{"id":20498435,"url":"https://github.com/grapheneos/platform_system_sepolicy","last_synced_at":"2025-04-13T18:43:03.659Z","repository":{"id":10715931,"uuid":"66727078","full_name":"GrapheneOS/platform_system_sepolicy","owner":"GrapheneOS","description":"Base SELinux policy (extended by per-device repositories)","archived":false,"fork":false,"pushed_at":"2025-03-26T02:09:35.000Z","size":31474,"stargazers_count":13,"open_issues_count":0,"forks_count":28,"subscribers_count":4,"default_branch":"15-qpr2","last_synced_at":"2025-03-27T09:39:43.684Z","etag":null,"topics":["android","grapheneos","privacy","security"],"latest_commit_sha":null,"homepage":"https://grapheneos.org/","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GrapheneOS.png","metadata":{"files":{"readme":"README.apps.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"thestinger","custom":"https://grapheneos.org/donate"}},"created_at":"2016-08-27T17:30:23.000Z","updated_at":"2025-03-19T19:57:54.000Z","dependencies_parsed_at":"2023-02-18T17:16:09.147Z","dependency_job_id":"648e6755-a339-41bd-9d04-8bbf0773ab18","html_url":"https://github.com/GrapheneOS/platform_system_sepolicy","commit_stats":null,"previous_names":[],"tags_count":784,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrapheneOS%2Fplatform_system_sepolicy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrapheneOS%2Fplatform_system_sepolicy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrapheneOS%2Fplatform_syste
m_sepolicy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GrapheneOS%2Fplatform_system_sepolicy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GrapheneOS","download_url":"https://codeload.github.com/GrapheneOS/platform_system_sepolicy/tar.gz/refs/heads/15-qpr2","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248765157,"owners_count":21158225,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","grapheneos","privacy","security"],"created_at":"2024-11-15T18:14:13.279Z","updated_at":"2025-04-13T18:43:03.650Z","avatar_url":"https://github.com/GrapheneOS.png","language":"Go","funding_links":["https://github.com/sponsors/thestinger","https://grapheneos.org/donate"],"categories":[],"sub_categories":[],"readme":"The policy defines multiple types and attributes for apps. This document is a\nhigh-level overview of these. For further details on each type, refer to their\nspecific files in the public/ and private/ directories.\n\n## appdomain\nIn general, all apps will have the `appdomain` attribute. You can think of\n`appdomain` as any app started by Zygote. The macro `app_domain()` should be\nused to define a type that is considered an app (see public/te_macros).\n\n## untrusted_app\nThird-party apps (for example, installed from the Play Store), targeting the\nmost recent SDK version will be typed as `untrusted_app`. 
This is the default\ndomain for apps, unless more specific criteria apply.\n\nWhen an app is targeting a previous SDK version, it may have the\n`untrusted_app_xx` type where xx is the targetSdkVersion. For instance, an app\nwith `targetSdkVersion = 32` in its manifest will be typed as `untrusted_app_32`.\nNot all targetSdkVersion values have a specific type; some versions are skipped when no\ndifferences were introduced (see public/untrusted_app.te for more details).\n\nThe `untrusted_app_all` attribute can be used to reference all the types\ndescribed in this section (that is, `untrusted_app`, `untrusted_app_30`,\n`untrusted_app_32`, etc.).\n\n## isolated_app\nApps may be restricted when using isolatedProcess=true in their manifest. In\nthis case, they will be assigned the `isolated_app` type. A similar type\n`isolated_compute_app` exists for some restricted services.\n\nBoth types `isolated_app` and `isolated_compute_app` are grouped under the\nattribute `isolated_app_all`.\n\n## ephemeral_app\nApps that are run without installation. These are apps deployed for example via\nGoogle Play Instant. These are more constrained than `untrusted_app`.\n\n## sdk_sandbox\nSDK runtime apps, installed as part of the Privacy Sandbox project. These are\nsandboxed to limit their communication channels.\n\n## platform_app\nApps that are signed with the platform key. These are installed within the\nsystem or vendor image. com.android.systemui is an example of an app running\nwith this type.\n\n## system_app\nApps pre-installed on a device, signed by the platform key and running with the\nsystem UID. 
com.android.settings is an example of an app running with this\ntype.\n\n## priv_app\nApps shipped as part of the device and installed in one of the\n`/{system,vendor,product}/priv-app` directories.\ncom.google.android.apps.messaging is an example of an app running as priv_app.\nPermissions for these apps need to be explicitly granted, see\nhttps://source.android.com/docs/core/permissions/perms-allowlist for more\ndetails.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrapheneos%2Fplatform_system_sepolicy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgrapheneos%2Fplatform_system_sepolicy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrapheneos%2Fplatform_system_sepolicy/lists"}