platform_system_sepolicy/README.apps.md
Thiébaud Weksteen f263552b75 Add README.apps.md
Add a high-level overview of the app domains and attributes. This
documentation can be used as an entry point to find the correct type.
Detailed documentation should still be part of the type/attribute
definition in public/<type>.te or private/<type>.te.

Test: Render markdown locally
Change-Id: If91ecfbb079b90f7a7b8753cef5341a2335ca467
2023-05-15 10:42:00 +10:00

2.5 KiB

The policy defines multiple types and attributes for apps. This document is a high-level overview of these. For further details on each type, refer to their specific files in the public/ and private/ directories.

appdomain

In general, all apps will have the appdomain attribute. You can think of appdomain as any app started by Zygote. The macro app_domain() should be used to define a type that is considered an app (see public/te_macros).

untrusted_app

Third-party apps (for example, installed from the Play Store), targeting the most recent SDK version will be typed as untrusted_app. This is the default domain for apps, unless a more specific criteria applies.

When an app is targeting a previous SDK version, it may have the untrusted_app_xx type where xx is the targetSdkVersion. For instance, an app with targetSdkVersion = 32 in its manifest will be typed as untrusted_app_32. Not all targetSdkVersion have a specific type, some version are skipped when no differences were introduced (see public/untrusted_app.te for more details).

The untrusted_app_all attribute can be used to reference all the types described in this section (that is, untrusted_app, untrusted_app_30, untrusted_app_32, etc.).

isolated_app

Apps may be restricted when using isolatedProcess=true in their manifest. In this case, they will be assigned the isolated_app type. A similar type isolated_compute_app exist for some restricted services.

Both types isolated_app and isolated_compute_app are grouped under the attribute isolated_app_all.

ephemeral_app

Apps that are run without installation. These are apps deployed for example via Google Play Instant. These are more constrained than untrusted_app.

sdk_sandbox

SDK runtime apps, installed as part of the Privacy Sandbox project. These are sandboxed to limit their communication channels.

platform_app

Apps that are signed with the platform key. These are installed within the system or vendor image. com.android.systemui is an example of an app running with this type.

system_app

Apps pre-installed on a device, signed by the platform key and running with the system UID. com.android.settings is an example of an app running with this type.

priv_app

Apps shipped as part of the device and installed in one of the /{system,vendor,product}/priv-app directories. com.google.android.apps.messaging is an example of an app running as priv_app. Permissions for these apps need to be explicitly granted, see https://source.android.com/docs/core/permissions/perms-allowlist for more details.