Restrict sandbox access to drmservice
Bug: 226390597 Test: atest SdkSandboxRestrictionsTest Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3
parent
ee0b51e099
commit
85dfe313e5
2 changed files with 4 additions and 2 deletions
|
@ -85,3 +85,5 @@ neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
|
||||||
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
||||||
|
|
||||||
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
||||||
|
|
||||||
|
neverallow sdk_sandbox hal_drm_service:service_manager find;
|
||||||
|
|
|
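Review bot: The added `neverallow sdk_sandbox hal_drm_service:service_manager find;` asserts only the service_manager lookup and carries no comment saying why the sandbox is denied DRM. If the DRM HAL is also registered with hwservicemanager on this branch (AOSP defines `hal_drm_hwservice` for that), it is worth checking whether a companion `neverallow sdk_sandbox hal_drm_hwservice:hwservice_manager find;` is needed so a later allow rule cannot reopen that path; this is inferred, since the hunk does not show the HAL's attribute definitions. A one-line comment above the rule, such as `# SDK sandbox must not look up DRM HAL services; it is also excluded from hal_drm_client`, would tie it to the attribute change made in the other file of this commit.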
@ -20,9 +20,9 @@
|
||||||
; Unfortunately, we can't currently express this in module policy language:
|
; Unfortunately, we can't currently express this in module policy language:
|
||||||
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
|
(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
|
||||||
|
|
||||||
; Apps, except isolated apps, are clients of Drm-related services
|
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
|
||||||
; Unfortunately, we can't currently express this in module policy language:
|
; Unfortunately, we can't currently express this in module policy language:
|
||||||
(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
|
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
|
||||||
|
|
||||||
; Apps, except isolated apps, are clients of Configstore HAL
|
; Apps, except isolated apps, are clients of Configstore HAL
|
||||||
; Unfortunately, we can't currently express this in module policy language:
|
; Unfortunately, we can't currently express this in module policy language:
|
||||||
|
|
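Review bot: The new exclusion `(not (or (isolated_app) (sdk_sandbox)))` on `hal_drm_client` has no pointer to the neverallow that backs it, so a later edit to either file gives no hint that the two must change together. The updated comment could say so, e.g. `; SDK sandboxes are excluded; a neverallow on hal_drm_service in the sdk_sandbox policy enforces this`. The `hal_codec2_client` set just above still excludes only `isolated_app`, so the sandbox presumably remains a codec2 client. If that is deliberate, a word in that comment would save the next reviewer from wondering, as the hunk does not show the reasoning.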