Create a separate domain for VzwOmaTrigger

This creates a new vzwomatrigger_app domain. The domain is currently in permissive mode (for userdebug and eng builds), while we observe the SELinux denials generated and update permissions. Bug: 142672293 Test: Build, flash, boot successfully Change-Id: I552df772b66e8e7edb1ccee754d1ea8dd1acece0
2019-11-14 14:00:30 -08:00 · 2019-11-14 14:00:30 -08:00 · c77ff3727c
commit c77ff3727c
parent 64e36cf38d
2 changed files with 15 additions and 0 deletions
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -158,6 +158,7 @@ user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
--- a/private/vzwomatrigger_app.te
+++ b/private/vzwomatrigger_app.te
@ -0,0 +1,14 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `vzwomatrigger_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive vzwomatrigger_app;')
+
+app_domain(vzwomatrigger_app)