diff options
Diffstat (limited to 'seapp_contexts')
-rw-r--r-- | seapp_contexts | 92 |
1 files changed, 0 insertions, 92 deletions
diff --git a/seapp_contexts b/seapp_contexts deleted file mode 100644 index d8d2240..0000000 --- a/seapp_contexts +++ /dev/null @@ -1,92 +0,0 @@ -# Input selectors: -# isSystemServer (boolean) -# isOwner (boolean) -# user (string) -# seinfo (string) -# name (string) -# path (string) -# isPrivApp (boolean) -# isSystemServer=true can only be used once. -# An unspecified isSystemServer defaults to false. -# isOwner=true will only match for the owner/primary user. -# isOwner=false will only match for secondary users. -# If unspecified, the entry can match either case. -# An unspecified string selector will match any value. -# A user string selector that ends in * will perform a prefix match. -# user=_app will match any regular app UID. -# user=_isolated will match any isolated service UID. -# isPrivApp=true will only match for applications preinstalled in -# /system/priv-app. -# All specified input selectors in an entry must match (i.e. logical AND). -# Matching is case-insensitive. -# -# Precedence rules: -# (1) isSystemServer=true before isSystemServer=false. -# (2) Specified isOwner= before unspecified isOwner= boolean. -# (3) Specified user= string before unspecified user= string. -# (4) Fixed user= string before user= prefix (i.e. ending in *). -# (5) Longer user= prefix before shorter user= prefix. -# (6) Specified seinfo= string before unspecified seinfo= string. -# ':' character is reserved and may not be used. -# (7) Specified name= string before unspecified name= string. -# (8) Specified path= string before unspecified path= string. -# (9) Specified isPrivApp= before unspecified isPrivApp= boolean. -# -# Outputs: -# domain (string) -# type (string) -# levelFrom (string; one of none, all, app, or user) -# level (string) -# Only entries that specify domain= will be used for app process labeling. -# Only entries that specify type= will be used for app directory labeling. -# levelFrom=user is only supported for _app or _isolated UIDs. -# levelFrom=app or levelFrom=all is only supported for _app UIDs. -# level may be used to specify a fixed level for any UID. -# -# -# Neverallow Assertions -# Additional compile time assertion checks can be added as well. The assertion -# rules are lines beginning with the keyword neverallow. Full support for PCRE -# regular expressions exists on all input and output selectors. Neverallow -# rules are never output to the built seapp_contexts file. Like all keywords, -# neverallows are case-insensitive. A neverallow is asserted when all key value -# inputs are matched on a key value rule line. -# - -# only the system server can be in system_server domain -neverallow isSystemServer=false domain=system_server -neverallow isSystemServer="" domain=system_server - -# system domains should never be assigned outside of system uid -neverallow user=((?!system).)* domain=system_app -neverallow user=((?!system).)* type=system_app_data_file - -# anything with a non-known uid with a specified name should have a specified seinfo -neverallow user=_app name=.* seinfo="" -neverallow user=_app name=.* seinfo=default - -# neverallow shared relro to any other domain -# and neverallow any other uid into shared_relro -neverallow user=shared_relro domain=((?!shared_relro).)* -neverallow user=((?!shared_relro).)* domain=shared_relro - -# neverallow non-isolated uids into isolated_app domain -# and vice versa -neverallow user=_isolated domain=((?!isolated_app).)* -neverallow user=((?!_isolated).)* domain=isolated_app - -# uid shell should always be in shell domain, however non-shell -# uid's can be in shell domain -neverallow user=shell domain=((?!shell).)* - -isSystemServer=true domain=system_server -user=system seinfo=platform domain=system_app type=system_app_data_file -user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file -user=nfc seinfo=platform domain=nfc type=nfc_data_file -user=radio seinfo=platform domain=radio type=radio_data_file -user=shared_relro domain=shared_relro -user=shell seinfo=platform domain=shell type=shell_data_file -user=_isolated domain=isolated_app levelFrom=user -user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user -user=_app domain=untrusted_app type=app_data_file levelFrom=user |