1 # Input selectors: 2 # isSystemServer (boolean) 3 # isEphemeralApp (boolean) 4 # isV2App (boolean) 5 # isOwner (boolean) 6 # user (string) 7 # seinfo (string) 8 # name (string) 9 # path (string) 10 # isPrivApp (boolean) 11 # minTargetSdkVersion (unsigned integer) 12 # isSystemServer=true can only be used once. 13 # An unspecified isSystemServer defaults to false. 14 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral 15 # isV2App=true will match apps in the v2 app sandbox. 16 # isOwner=true will only match for the owner/primary user. 17 # isOwner=false will only match for secondary users. 18 # If unspecified, the entry can match either case. 19 # An unspecified string selector will match any value. 20 # A user string selector that ends in * will perform a prefix match. 21 # user=_app will match any regular app UID. 22 # user=_isolated will match any isolated service UID. 23 # isPrivApp=true will only match for applications preinstalled in 24 # /system/priv-app. 25 # minTargetSdkVersion will match applications with a targetSdkVersion 26 # greater than or equal to the specified value. If unspecified, 27 # it has a default value of 0. 28 # All specified input selectors in an entry must match (i.e. logical AND). 29 # Matching is case-insensitive. 30 # 31 # Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()): 32 # (1) isSystemServer=true before isSystemServer=false. 33 # (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean. 34 # (3) Specified isV2App= before unspecified isV2App= boolean. 35 # (4) Specified isOwner= before unspecified isOwner= boolean. 36 # (5) Specified user= string before unspecified user= string. 37 # (6) Fixed user= string before user= prefix (i.e. ending in *). 38 # (7) Longer user= prefix before shorter user= prefix. 39 # (8) Specified seinfo= string before unspecified seinfo= string. 40 # ':' character is reserved and may not be used. 41 # (9) Specified name= string before unspecified name= string. 42 # (10) Specified path= string before unspecified path= string. 43 # (11) Specified isPrivApp= before unspecified isPrivApp= boolean. 44 # (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion= 45 # integer. Note that minTargetSdkVersion= defaults to 0 if unspecified. 46 # 47 # Outputs: 48 # domain (string) 49 # type (string) 50 # levelFrom (string; one of none, all, app, or user) 51 # level (string) 52 # Only entries that specify domain= will be used for app process labeling. 53 # Only entries that specify type= will be used for app directory labeling. 54 # levelFrom=user is only supported for _app or _isolated UIDs. 55 # levelFrom=app or levelFrom=all is only supported for _app UIDs. 56 # level may be used to specify a fixed level for any UID. 57 # 58 # 59 # Neverallow Assertions 60 # Additional compile time assertion checks can be added as well. The assertion 61 # rules are lines beginning with the keyword neverallow. Full support for PCRE 62 # regular expressions exists on all input and output selectors. Neverallow 63 # rules are never output to the built seapp_contexts file. Like all keywords, 64 # neverallows are case-insensitive. A neverallow is asserted when all key value 65 # inputs are matched on a key value rule line. 66 # 67 68 # only the system server can be in system_server domain 69 neverallow isSystemServer=false domain=system_server 70 neverallow isSystemServer="" domain=system_server 71 72 # system domains should never be assigned outside of system uid 73 neverallow user=((?!system).)* domain=system_app 74 neverallow user=((?!system).)* type=system_app_data_file 75 76 # anything with a non-known uid with a specified name should have a specified seinfo 77 neverallow user=_app name=.* seinfo="" 78 neverallow user=_app name=.* seinfo=default 79 80 # neverallow shared relro to any other domain 81 # and neverallow any other uid into shared_relro 82 neverallow user=shared_relro domain=((?!shared_relro).)* 83 neverallow user=((?!shared_relro).)* domain=shared_relro 84 85 # neverallow non-isolated uids into isolated_app domain 86 # and vice versa 87 neverallow user=_isolated domain=((?!isolated_app).)* 88 neverallow user=((?!_isolated).)* domain=isolated_app 89 90 # uid shell should always be in shell domain, however non-shell 91 # uid's can be in shell domain 92 neverallow user=shell domain=((?!shell).)* 93 94 # Ephemeral Apps must run in the ephemeral_app domain 95 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* 96 97 isSystemServer=true domain=system_server 98 user=system seinfo=platform domain=system_app type=system_app_data_file 99 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file 100 user=nfc seinfo=platform domain=nfc type=nfc_data_file 101 user=radio seinfo=platform domain=radio type=radio_data_file 102 user=shared_relro domain=shared_relro 103 user=shell seinfo=platform domain=shell type=shell_data_file 104 user=_isolated domain=isolated_app levelFrom=user 105 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user 106 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user 107 user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user 108 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user 109 user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user 110 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user 111
