am 008d7f14: Drop the default stanza from mac_permissions.xml

* commit '008d7f14': Drop the default stanza from mac_permissions.xml

am 008d7f14: Drop the default stanza from mac_permissions.xml
60442d18 · Robert Craig · Android Git Automerger · 5a863aef · 008d7f14 · 60442d18
Commit 60442d18 authored 9 years ago by Robert Craig Committed by Android Git Automerger 9 years ago
--- a/mac_permissions.xml
+++ b/mac_permissions.xml
@@ -4,21 +4,46 @@
 <!--
    * A signature is a hex encoded X.509 certificate or a tag defined in
-      keys.conf and is required for each signer tag.
+      keys.conf and is required for each signer tag. The signature can
-    * A signer tag may contain a seinfo tag and multiple package stanzas.
+      either appear as a set of attached cert child tags or as an attribute.
-    * A default tag is allowed that can contain policy for all apps not signed with a
+    * A signer tag must contain a seinfo tag XOR multiple package stanzas.
-      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/package tag is allowed to contain one seinfo tag. This tag
-    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
      represents additional info that each app can use in setting a SELinux security
-      context on the eventual process.
+      context on the eventual process as well as the apps data directory.
-    * When a package is installed the following logic is used to determine what seinfo
+    * seinfo assignments are made according to the following rules:
-      value, if any, is assigned.
+      - Stanzas with package name refinements will be checked first.
-      - All signatures used to sign the app are checked first.
+      - Stanzas w/o package name refinements will be checked second.
-      - If a signer stanza has inner package stanzas, those stanza will be checked
+      - The "default" seinfo label is automatically applied.
-        to try and match the package name of the app. If the package name matches
-        then that seinfo tag is used. If no inner package matches then the outer
+    * valid stanzas can take one of the following forms:
-        seinfo tag is assigned.
-      - The default tag is consulted last if needed.
+     // single cert protecting seinfo
+     <signer signature="@PLATFORM" >
+       <seinfo value="platform" />
+     </signer>
+     // multiple certs protecting seinfo (all contained certs must match)
+     <signer>
+       <cert signature="@PLATFORM1"/>
+       <cert signature="@PLATFORM2"/>
+       <seinfo value="platform" />
+     </signer>
+     // single cert protecting explicitly named app
+     <signer signature="@PLATFORM" >
+       <package name="com.android.foo">
+         <seinfo value="bar" />
+       </package>
+     </signer>
+     // multiple certs protecting explicitly named app (all certs must match)
+     <signer>
+       <cert signature="@PLATFORM1"/>
+       <cert signature="@PLATFORM2"/>
+       <package name="com.android.foo">
+         <seinfo value="bar" />
+       </package>
+     </signer>
 -->
    <!-- Platform dev key in AOSP -->
@@ -26,9 +51,4 @@
      <seinfo value="platform" />
    </signer>
-    <!-- All other keys -->
-    <default>
-      <seinfo value="default" />
-    </default>
 </policy>