Merge "Update seapp_contexts with isIsolatedComputeApp selector"
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d950c3d..e3ee026 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -11,6 +11,7 @@
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
+#       isIsolatedComputeApp (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -40,6 +41,11 @@
 #       it has a default value of 0.
 # fromRunAs=true means the process being labeled is started by run-as. Default
 # is false.
+# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
+# restricted to run in an isolated_app domain. Processes match this selector will
+# be mapped to isolated_compute_app by default. It is expected to be used together
+# with user=_isolated. This selector should not be used unless it is intended
+# to provide isolated processes with relaxed security restrictions.
 #
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
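Review bot: The new comment never states what happens when the selector is absent, while the neighbouring entries do (`fromRunAs` says `Default is false.`, `minTargetSdkVersion` says it defaults to 0), and the header above says an unspecified boolean with no default matches any value; since the neverallow rules later in this file key on `isIsolatedComputeApp=false`, a reader needs that sentence here, either `Default is false.` or an explicit note that an unspecified selector matches both values. The first sentence is also ungrammatical; suggest `# isIsolatedComputeApp=true means the process re-uses an isolated uid but is not restricted to the isolated_app domain.` and `# Processes matching this selector will be mapped to isolated_compute_app by default.` for the following one.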
@@ -57,6 +63,7 @@
 #              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
 #              defaults to 0 if unspecified.
 #       (8) fromRunAs=true before fromRunAs=false.
+#       (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
@@ -122,9 +129,12 @@
 
 # neverallow non-isolated uids into isolated_app domain
 # and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
 neverallow user=((?!_isolated).)* domain=isolated_app
 
+# neverallow isolatedComputeApp into domains other than isolated_compute_app
+neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
+
 # uid shell should always be in shell domain, however non-shell
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
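Review bot: The mirror of the existing `neverallow user=((?!_isolated).)* domain=isolated_app` rule is missing for the new domain, so an entry that maps a non-isolated uid into isolated_compute_app would pass check_seapp even though the comment above says the restriction is meant to hold in both directions; add `neverallow user=((?!_isolated).)* domain=isolated_compute_app` next to the new rule. Separately, whether `isIsolatedComputeApp=false` in the modified first rule still matches entries that omit the selector depends on how check_seapp compares neverallow keys, which is outside this diff; if an absent key does not count as a match, every existing `user=_isolated` entry silently drops out of that rule's coverage. Worth confirming by running check_seapp on a deliberately wrong constructed entry such as `user=_isolated domain=shell` with no selector and checking that it is still rejected.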
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 7795e3a..e57a6b3 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -213,6 +213,7 @@
                 { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_type  },
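Review bot: The new table entry only validates the value as a boolean; nothing here ties `isIsolatedComputeApp=true` to `user=_isolated`, even though the seapp_contexts comment added in this commit says the two are expected together, so that coupling is enforced solely by the neverallow text in private/seapp_contexts. If the coupling is a hard requirement, a cross-key check at the point where the whole entry is validated would catch a stray `isIsolatedComputeApp=true` on a non-isolated uid independently of the neverallow rules; a one-line comment on the entry, e.g. `/* only meaningful with user=_isolated; see neverallow rules in seapp_contexts */`, would at least point maintainers at the dependency. The initializer enclosing this line starts and ends outside the hunk.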