The policy defines multiple types and attributes for apps. This document is a
high-level overview of these. For further details on each type, refer to their
specific files in the public/ and private/ directories.

## appdomain
In general, all apps will have the `appdomain` attribute. You can think of
`appdomain` as any app started by Zygote. The macro `app_domain()` should be
used to define a type that is considered an app (see public/te_macros).

## untrusted_app
Third-party apps (for example, installed from the Play Store) targeting the
most recent SDK version will be typed as `untrusted_app`. This is the default
domain for apps, unless more specific criteria apply.

When an app is targeting a previous SDK version, it may have the
`untrusted_app_xx` type where xx is the targetSdkVersion. For instance, an app
with `targetSdkVersion = 32` in its manifest will be typed as `untrusted_app_32`.
Not all targetSdkVersion values have a specific type; some versions are skipped
when no differences were introduced (see public/untrusted_app.te for more details).

The `untrusted_app_all` attribute can be used to reference all the types
described in this section (that is, `untrusted_app`, `untrusted_app_30`,
`untrusted_app_32`, etc.).

## isolated_app
Apps may be restricted when using isolatedProcess=true in their manifest. In
this case, they will be assigned the `isolated_app` type. A similar type,
`isolated_compute_app`, exists for some restricted services.

Both types `isolated_app` and `isolated_compute_app` are grouped under the
attribute `isolated_app_all`.

## ephemeral_app
Apps that are run without installation. These are apps deployed, for example, via
Google Play Instant. These are more constrained than `untrusted_app`.

## sdk_sandbox
SDK runtime apps, installed as part of the Privacy Sandbox project. These are
sandboxed to limit their communication channels.

## platform_app
Apps that are signed with the platform key. These are installed within the
system or vendor image. com.android.systemui is an example of an app running
with this type.

## system_app
Apps pre-installed on a device, signed by the platform key and running with the
system UID. com.android.settings is an example of an app running with this
type.

## priv_app
Apps shipped as part of the device and installed in one of the
`/{system,vendor,product}/priv-app` directories.
com.google.android.apps.messaging is an example of an app running as `priv_app`.
Permissions for these apps need to be explicitly granted; see
https://source.android.com/docs/core/permissions/perms-allowlist for more
details.
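
To check which of the types above running processes were actually assigned, the SELinux label column of `adb shell ps -AZ` can be grouped by these categories. This is an added example, not part of the AOSP policy sources; the `classify` helper, the sample rows and the `com.example.*` package names are constructed for illustration.

```python
import re
from collections import defaultdict

# Types named in this document, mapped to the attribute that groups them
# (or to themselves). Any other type, app or not, is reported as "other".
GROUP = {
    "untrusted_app": "untrusted_app_all",
    "isolated_app": "isolated_app_all",
    "isolated_compute_app": "isolated_app_all",
}
GROUP.update({t: t for t in ("ephemeral_app", "sdk_sandbox", "platform_app",
                             "system_app", "priv_app")})
LEGACY = re.compile(r"untrusted_app_(\d+)")  # untrusted_app_xx, xx = targetSdkVersion
CONTEXT = re.compile(r"u:r:(\w+):")          # label layout is user:role:type:level

def classify(ps_output):
    """Return (groups, legacy): process names per category, and
    {process: targetSdkVersion} for processes typed untrusted_app_xx."""
    groups, legacy = defaultdict(list), {}
    for line in ps_output.splitlines():
        fields = line.split()
        m = CONTEXT.match(fields[0]) if len(fields) > 1 else None
        if not m:  # header, blank or malformed row
            continue
        setype, name = m.group(1), fields[-1]
        old = LEGACY.fullmatch(setype)
        if old:
            groups["untrusted_app_all"].append(name)
            legacy[name] = int(old.group(1))
        else:
            groups[GROUP.get(setype, "other")].append(name)
    return dict(groups), legacy

# Constructed sample in the layout of `adb shell ps -AZ`, with fewer columns.
SAMPLE = """\
LABEL                                       USER     PID PPID NAME
u:r:init:s0                                 root       1    0 init
u:r:platform_app:s0:c512,c768               u0_a120 1801  900 com.android.systemui
u:r:system_app:s0                           system  2210  900 com.android.settings
u:r:untrusted_app:s0:c201,c256,c512,c768    u0_a201 3120  900 com.example.current
u:r:untrusted_app_32:s0:c202,c256,c512,c768 u0_a202 3177  900 com.example.legacy
u:r:isolated_app:s0:c512,c768               u0_i3   3302  900 com.example.current:sandboxed0
"""

if __name__ == "__main__":
    groups, legacy = classify(SAMPLE)
    for category, names in sorted(groups.items()):
        print(f"{category}: {', '.join(names)}")
    print("untrusted_app_xx processes:", legacy)
```

The `legacy` mapping lists processes running under an `untrusted_app_xx` type, which is a quick way to find installed apps that still target an older SDK version.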