platform_system_sepolicy/isolated_app.te

43 lines
1.5 KiB
Text
Raw Normal View History

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
type isolated_app, domain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { read write getattr };
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:file { rw_file_perms execute };
allow isolated_app radio_service:service_manager find;
allow isolated_app surfaceflinger_service:service_manager find;
allow isolated_app system_server_service:service_manager find;
allow isolated_app tmp_system_server_service:service_manager find;
# address tmp_system_server_service accesses
allow isolated_app activity_service:service_manager find;
allow isolated_app connectivity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app dropbox_service:service_manager find;
service_manager_local_audit_domain(isolated_app)
auditallow isolated_app {
tmp_system_server_service
-activity_service
-connectivity_service
-display_service
-dropbox_service
}:service_manager find;