9ba844fea1
This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set. As there is now only a single platform app domains, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS. Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml. Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
35 lines
1.3 KiB
XML
35 lines
1.3 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<policy>
|
|
|
|
<!--
|
|
|
|
* A signature is a hex encoded X.509 certificate or a tag defined in
|
|
keys.conf and is required for each signer tag.
|
|
* A signer tag may contain a seinfo tag and multiple package stanzas.
|
|
* A default tag is allowed that can contain policy for all apps not signed with a
|
|
previously listed cert. It may not contain any inner package stanzas.
|
|
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
|
|
represents additional info that each app can use in setting a SELinux security
|
|
context on the eventual process.
|
|
* When a package is installed the following logic is used to determine what seinfo
|
|
value, if any, is assigned.
|
|
- All signatures used to sign the app are checked first.
|
|
- If a signer stanza has inner package stanzas, those stanza will be checked
|
|
to try and match the package name of the app. If the package name matches
|
|
then that seinfo tag is used. If no inner package matches then the outer
|
|
seinfo tag is assigned.
|
|
- The default tag is consulted last if needed.
|
|
-->
|
|
|
|
<!-- Platform dev key in AOSP -->
|
|
<signer signature="@PLATFORM" >
|
|
<seinfo value="platform" />
|
|
</signer>
|
|
|
|
<!-- All other keys -->
|
|
<default>
|
|
<seinfo value="default" />
|
|
</default>
|
|
|
|
</policy>
|