Move *_app into their own file
app.te covers a lot of different apps types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.
Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.
No functional change.
Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
diff --git a/app.te b/app.te
index 22168f8..b896ada 100644
--- a/app.te
+++ b/app.te
@@ -1,68 +1,10 @@
-#
-# Domains for apps that do not run with one of the predefined
-# platform UIDs (system, radio, nfc, ...).
-#
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
-#
-# Apps signed with the platform key.
-#
-type platform_app, domain;
-permissive platform_app;
-app_domain(platform_app)
-platform_app_domain(platform_app)
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
-
-# Apps signed with the media key.
-type media_app, domain;
-permissive media_app;
-app_domain(media_app)
-platform_app_domain(media_app)
-# Access the network.
-net_domain(media_app)
-unconfined_domain(media_app)
-relabelto_domain(media_app)
-allow media_app download_file:dir relabelto;
-
-# Apps signed with the shared key.
-type shared_app, domain;
-permissive shared_app;
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
-
-# Apps signed with the release key (testkey in AOSP).
-type release_app, domain;
-permissive release_app;
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-unconfined_domain(release_app)
-
-# Services with isolatedProcess=true in their manifest.
-# In order for isolated_apps to interact with apps that have levelFromUid=true
-# set it must be an mlstrustedsubject.
-type isolated_app, domain, mlstrustedsubject;
-permissive isolated_app;
-app_domain(isolated_app)
-unconfined_domain(isolated_app)
-
-#
-# Untrusted apps.
-#
-type untrusted_app, domain;
-permissive untrusted_app;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-unconfined_domain(untrusted_app)
+# currently empty
diff --git a/isolated_app.te b/isolated_app.te
new file mode 100644
index 0000000..57c357c
--- /dev/null
+++ b/isolated_app.te
@@ -0,0 +1,15 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+permissive isolated_app;
+app_domain(isolated_app)
+unconfined_domain(isolated_app)
diff --git a/media_app.te b/media_app.te
new file mode 100644
index 0000000..f0f987f
--- /dev/null
+++ b/media_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+permissive media_app;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
diff --git a/platform_app.te b/platform_app.te
new file mode 100644
index 0000000..38d8fcd
--- /dev/null
+++ b/platform_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+permissive platform_app;
+app_domain(platform_app)
+platform_app_domain(platform_app)
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+unconfined_domain(platform_app)
diff --git a/release_app.te b/release_app.te
new file mode 100644
index 0000000..285f483
--- /dev/null
+++ b/release_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+permissive release_app;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+unconfined_domain(release_app)
diff --git a/shared_app.te b/shared_app.te
new file mode 100644
index 0000000..b66fbfb
--- /dev/null
+++ b/shared_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+permissive shared_app;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+unconfined_domain(shared_app)
diff --git a/untrusted_app.te b/untrusted_app.te
new file mode 100644
index 0000000..f552129
--- /dev/null
+++ b/untrusted_app.te
@@ -0,0 +1,17 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+permissive untrusted_app;
+app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+unconfined_domain(untrusted_app)