PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6bf9bbc829
android_system_sepolicy/seapp_contexts
Stephen Smalley 6d8fa69548 Move shell entry up with other platform UID entries. 
This is a trivial change to seapp_contexts to force a relabel
of /data/data directories by PMS/installd by yielding a
different hash value for comparison against /data/system/seapp_hash.
This change does not alter any actual app process or data directory
labeling decisions.  The seapp_contexts entries are sorted upon
loading by libselinux to match the precedence rules described
in the comment header, so ordering in this file should not matter.

This should not be merged before the code changes with the same Change-Id.

Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-28 08:25:22 -04:00

49 lines
2.1 KiB
Plaintext
Raw Blame History

# Input selectors:
# isSystemServer (boolean)
# user (string)
# seinfo (string)
# name (string)
# path (string)
# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified user= string before unspecified user= string.
# (3) Fixed user= string before user= prefix (i.e. ending in *).
# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
# (7) Specified path= string before unspecified path= string.
# (8) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
# Only entries that specify domain= will be used for app process labeling.
# Only entries that specify type= will be used for app directory labeling.
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
isSystemServer=true domain=system_server
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=shell domain=shell type=shell_data_file
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=shared domain=shared_app type=app_data_file
user=_app seinfo=media domain=media_app type=app_data_file
user=_app seinfo=release domain=release_app type=app_data_file
user=_isolated domain=isolated_app
Reference in New Issue View Git Blame Copy Permalink