1# The entries in this file define how security contexts for apps are determined.
2# Each entry lists input selectors, used to match the app, and outputs which are
3# used to determine the security contexts for matching apps.
4#
5# Input selectors:
6#       isSystemServer (boolean)
7#       isEphemeralApp (boolean)
8#       isOwner (boolean)
9#       user (string)
10#       seinfo (string)
11#       name (string)
12#       path (string)
13#       isPrivApp (boolean)
14#       minTargetSdkVersion (unsigned integer)
15#       fromRunAs (boolean)
16#
17# All specified input selectors in an entry must match (i.e. logical AND).
18# An unspecified string or boolean selector with no default will match any
19# value.
20# A user, name, or path string selector that ends in * will perform a prefix
21# match.
22# String matching is case-insensitive.
23# See external/selinux/libselinux/src/android/android_platform.c,
24# seapp_context_lookup().
25#
26# isSystemServer=true only matches the system server.
27# An unspecified isSystemServer defaults to false.
28# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
29# isOwner=true will only match for the owner/primary user.
30# user=_app will match any regular app process.
31# user=_isolated will match any isolated service process.
32# Other values of user are matched against the name associated with the process
33# UID.
34# seinfo= matches aginst the seinfo tag for the app, determined from
35# mac_permissions.xml files.
36# The ':' character is reserved and may not be used in seinfo.
37# name= matches against the package name of the app.
38# path= matches against the directory path when labeling app directories.
39# isPrivApp=true will only match for applications preinstalled in
40#       /system/priv-app.
41# minTargetSdkVersion will match applications with a targetSdkVersion
42#       greater than or equal to the specified value. If unspecified,
43#       it has a default value of 0.
44# fromRunAs=true means the process being labeled is started by run-as. Default
45# is false.
46#
47# Precedence: entries are compared using the following rules, in the order shown
48# (see external/selinux/libselinux/src/android/android_platform.c,
49# seapp_context_cmp()).
50#       (1) isSystemServer=true before isSystemServer=false.
51#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
52#             boolean.
53#       (3) Specified isOwner= before unspecified isOwner= boolean.
54#       (4) Specified user= string before unspecified user= string;
55#             more specific user= string before less specific user= string.
56#       (5) Specified seinfo= string before unspecified seinfo= string.
57#       (6) Specified name= string before unspecified name= string;
58#             more specific name= string before less specific name= string.
59#       (7) Specified path= string before unspecified path= string.
60#             more specific name= string before less specific name= string.
61#       (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
62#       (9) Higher value of minTargetSdkVersion= before lower value of
63#              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
64#              defaults to 0 if unspecified.
65#       (10) fromRunAs=true before fromRunAs=false.
66# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
67# longer prefix is more specific than a shorter prefix.)
68# Apps are checked against entries in precedence order until the first match,
69# regardless of their order in this file.
70#
71# Duplicate entries, i.e. with identical input selectors, are not allowed.
72#
73# Outputs:
74#       domain (string)
75#       type (string)
76#       levelFrom (string; one of none, all, app, or user)
77#       level (string)
78#
79# domain= determines the label to be used for the app process; entries
80# without domain= are ignored for this purpose.
81# type= specifies the label to be used for the app data directory; entries
82# without type= are ignored for this purpose. The label specified must
83# have the app_data_file_type attribute.
84# levelFrom and level are used to determine the level (sensitivity + categories)
85# for MLS/MCS.
86# levelFrom=none omits the level.
87# levelFrom=app determines the level from the process UID.
88# levelFrom=user determines the level from the user ID.
89# levelFrom=all determines the level from both UID and user ID.
90#
91# levelFrom=user is only supported for _app or _isolated UIDs.
92# levelFrom=app or levelFrom=all is only supported for _app UIDs.
93# level may be used to specify a fixed level for any UID.
94#
95# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
96# and levelFromUid=false is equivalent to levelFrom=none.
97#
98#
99# Neverallow Assertions
100# Additional compile time assertion checks for the rules in this file can be
101# added as well. The assertion
102# rules are lines beginning with the keyword neverallow. Full support for PCRE
103# regular expressions exists on all input and output selectors. Neverallow
104# rules are never output to the built seapp_contexts file. Like all keywords,
105# neverallows are case-insensitive. A neverallow is asserted when all key value
106# inputs are matched on a key value rule line.
107#
108
109# only the system server can be in system_server domain
110neverallow isSystemServer=false domain=system_server
111neverallow isSystemServer="" domain=system_server
112
113# system domains should never be assigned outside of system uid
114neverallow user=((?!system).)* domain=system_app
115neverallow user=((?!system).)* type=system_app_data_file
116
117# any non priv-app with a non-known uid with a specified name should have a specified
118# seinfo
119neverallow user=_app isPrivApp=false name=.* seinfo=""
120neverallow user=_app isPrivApp=false name=.* seinfo=default
121
122# neverallow shared relro to any other domain
123# and neverallow any other uid into shared_relro
124neverallow user=shared_relro domain=((?!shared_relro).)*
125neverallow user=((?!shared_relro).)* domain=shared_relro
126
127# neverallow non-isolated uids into isolated_app domain
128# and vice versa
129neverallow user=_isolated domain=((?!isolated_app).)*
130neverallow user=((?!_isolated).)* domain=isolated_app
131
132# uid shell should always be in shell domain, however non-shell
133# uid's can be in shell domain
134neverallow user=shell domain=((?!shell).)*
135
136# only the package named com.android.shell can run in the shell domain
137neverallow domain=shell name=((?!com\.android\.shell).)*
138neverallow user=shell name=((?!com\.android\.shell).)*
139
140# Ephemeral Apps must run in the ephemeral_app domain
141neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
142
143isSystemServer=true domain=system_server_startup
144
145user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
146user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
147user=system seinfo=platform domain=system_app type=system_app_data_file
148user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
149user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
150user=nfc seinfo=platform domain=nfc type=nfc_data_file
151user=secure_element seinfo=platform domain=secure_element levelFrom=all
152user=radio seinfo=platform domain=radio type=radio_data_file
153user=shared_relro domain=shared_relro levelFrom=all
154user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
155user=webview_zygote seinfo=webview_zygote domain=webview_zygote
156user=_isolated domain=isolated_app levelFrom=user
157user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
158user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
159user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
160user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
161user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
162user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
163user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
164user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
165user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
166user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
167user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
168user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
169user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
170user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
171user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
172user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
173user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
174user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
175user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
176user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
177user=_app fromRunAs=true domain=runas_app levelFrom=user
178