2013-07-13 01:33:29 +02:00
|
|
|
###
|
|
|
|
### Services with isolatedProcess=true in their manifest.
|
|
|
|
###
|
|
|
|
### This file defines the rules for isolated apps. An "isolated
|
|
|
|
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
|
|
|
### and AID_ISOLATED_END (99999).
|
|
|
|
###
|
|
|
|
### isolated_app includes all the appdomain rules, plus the
|
|
|
|
### additional following rules:
|
|
|
|
###
|
|
|
|
|
|
|
|
type isolated_app, domain;
|
|
|
|
app_domain(isolated_app)
|
2014-06-28 00:19:04 +02:00
|
|
|
|
2014-11-21 18:28:42 +01:00
|
|
|
# Access already open app data files received over Binder or local socket IPC.
|
2015-04-09 18:55:12 +02:00
|
|
|
allow isolated_app app_data_file:file { read write getattr lock };
|
2014-11-21 18:28:42 +01:00
|
|
|
|
2014-12-17 00:45:26 +01:00
|
|
|
allow isolated_app activity_service:service_manager find;
|
|
|
|
allow isolated_app display_service:service_manager find;
|
|
|
|
|
2015-06-06 00:28:55 +02:00
|
|
|
# only allow unprivileged socket ioctl commands
|
|
|
|
allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
|
|
|
|
|
2015-03-05 21:10:30 +01:00
|
|
|
#####
|
|
|
|
##### Neverallow
|
|
|
|
#####
|
|
|
|
|
|
|
|
# Isolated apps should not directly open app data files themselves.
|
|
|
|
neverallow isolated_app app_data_file:file open;
|
|
|
|
|
|
|
|
# b/17487348
|
|
|
|
# Isolated apps can only access two services,
|
|
|
|
# activity_service and display_service
|
|
|
|
neverallow isolated_app {
|
|
|
|
service_manager_type
|
2014-12-17 00:45:26 +01:00
|
|
|
-activity_service
|
|
|
|
-display_service
|
|
|
|
}:service_manager find;
|
2015-04-09 23:31:16 +02:00
|
|
|
|
|
|
|
# Isolated apps shouldn't be able to access the driver directly.
|
|
|
|
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
|