Something went wrong on our end
Select Git revision
service_contexts
-
Anthony Hugh authoredThis reverts commit cda36e31. This will be moved to a device specific file. BUG: 24555181 Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec
Anthony Hugh authoredThis reverts commit cda36e31. This will be moved to a device specific file. BUG: 24555181 Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec
seapp_contexts 4.39 KiB
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
# path (string)
# isPrivApp (boolean)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# isOwner=true will only match for the owner/primary user.
# isOwner=false will only match for secondary users.
# If unspecified, the entry can match either case.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
# (3) Specified isOwner= before unspecified isOwner= boolean.
# (4) Specified user= string before unspecified user= string.
# (5) Fixed user= string before user= prefix (i.e. ending in *).
# (6) Longer user= prefix before shorter user= prefix.
# (7) Specified seinfo= string before unspecified seinfo= string.
# ':' character is reserved and may not be used.
# (8) Specified name= string before unspecified name= string.
# (9) Specified path= string before unspecified path= string.
# (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
#
# Outputs:
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
# Only entries that specify domain= will be used for app process labeling.
# Only entries that specify type= will be used for app directory labeling.
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
#
# Neverallow Assertions
# Additional compile time assertion checks can be added as well. The assertion
# rules are lines beginning with the keyword neverallow. Full support for PCRE
# regular expressions exists on all input and output selectors. Neverallow
# rules are never output to the built seapp_contexts file. Like all keywords,
# neverallows are case-insensitive. A neverallow is asserted when all key value
# inputs are matched on a key value rule line.
#
# only the system server can be in system_server domain
neverallow isSystemServer=false domain=system_server
neverallow isSystemServer="" domain=system_server
# system domains should never be assigned outside of system uid
neverallow user=((?!system).)* domain=system_app
neverallow user=((?!system).)* type=system_app_data_file
# anything with a non-known uid with a specified name should have a specified seinfo
neverallow user=_app name=.* seinfo=""
neverallow user=_app name=.* seinfo=default