From 061f254def394fdc4784fe6c446bdd779cfec768 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 20 Sep 2012 10:57:03 -0400
Subject: [PATCH] Define security labeling for isolated processes.

Used when an app service is declared with android:isolatedProcess="true".
Place such processes in a separate domain, and further isolate them
from each other via categories.

Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te         | 4 ++++
 seapp_contexts | 1 +
 2 files changed, 5 insertions(+)

diff --git a/app.te b/app.te
index 028bf4544..7984f1099 100644
--- a/app.te
+++ b/app.te
@@ -67,6 +67,10 @@ bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
 
+# Services with isolatedProcess=true in their manifest.
+type isolated_app, domain;
+app_domain(isolated_app)
+
 #
 # An example of a specific domain for a specific app
 # A domain for com.android.browser.
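Review bot: `app_domain(isolated_app)` on the added lines gives the new domain the same base rule set the other app domains get from that macro, so at the type-enforcement level isolated_app is a distinct label but not visibly a narrower one. The macro body is outside this hunk, so it is worth confirming that what it allows matches what a service declared with isolatedProcess="true" should be able to reach. If it allows more, a reduced rule set written for this domain would be safer than the shared macro. The comment could also state where the per-instance separation comes from, e.g. `# Services with isolatedProcess=true in their manifest; instances are separated from each other by the categories assigned in seapp_contexts.`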
diff --git a/seapp_contexts b/seapp_contexts
index 71eca75b8..0050cc263 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,3 +39,4 @@ user=app_* seinfo=shared domain=shared_app type=platform_app_data_file
 user=app_* seinfo=media domain=media_app type=platform_app_data_file
 user=app_* seinfo=release domain=release_app type=platform_app_data_file
 user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
+user=isolated domain=isolated_app levelFromUid=true
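Review bot: The added `user=isolated` entry is the only one in this hunk with no `type=` field and the only one using `levelFromUid=true`, and neither choice is explained next to it. A comment above the line would help the next maintainer, such as `# Isolated services: no type= (presumably no app data directory to label); level derived from the uid so each instance gets its own category.` The category separation described in the commit message only takes effect if the policy's MLS constraints cover the object classes these processes can access. That is not visible in this patch and should be confirmed.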
-- 
GitLab