According to the "Precedence Rules" of seapp contexts, the order of all the policies should follow:
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified user= string before unspecified user= string.
# (3) Fixed user= string before user= prefix (i.e. ending in *).
# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
So, I don't think the current order is correct.
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
user=app_* seinfo=platform domain=platform_app levelFromUid=true
user=app_* seinfo=shared domain=shared_app levelFromUid=true
user=app_* seinfo=media domain=media_app levelFromUid=true
user=app_* seinfo=release domain=release_app levelFromUid=true
user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
For example, "user=app_* domain=untrusted_app type=app_data_file levelFromUid=true" should
be the last one. And "user=app_* seinfo=release domain=release_app levelFromUid=true" should
follow behind "user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true".
Could you help me to clarify that???? Thanks a lot.
--
-----------------------------------
Haiqing Jiang, PH.D studentComputer Science Department, North Carolina State University
