_isolated will match any isolated service process.
32# user=_sdksandbox will match sdk sandbox process for an app.
33# Other values of user are matched against the name associated with the process
34# UID.
35# seinfo= matches aginst the seinfo tag for the app, determined from
36# mac_permissions.xml files.
37# The ':' character is reserved and may not be used in seinfo.
38# name= matches against the package name of the app.
39# isPrivApp=true will only match for applications preinstalled in
40#       /system/priv-app.
41# minTargetSdkVersion will match applications with a targetSdkVersion
42#       greater than or equal to the specified value. If unspecified,
43#       it has a default value of 0.
44# fromRunAs=true means the process being labeled is started by run-as. Default
45# is false.
46# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
47# restricted to run in an isolated_app domain. Processes match this selector will
48# be mapped to isolated_compute_app by default. It is expected to be used together
49# with user=_isolated. This selector should not be used unless it is intended
50# to provide isolated processes with relaxed security restrictions.
51# An unspecified isIsolatedComputeApp defaults to false.
52#
53# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
54# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
55# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
56# as the current dessert release, with additional auditing rules for the accesses
57# we are considering forbidding in the upcoming release.
58#
59# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
60# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
61# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
62# as the current dessert release, with additional auditing rules for the accesses
63# we are considering forbidding in the upcoming release.
64#
65# isSdkSandboxNext=true means sdk sandbox processes will get
66# sdk_sandbox_next sepolicy applied to them.
67# An unspecified isSdkSandboxNext defaults to false.
68#
69# isSdkSandboxAudit=true means sdk sandbox processes will get
70# sdk_sandbox_audit sepolicy applied to them.
71# An unspecified isSdkSandboxAudit defaults to false.
72#
73# isSdkSandboxAudit=true means sdk sandbox processes will get
74# sdk_sandbox_audit sepolicy applied to them.
75# An unspecified isSdkSandboxAudit defaults to false.
76#
77# Precedence: entries are compared using the following rules, in the order shown
78# (see external/selinux/libselinux/src/android/android_seapp.c,
79# seapp_context_cmp()).
80#       (1) isSystemServer=true before isSystemServer=false.
81#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
82#             boolean.
83#       (3) Specified user= string before unspecified user= string;
84#             more specific user= string before less specific user= string.
85#       (4) Specified seinfo= string before unspecified seinfo= string.
86#       (5) Specified name= string before unspecified name= string;
87#             more specific name= string before less specific name= string.
88#       (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
89#       (7) Higher value of minTargetSdkVersion= before lower value of
90#              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
91#              defaults to 0 if unspecified.
92#       (8) fromRunAs=true before fromRunAs=false.
93#       (9) Platform seapp_contexts files (system, system_ext, product) before
94#              vendor seapp_contexts files (vendor, odm).
95# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
96# longer prefix is more specific than a shorter prefix.)
97# Apps are checked against entries in precedence order until the first match,
98# regardless of their order in this file.
99#
100# Duplicate entries, i.e. with identical input selectors, are not allowed.
101#
102# Outputs:
103#       domain (string)
104#       type (string)
105#       levelFrom (string; one of none, all, app, or user)
106#       level (string)
107#
108# domain= determines the label to be used for the app process; entries
109# without domain= are ignored for this purpose.
110# type= specifies the label to be used for the app data directory; entries
111# without type= are ignored for this purpose. The label specified must
112# have the app_data_file_type attribute.
113# levelFrom and level are used to determine the level (sensitivity + categories)
114# for MLS/MCS.
115# levelFrom=none omits the level.
116# levelFrom=app determines the level from the process UID.
117# levelFrom=user determines the level from the user ID.
118# levelFrom=all determines the level from both UID and user ID.
119#
120# levelFrom=user is only supported for _app or _isolated UIDs.
121# levelFrom=app or levelFrom=all is only supported for _app UIDs.
122# level may be used to specify a fixed level for any UID.
123#
124#
125# Neverallow Assertions
126# Additional compile time assertion checks for the rules in this file can be
127# added as well. The assertion
128# rules are lines beginning with the keyword neverallow. Full support for PCRE
129# regular expressions exists on all input and output selectors. Neverallow
130# rules are never output to the built seapp_contexts file. Like all keywords,
131# neverallows are case-insensitive. A neverallow is asserted when all key value
132# inputs are matched on a key value rule line.
133#
134
135# only the system server can be assigned the system_server domains
136neverallow isSystemServer=false domain=system_server
137neverallow isSystemServer=false domain=system_server_startup
138neverallow isSystemServer="" domain=system_server
139neverallow isSystemServer="" domain=system_server_startup
140
141# system domains should never be assigned outside of system uid
142neverallow user=((?!system).)* domain=system_app
143neverallow user=((?!system).)* type=system_app_data_file
144
145# any non priv-app with a non-known uid with a specified name should have a specified
146# seinfo
147neverallow user=_app isPrivApp=false name=.* seinfo=""
148neverallow user=_app isPrivApp=false name=.* seinfo=default
149
150# neverallow shared relro to any other domain
151# and neverallow any other uid into shared_relro
152neverallow user=shared_relro domain=((?!shared_relro).)*
153neverallow user=((?!shared_relro).)* domain=shared_relro
154
155# neverallow non-isolated uids into isolated_app domain
156# and vice versa
157neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
158neverallow user=((?!_isolated).)* domain=isolated_app
159
160# neverallow isolatedComputeApp into domains other than isolated_compute_app
161neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
162
163# uid shell should always be in shell domain, however non-shell
164# uid's can be in shell domain
165neverallow user=shell domain=((?!shell).)*
166
167# only the package named com.android.shell can run in the shell domain
168neverallow domain=shell name=((?!com\.android\.shell).)*
169neverallow user=shell name=((?!com\.android\.shell).)*
170
171# Ephemeral Apps must run in the ephemeral_app domain
172neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
173
174isSystemServer=true domain=system_server_startup
175
176# sdksandbox must run in an sdksandbox domain
177neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
178
179user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
180user=system seinfo=platform domain=system_app type=system_app_data_file
181user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
182user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
183user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
184# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config.
185user=nfc seinfo=platform domain=nfc type=nfc_data_file
186user=nfc seinfo=nfc domain=nfc type=nfc_data_file
187user=secure_element seinfo=platform domain=secure_element levelFrom=all
188user=radio seinfo=platform domain=radio type=radio_data_file
189user=shared_relro domain=shared_relro levelFrom=all
190user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
191user=webview_zygote seinfo=webview_zygote domain=webview_zygote
192user=_isolated domain=isolated_app levelFrom=user
193user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
194user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
195user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
196user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
197user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
198user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
199user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
200user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
201user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
202user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
203user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
204user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
205user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
206user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
207user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
208user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
209user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
210user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
211user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
212user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
213user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
214user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
215user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
216user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
217user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
218user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
219user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
220user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
221user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
222user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
223user=_app fromRunAs=true domain=runas_app levelFrom=user
224user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
225user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
226user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
227