Add untrusted_app_27
This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.
Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.
Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9fc98bb42956198e9f54cabde69464339)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
new file mode 100644
index 0000000..79c7762
--- /dev/null
+++ b/private/untrusted_app_27.te
@@ -0,0 +1,28 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_27 domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_27 coredomain;
+
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)