#
# Domains for apps that do not run with one of the predefined
# platform UIDs (system, radio, nfc, ...).
#
# Review notes for the whole file:
#  - Every domain below is declared `permissive`. For a permissive type the
#    kernel logs AVC denials but does not enforce them, so these types label
#    app processes without confining them.
#  - Every domain is also passed to unconfined_domain(). The macro is defined
#    outside this file; presumably it grants broad allow rules - confirm
#    against the macro definitions.
#  - app_domain(), platform_app_domain(), net_domain() and bluetooth_domain()
#    are likewise macros defined elsewhere; the comments here describe them
#    only as far as this file does.
#  - The mapping from signing certificate to domain is not in this file
#    (presumably the seapp_contexts / MAC permissions configuration - confirm).
#  - To move a domain to enforcing: collect its AVC denials from the audit
#    log, replace unconfined_domain() with the specific allow rules those
#    denials justify, then drop the `permissive` line for that domain.
#

#
# Apps signed with the platform key.
#
type platform_app, domain;
# Denials are logged, not enforced, for this domain.
permissive platform_app;
app_domain(platform_app)
platform_app_domain(platform_app)
# Access the network.
net_domain(platform_app)
# Access bluetooth.
bluetooth_domain(platform_app)
unconfined_domain(platform_app)

# Apps signed with the media key.
type media_app, domain;
# Denials are logged, not enforced, for this domain.
permissive media_app;
app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
net_domain(media_app)
# No bluetooth_domain() here, unlike the other key-signed domains. While the
# domain is permissive and unconfined the omission has no enforced effect.
unconfined_domain(media_app)

# Apps signed with the shared key.
type shared_app, domain;
# Denials are logged, not enforced, for this domain.
permissive shared_app;
app_domain(shared_app)
platform_app_domain(shared_app)
# Access the network.
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
unconfined_domain(shared_app)

# Apps signed with the release key (testkey in AOSP).
# NOTE(review): the AOSP test keys are published with the source tree, so a
# build that still signs with testkey cannot treat this domain as a trust
# boundary - confirm production builds use their own release key.
type release_app, domain;
# Denials are logged, not enforced, for this domain.
permissive release_app;
app_domain(release_app)
platform_app_domain(release_app)
# Access the network.
net_domain(release_app)
# Access bluetooth.
bluetooth_domain(release_app)
unconfined_domain(release_app)

# Services with isolatedProcess=true in their manifest.
# In order for isolated_apps to interact with apps that have levelFromUid=true
# set it must be an mlstrustedsubject.
# NOTE(review): mlstrustedsubject is an attribute whose effect is set by the
# MLS constraints (not shown); presumably it exempts the subject from MLS
# separation - confirm. That is a broad exemption for a domain meant to hold
# the least-privileged processes, so revisit it when this domain is enforced.
type isolated_app, domain, mlstrustedsubject;
# Denials are logged, not enforced, for this domain.
permissive isolated_app;
app_domain(isolated_app)
# No net_domain() or bluetooth_domain() for isolated services; with
# unconfined_domain() below and permissive mode this is not yet enforced.
unconfined_domain(isolated_app)

#
# Untrusted apps.
#
# NOTE(review): presumably the domain for third-party apps (confirm against
# the seapp_contexts mapping). Nothing in this file restricts it while it is
# permissive and unconfined, so it should be the first candidate for specific
# allow rules and enforcing mode.
type untrusted_app, domain;
# Denials are logged, not enforced, for this domain.
permissive untrusted_app;
app_domain(untrusted_app)
# Access the network.
net_domain(untrusted_app)
# Access bluetooth.
bluetooth_domain(untrusted_app)
unconfined_domain(untrusted_app)