From 8840fa7f85e60fc4abd3cedf7cbfc2cd98a4d473 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 11 Sep 2013 11:37:46 -0400
Subject: [PATCH] Split system_app from system.

system_app is for apps that run in the system UID, e.g. Settings.
system is for the system_server.
Split them into separate files and note their purpose in the comment
header of each file.

Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 system.te     | 9 ++++-----
 system_app.te | 9 +++++++++
 2 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 system_app.te

diff --git a/system.te b/system.te
index 3dda4b4bd..f29367cef 100644
--- a/system.te
+++ b/system.te
@@ -1,8 +1,7 @@
-type system_app, domain;
-permissive system_app;
-app_domain(system_app)
-unconfined_domain(system_app)
-
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
 type system, domain;
 permissive system;
 unconfined_domain(system);
diff --git a/system_app.te b/system_app.te
new file mode 100644
index 000000000..61a18dbc7
--- /dev/null
+++ b/system_app.te
@@ -0,0 +1,9 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings.  These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+permissive system_app;
+app_domain(system_app)
+unconfined_domain(system_app)
-- 
GitLab