Define security labeling for isolated processes.

Used when an app service is declared with android:isolatedProcess="true". Place such processes in a separate domain, and further isolate them from each other via categories. Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define security labeling for isolated processes.
061f254d · Stephen Smalley · 66a3e8d9 · 061f254d · 061f254d
Commit 061f254d authored 12 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -67,6 +67,10 @@ bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
+# Services with isolatedProcess=true in their manifest.
+type isolated_app, domain;
+app_domain(isolated_app)
 #
 # An example of a specific domain for a specific app
 # A domain for com.android.browser.

--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,3 +39,4 @@ user=app_* seinfo=shared domain=shared_app type=platform_app_data_file
 user=app_* seinfo=media domain=media_app type=platform_app_data_file
 user=app_* seinfo=release domain=release_app type=platform_app_data_file
 user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
+user=isolated domain=isolated_app levelFromUid=true