Move *_app into their own file

app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f

Move *_app into their own file
748fdef6 · Nick Kralevich · 08f01a33 · 748fdef6 · 748fdef6 · 748fdef6
Commit 748fdef6 authored 11 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
-#
-# Domains for apps that do not run with one of the predefined
-# platform UIDs (system, radio, nfc, ...).
-#
-
-#
-# Apps signed with the platform key.
-#
-type platform_app, domain;
-permissive platform_app;
-app_domain(platform_app)
-platform_app_domain(platform_app)
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
-
-# Apps signed with the media key.
-type media_app, domain;
-permissive media_app;
-app_domain(media_app)
-platform_app_domain(media_app)
-# Access the network.
-net_domain(media_app)
-unconfined_domain(media_app)
-relabelto_domain(media_app)
-allow media_app download_file:dir relabelto;
-
-# Apps signed with the shared key.
-type shared_app, domain;
-permissive shared_app;
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
-
-# Apps signed with the release key (testkey in AOSP).
-type release_app, domain;
-permissive release_app;
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-unconfined_domain(release_app)
-
-# Services with isolatedProcess=true in their manifest.
-# In order for isolated_apps to interact with apps that have levelFromUid=true
-# set it must be an mlstrustedsubject.
-type isolated_app, domain, mlstrustedsubject;
-permissive isolated_app;
-app_domain(isolated_app)
-unconfined_domain(isolated_app)
-
-#
-# Untrusted apps.
-#
-type untrusted_app, domain;
-permissive untrusted_app;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-unconfined_domain(untrusted_app)
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# currently empty
--- a/isolated_app.te
+++ b/isolated_app.te
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+permissive isolated_app;
+app_domain(isolated_app)
+unconfined_domain(isolated_app)
--- a/media_app.te
+++ b/media_app.te
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+permissive media_app;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
--- a/platform_app.te
+++ b/platform_app.te
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+permissive platform_app;
+app_domain(platform_app)
+platform_app_domain(platform_app)
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+unconfined_domain(platform_app)
--- a/release_app.te
+++ b/release_app.te
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+permissive release_app;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+unconfined_domain(release_app)
--- a/shared_app.te
+++ b/shared_app.te
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+permissive shared_app;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+unconfined_domain(shared_app)
--- a/untrusted_app.te
+++ b/untrusted_app.te
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+permissive untrusted_app;
+app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+unconfined_domain(untrusted_app)