1# Input selectors:
2#       isSystemServer (boolean)
3#       isEphemeralApp (boolean)
4#       isV2App (boolean)
5#       isOwner (boolean)
6#       user (string)
7#       seinfo (string)
8#       name (string)
9#       path (string)
10#       isPrivApp (boolean)
11#       minTargetSdkVersion (unsigned integer)
12# isSystemServer=true can only be used once.
13# An unspecified isSystemServer defaults to false.
14# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
15# isV2App=true will match apps in the v2 app sandbox.
16# isOwner=true will only match for the owner/primary user.
17# isOwner=false will only match for secondary users.
18# If unspecified, the entry can match either case.
19# An unspecified string selector will match any value.
20# A user string selector that ends in * will perform a prefix match.
21# user=_app will match any regular app UID.
22# user=_isolated will match any isolated service UID.
23# isPrivApp=true will only match for applications preinstalled in
24#       /system/priv-app.
25# minTargetSdkVersion will match applications with a targetSdkVersion
26#       greater than or equal to the specified value. If unspecified,
27#       it has a default value of 0.
28# All specified input selectors in an entry must match (i.e. logical AND).
29# Matching is case-insensitive.
30#
31# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
32#       (1) isSystemServer=true before isSystemServer=false.
33#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
34#       (3) Specified isV2App= before unspecified isV2App= boolean.
35#       (4) Specified isOwner= before unspecified isOwner= boolean.
36#       (5) Specified user= string before unspecified user= string.
37#       (6) Fixed user= string before user= prefix (i.e. ending in *).
38#       (7) Longer user= prefix before shorter user= prefix.
39#       (8) Specified seinfo= string before unspecified seinfo= string.
40#           ':' character is reserved and may not be used.
41#       (9) Specified name= string before unspecified name= string.
42#       (10) Specified path= string before unspecified path= string.
43#       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
44#       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
45#              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
46#
47# Outputs:
48#       domain (string)
49#       type (string)
50#       levelFrom (string; one of none, all, app, or user)
51#       level (string)
52# Only entries that specify domain= will be used for app process labeling.
53# Only entries that specify type= will be used for app directory labeling.
54# levelFrom=user is only supported for _app or _isolated UIDs.
55# levelFrom=app or levelFrom=all is only supported for _app UIDs.
56# level may be used to specify a fixed level for any UID.
57#
58#
59# Neverallow Assertions
60# Additional compile time assertion checks can be added as well. The assertion
61# rules are lines beginning with the keyword neverallow. Full support for PCRE
62# regular expressions exists on all input and output selectors. Neverallow
63# rules are never output to the built seapp_contexts file. Like all keywords,
64# neverallows are case-insensitive. A neverallow is asserted when all key value
65# inputs are matched on a key value rule line.
66#
67
68# only the system server can be in system_server domain
69neverallow isSystemServer=false domain=system_server
70neverallow isSystemServer="" domain=system_server
71
72# system domains should never be assigned outside of system uid
73neverallow user=((?!system).)* domain=system_app
74neverallow user=((?!system).)* type=system_app_data_file
75
76# anything with a non-known uid with a specified name should have a specified seinfo
77neverallow user=_app name=.* seinfo=""
78neverallow user=_app name=.* seinfo=default
79
80# neverallow shared relro to any other domain
81# and neverallow any other uid into shared_relro
82neverallow user=shared_relro domain=((?!shared_relro).)*
83neverallow user=((?!shared_relro).)* domain=shared_relro
84
85# neverallow non-isolated uids into isolated_app domain
86# and vice versa
87neverallow user=_isolated domain=((?!isolated_app).)*
88neverallow user=((?!_isolated).)* domain=isolated_app
89
90# uid shell should always be in shell domain, however non-shell
91# uid's can be in shell domain
92neverallow user=shell domain=((?!shell).)*
93
94# Ephemeral Apps must run in the ephemeral_app domain
95neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
96
97isSystemServer=true domain=system_server
98user=system seinfo=platform domain=system_app type=system_app_data_file
99user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
100user=nfc seinfo=platform domain=nfc type=nfc_data_file
101user=radio seinfo=platform domain=radio type=radio_data_file
102user=shared_relro domain=shared_relro
103user=shell seinfo=platform domain=shell type=shell_data_file
104user=_isolated domain=isolated_app levelFrom=user
105user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
106user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
107user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
108user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
109user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
110user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
111