Commit 3ac1d26a authored by Stephen Smalley

Switch app_* and isolated to _app and _isolated in seapp_contexts.


The app_* syntax was a legacy of the original approach of looking up
the username returned by getpwuid() and the original username encoding
scheme by bionic.  With the recent changes to move away from this approach,
there is no reason to retain that syntax.  Instead, just use _app to match
app UIDs and _isolated to match isolated service UIDs.  The underscore
prefix is to signify that these are not real usernames and to avoid
conflicts with any system usernames.

Requires a corresponding change to libselinux.

Change-Id: Ic388a12c1c9d3e47386c8849db607140ef8a3d75
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent 061f254d
...@@ -8,6 +8,8 @@ ...@@ -8,6 +8,8 @@
# An unspecified isSystemServer defaults to false. # An unspecified isSystemServer defaults to false.
# An unspecified string selector will match any value. # An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match. # A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
# All specified input selectors in an entry must match (i.e. logical AND). # All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive. # Matching is case-insensitive.
# Precedence rules: # Precedence rules:
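Review bot: the two added comment lines for `user=_app` and `user=_isolated` do not say that these are reserved pseudo-names rather than real usernames or prefix patterns, and the line directly above them still documents the trailing-* prefix match. Suggest adding a line such as "# Selectors beginning with _ are reserved names, not real usernames." and stating whether the prefix match is still honoured for other user values, so a reader does not assume an existing `user=app_*` entry keeps working.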
...@@ -33,10 +35,10 @@ isSystemServer=true domain=system ...@@ -33,10 +35,10 @@ isSystemServer=true domain=system
user=system domain=system_app type=system_data_file user=system domain=system_app type=system_data_file
user=nfc domain=nfc type=nfc_data_file user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file user=radio domain=radio type=radio_data_file
user=app_* domain=untrusted_app type=app_data_file levelFromUid=true user=_app domain=untrusted_app type=app_data_file levelFromUid=true
user=app_* seinfo=platform domain=platform_app type=platform_app_data_file user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=app_* seinfo=shared domain=shared_app type=platform_app_data_file user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=app_* seinfo=media domain=media_app type=platform_app_data_file user=_app seinfo=media domain=media_app type=platform_app_data_file
user=app_* seinfo=release domain=release_app type=platform_app_data_file user=_app seinfo=release domain=release_app type=platform_app_data_file
user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file user=_app seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
user=isolated domain=isolated_app levelFromUid=true user=_isolated domain=isolated_app levelFromUid=true
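Review bot: all six `user=app_*` entries and the `user=isolated` entry in this hunk now rely on the parser recognising `_app` and `_isolated`, yet the commit message only says "Requires a corresponding change to libselinux" without identifying that change. Suggest referencing its Change-Id in the message and landing the two together, because these entries assign the app domains and data file types, and a mismatch between this file and libselinux could leave them unmatched. It is also worth confirming that no other seapp_contexts file still uses the old `app_*` or `isolated` spellings.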