microdroid/system/private/microdroid_app.te - platform/system/sepolicy - Git at Google

 # microdroid_app is a domain for microdroid_launcher, which is a binary that
 # loads a shared library from an apk and executes it by calling an entry point
 # in the library. This can be considered as the native counterpart of
 # app_process for Java.
 #
 # Both microdroid_launcher and payload from the shared library run in the
 # context of microdroid_app.

 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;

 # Talk to binder services (for keystore)
 binder_use(microdroid_app);

 # Allow payloads to use keystore
 use_keystore(microdroid_app);

 # Allow payloads to use and manage their keys
 allow microdroid_app vm_payload_key:keystore2_key {
     delete
     get_info
     manage_blob
     rebind
     use
 };
	# microdroid_app is a domain for microdroid_launcher, which is a binary that
	# loads a shared library from an apk and executes it by calling an entry point
	# in the library. This can be considered as the native counterpart of
	# app_process for Java.
	#
	# Both microdroid_launcher and payload from the shared library run in the
	# context of microdroid_app.

	type microdroid_app, domain, coredomain, microdroid_payload;
	type microdroid_app_exec, exec_type, file_type, system_file_type;

	# Talk to binder services (for keystore)
	binder_use(microdroid_app);

	# Allow payloads to use keystore
	use_keystore(microdroid_app);

	# Allow payloads to use and manage their keys
	allow microdroid_app vm_payload_key:keystore2_key {
	delete
	get_info
	manage_blob
	rebind
	use
	};