Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Blame History Permalink
  • Stephen Smalley's avatar
    Get rid of separate platform_app_data_file type. · dc88dca1
    Stephen Smalley authored 
    
The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    dc88dca1
seapp_contexts 2.19 KiB 
# Input selectors: 
#	isSystemServer (boolean)
#	user (string)
#	seinfo (string)
#	name (string)
#	path (string)
#	sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
# user=_isolated will match any isolated service UID.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
# Precedence rules:
# 	  (1) isSystemServer=true before isSystemServer=false.
#	  (2) Specified user= string before unspecified user= string.
#	  (3) Fixed user= string before user= prefix (i.e. ending in *).
#	  (4) Longer user= prefix before shorter user= prefix. 
#	  (5) Specified seinfo= string before unspecified seinfo= string.
#	  (6) Specified name= string before unspecified name= string.
#	  (7) Specified path= string before unspecified path= string.
#	  (8) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
#	domain (string)
#	type (string)
#	levelFrom (string; one of none, all, app, or user)
#	level (string)
# Only entries that specify domain= will be used for app process labeling.
# Only entries that specify type= will be used for app directory labeling.
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID. 
#
isSystemServer=true domain=system_server
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=shared domain=shared_app type=app_data_file
user=_app seinfo=media domain=media_app type=app_data_file
user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
user=_app seinfo=release domain=release_app type=app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file