    Coalesce shared_app, media_app, release_app into untrusted_app. · 9ba844fe
    Stephen Smalley authored
    
    This change folds the shared_app, media_app, and release_app
    domains into untrusted_app, reducing the set of app domains down
    to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
    nfc, radio), a single domain for apps signed by the platform key
    (platform_app), and a single domain for all other apps (untrusted_app).
    Thus, SELinux only distinguishes when already distinguished by a predefined
    Android ID (AID) or by the platform certificate (which get the signature-only
    Android permissions and thus may require special OS-level accesses).
    
    It is still possible to introduce specific app domains for specific
    apps by adding signer and package stanzas to mac_permissions.xml,
    but this can be done on an as-needed basis for specialized apps that
    require particular OS-level permissions outside the usual set.
    
    As there is now only a single platform app domain, get rid of the
    platformappdomain attribute and platform_app_domain() macro.  We used
    to add mlstrustedsubject to those domains but drop this since we are not
    using MLS in AOSP presently; we can revisit which domains need it if/when
    we use MLS.
    
    Since we are dropping the shared, media, and release seinfo entries from
    seapp_contexts, drop them from mac_permissions.xml as well.  However,
    we leave the keys.conf entries in case someone wants to add a signer
    entry in the future for specific apps signed by those keys to
    mac_permissions.xml.
    
    Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
mac_permissions.xml 1.34 KiB
<?xml version="1.0" encoding="utf-8"?>
<policy>

<!--

    * A signature is a hex encoded X.509 certificate or a tag defined in
      keys.conf and is required for each signer tag.
    * A signer tag may contain a seinfo tag and multiple package stanzas.
    * A default tag is allowed that can contain policy for all apps not signed with a
      previously listed cert. It may not contain any inner package stanzas.
    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
      represents additional info that each app can use in setting a SELinux security
      context on the eventual process.
    * When a package is installed the following logic is used to determine what seinfo
      value, if any, is assigned.
      - All signatures used to sign the app are checked first.
      - If a signer stanza has inner package stanzas, those stanzas will be checked
        to try to match the package name of the app. If the package name matches
        then that seinfo tag is used. If no inner package matches then the outer
        seinfo tag is assigned.
      - The default tag is consulted last if needed.
-->

    <!-- Platform dev key in AOSP -->
    <signer signature="@PLATFORM" >
      <seinfo value="platform" />
    </signer>

    <!-- All other keys -->
    <default>
      <seinfo value="default" />
    </default>

</policy>
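The lookup order spelled out in the comment block of mac_permissions.xml (matching signer first, then an inner package stanza, then the signer's own seinfo, then default), worked through as an added Python example. This is illustration code written for this page, not the Android installer's own seinfo resolver. `PAGE_POLICY` is the file as shown above; `PACKAGE_POLICY`, its `DEADBEEF0001` / `CAFEF00D0002` signature strings and the `com.example.*` package names are constructed placeholders, and comparing signatures as upper-cased strings stands in for the platform's certificate comparison. With the page's own policy, any app not signed by the platform key lands in `default`, which is the effect of dropping the shared, media and release signer entries.

```python
"""Resolve the seinfo value an app receives from a mac_permissions.xml policy.

Added illustration of the lookup order documented in the comment block of
mac_permissions.xml; it is not the Android installer's own resolver.  The
hex signature strings and com.example.* package names below are constructed
placeholders, and comparing signatures as strings stands in for the real
certificate comparison.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# The policy as it appears on the page after the coalescing change: one
# platform signer and a catch-all default.
PAGE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy>
    <signer signature="@PLATFORM" >
      <seinfo value="platform" />
    </signer>
    <default>
      <seinfo value="default" />
    </default>
</policy>
"""

# Constructed policy showing the signer + inner package form the commit
# message mentions for specialised apps.  "DEADBEEF0001" stands in for a
# hex-encoded X.509 certificate (hypothetical, not a real key).
PACKAGE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy>
    <signer signature="@PLATFORM" >
      <seinfo value="platform" />
    </signer>
    <signer signature="DEADBEEF0001" >
      <package name="com.example.special" >
        <seinfo value="special" />
      </package>
      <seinfo value="vendor" />
    </signer>
    <default>
      <seinfo value="default" />
    </default>
</policy>
"""


def _seinfo_of(elem: ET.Element) -> Optional[str]:
    """Value of the element's direct <seinfo> child, or None if it has none."""
    child = elem.find("seinfo")
    return child.get("value") if child is not None else None


def resolve_seinfo(policy_xml: str, app_signatures: List[str],
                   package_name: str) -> Optional[str]:
    """Return the seinfo an app with these signing certs and package name gets.

    Order, per the policy file's own comment:
      1. every signer whose signature matches one of the app's certs is
         checked, in document order;
      2. a matching signer's inner <package> stanza with the app's name wins;
      3. otherwise the signer's own <seinfo> is used;
      4. <default> is consulted last.
    None means no stanza applied and no <default> exists.
    """
    root = ET.fromstring(policy_xml.encode("utf-8"))
    if root.tag != "policy":
        raise ValueError("root element must be <policy>")
    # Hex certificates are compared case-insensitively here; keys.conf tags
    # such as @PLATFORM are already upper-case.
    certs = {sig.upper() for sig in app_signatures}

    for signer in root.findall("signer"):
        if (signer.get("signature") or "").upper() not in certs:
            continue
        for pkg in signer.findall("package"):
            if pkg.get("name") == package_name:
                value = _seinfo_of(pkg)
                if value is not None:
                    return value
        value = _seinfo_of(signer)
        if value is not None:
            return value

    default = root.find("default")
    if default is None:
        return None
    if default.find("package") is not None:
        raise ValueError("<default> may not contain package stanzas")
    return _seinfo_of(default)


if __name__ == "__main__":
    # An app signed by some non-platform key (constructed cert) has no stanza
    # of its own any more and falls through to default.
    print(resolve_seinfo(PAGE_POLICY, ["CAFEF00D0002"], "com.example.app"))
    print(resolve_seinfo(PACKAGE_POLICY, ["DEADBEEF0001"], "com.example.special"))
```

The resolver rejects a `<default>` that carries package stanzas, which the comment block forbids, and returns `None` rather than a guess when a policy has no `<default>` at all, so a caller can distinguish "no stanza applied" from a real seinfo value.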