### ### Untrusted apps. ### ### Apps are labeled based on mac_permissions.xml (maps signer and ### optionally package name to seinfo value) and seapp_contexts (maps UID ### and optionally seinfo value to domain for process and type for data ### directory). The untrusted_app domain is the default assignment in ### seapp_contexts for any app with UID between APP_AID (10000) ### and AID_ISOLATED_START (99000) if the app has no specific seinfo ### value as determined from mac_permissions.xml. In current AOSP, this ### domain is assigned to all non-system apps as well as to any system apps ### that are not signed by the platform key. To move ### a system app into a specific domain, add a signer entry for it to ### mac_permissions.xml and assign it one of the pre-existing seinfo values ### or define and use a new seinfo value in both mac_permissions.xml and ### seapp_contexts. ### # This file defines the rules for untrusted apps running with # targetSdkVersion >= 34. type untrusted_app, domain; # This file defines the rules for untrusted apps running with # 31 < targetSdkVersion <= 33. type untrusted_app_32, domain; # This file defines the rules for untrusted apps running with # 29 < targetSdkVersion <= 31. type untrusted_app_30, domain; # This file defines the rules for untrusted apps running with # targetSdkVersion = 29. type untrusted_app_29, domain; # This file defines the rules for untrusted apps running with # 25 < targetSdkVersion <= 28. type untrusted_app_27, domain; # This file defines the rules for untrusted apps running with # targetSdkVersion <= 25. type untrusted_app_25, domain; # system/sepolicy/public is for vendor-facing type and attribute definitions. # DO NOT ADD allow, neverallow, or dontaudit statements here. # Instead, add such policy rules to system/sepolicy/private/*.te.