platform_system_sepolicy/isolated_app.te
Riley Spahn 4a24475b9d Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc20509)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
2014-07-18 12:24:36 -07:00

29 lines
849 B
Text

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
type isolated_app, domain;
app_domain(isolated_app)
net_domain(isolated_app)
# read and write access to app_data_file is already
# granted via app.te. Allow execute.
# Needed to allow dlopen() from Chrome renderer processes.
# See b/15902433 for details.
allow isolated_app app_data_file:file execute;
# Audited locally.
service_manager_local_audit_domain(isolated_app)
auditallow isolated_app {
service_manager_type
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;