Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.
Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
when the asec images are mounted
- asec_image_file : the actual encrypted apks under
/data/app-asec
Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.
Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
