Rewrite app domains and seapp_contexts to leverage new seinfo tags.
diff --git a/app.te b/app.te
index ed76ccf..62e4bb1 100644
--- a/app.te
+++ b/app.te
@@ -4,31 +4,64 @@
#
#
-# Trusted apps.
+# Apps signed with the platform key.
#
-type trusted_app, domain;
-app_domain(trusted_app)
+type platform_app, domain;
+app_domain(platform_app)
# Access the network.
-net_domain(trusted_app)
+net_domain(platform_app)
# Access bluetooth.
-bluetooth_domain(trusted_app)
+bluetooth_domain(platform_app)
# Read logs.
-allow trusted_app log_device:chr_file read;
-# Access /dev/mtp_usb.
-# XXX Split android.process.media into a separate domain?
-allow trusted_app mtp_device:chr_file rw_file_perms;
+allow platform_app log_device:chr_file read;
# Write to /cache.
-allow trusted_app cache_file:dir rw_dir_perms;
-allow trusted_app cache_file:file create_file_perms;
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
# Read from /data/local.
-allow trusted_app shell_data_file:dir search;
-allow trusted_app shell_data_file:file { open getattr read };
-allow trusted_app shell_data_file:lnk_file read;
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
# Access the sdcard.
-allow trusted_app sdcard:dir create_dir_perms;
-allow trusted_app sdcard:file create_file_perms;
+allow platform_app sdcard:dir create_dir_perms;
+allow platform_app sdcard:file create_file_perms;
# Populate /data/app/vmdl*.tmp file created by system server.
-allow trusted_app apk_tmp_file:file rw_file_perms;
+allow platform_app apk_tmp_file:file rw_file_perms;
+
+# Apps signed with the media key.
+type media_app, domain;
+app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+# Read logs.
+allow media_app log_device:chr_file read;
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Access sdcard.
+allow media_app sdcard:dir r_dir_perms;
+allow media_app sdcard:file r_file_perms;
+
+# Apps signed with the shared key.
+type shared_app, domain;
+app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+# Read logs.
+allow shared_app log_device:chr_file read;
+
+# Apps signed with the release key (testkey in AOSP).
+type release_app, domain;
+app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+# Read logs.
+allow release_app log_device:chr_file read;
#
# An example of a specific domain for a specific app
diff --git a/seapp_contexts b/seapp_contexts
index c301792..502206a 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -33,5 +33,8 @@
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
-user=app_* seinfo=systemApp domain=trusted_app levelFromUid=true
-user=app_* seinfo=systemApp name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* seinfo=platform domain=platform_app levelFromUid=true
+user=app_* seinfo=shared domain=shared_app levelFromUid=true
+user=app_* seinfo=media domain=media_app levelFromUid=true
+user=app_* seinfo=release domain=release_app levelFromUid=true
+user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
