Define security labeling for isolated processes.
Used when an app service is declared with android:isolatedProcess="true".
Place such processes in a separate domain, and further isolate them
from each other via categories.
Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/app.te b/app.te
index 028bf45..7984f10 100644
--- a/app.te
+++ b/app.te
@@ -67,6 +67,10 @@
# Read logs.
allow release_app log_device:chr_file read;
+# Services with isolatedProcess=true in their manifest.
+type isolated_app, domain;
+app_domain(isolated_app)
+
#
# An example of a specific domain for a specific app
# A domain for com.android.browser.
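Review bot: The new `isolated_app` domain receives everything `app_domain()` grants and nothing in this hunk narrows it, so as written an isolated service appears to be confined no more tightly than an ordinary app. The macro body is outside the hunk, so this should be confirmed against its definition. Because isolatedProcess services are meant to run with no permissions of their own, the comment above the type could state the intended boundary, e.g. `# Isolated services: baseline app_domain() rules only; add no further allow rules here without security review.` A follow-up adding `neverallow` rules for this domain would enforce that boundary at policy build time rather than by convention.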
diff --git a/seapp_contexts b/seapp_contexts
index 71eca75..0050cc2 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,3 +39,4 @@
user=app_* seinfo=media domain=media_app type=platform_app_data_file
user=app_* seinfo=release domain=release_app type=platform_app_data_file
user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
+user=isolated domain=isolated_app levelFromUid=true
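Review bot: The added `user=isolated` entry sets no `type=`, unlike the three entries above it, and nothing records that the omission is deliberate. If isolated processes are never given a data directory, a line such as `# isolated processes have no data directory, so no type= is assigned` would make that explicit. Separation between isolated processes rests entirely on `levelFromUid=true`, which presumably only has effect where the policy's MLS constraints cover the object classes these processes can reach. That is worth confirming, since none of the other entries visible in this hunk assign a level.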