From d823f83e5466b53521b098c0865b89c7f12025fa Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Feb 2014 13:26:20 -0500
Subject: [PATCH] Clarify meaning of untrusted_app and app domain assignment
 logic.

The current inline documentation is not entirely accurate and caused
user confusion, e.g. see:
https://groups.google.com/d/msg/android-security-discuss/javBrPT8ius/C4EVEFUu4ZoJ

Try to clarify the meaning of untrusted_app, how app domains are
assigned, and how to move other system apps out of untrusted_app into
a different domain.

Change-Id: I98d344dd078fe9e2738b68636adaabda1f4b3c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 untrusted_app.te | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/untrusted_app.te b/untrusted_app.te
index 96c700974..16499c1b0 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -1,9 +1,20 @@
 ###
 ### Untrusted apps.
 ###
-### This file defines the rules for untrusted apps. An "untrusted
-### app" is an APP with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000).
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by one of the four platform keys.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
 ###
 ### untrusted_app includes all the appdomain rules, plus the
 ### additional following rules:
-- 
GitLab