### ### isolated_compute_apps. ### ### This file defines the rules for isolated apps that requires the permission ### to gather data with service manager and require computational resources to ### improve the performance to process data under a sandbox. This ### isolated_compute_app restricts data egress to protect the privacy. ### ### TODO(b/266923392): Clean rules for isolated_compute_app characteristics ### type isolated_compute_app, domain; typeattribute isolated_compute_app coredomain; app_domain(isolated_compute_app) isolated_app_domain(isolated_compute_app) allow isolated_compute_app audioserver_service:service_manager find; allow isolated_compute_app cameraserver_service:service_manager find; allow isolated_compute_app content_capture_service:service_manager find; allow isolated_compute_app device_state_service:service_manager find; allow isolated_compute_app speech_recognition_service:service_manager find; allow isolated_compute_app mediaserver_service:service_manager find; # Enable access to hardware services for camera functionalilites hal_client_domain(isolated_compute_app, hal_allocator) hwbinder_use(isolated_compute_app) allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms; # Allow access to network sockets received over IPC. New socket creation is not # permitted. allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; ##### ##### Neverallow ##### # Do not allow isolated_compute_app to access hardware service except for the # ones necessary for camera service. # TODO (b/266555480): The permission should be guarded by compliance test. # Remove the negation for member domains when refactorization is done. # neverallow isolated_compute_app { # hwservice_manager_type # -hal_graphics_allocator_hwservice # -hal_graphics_mapper_hwservice # -hidl_allocator_hwservice # -hidl_manager_hwservice # -hidl_memory_hwservice # }:hwservice_manager *;