5b00f22349
r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te; delete it from isolated_app.te. binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it. Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###

# Declare the domain; app_domain() below pulls in the shared appdomain
# rules (defined elsewhere), so only rules specific to isolated
# processes are listed in this file.
type isolated_app, domain;
# NOTE(review): a permissive domain has denials audited but not blocked,
# so nothing in this file is actually enforced until this line is
# removed. Review the audit log for this domain before making it
# enforcing, so that the remaining rules are known to be sufficient.
permissive isolated_app;
app_domain(isolated_app)

# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
# Only read/write on an already-open socket is granted here; no rule in
# this file lets isolated_app create or connect such a socket itself.
allow isolated_app appdomain:unix_stream_socket { read write };

# Execute permission on files labeled dalvikcache_data_file (presumably
# the compiled dex cache -- confirm). Because this is an execute grant,
# whichever domains may write that label (rules live elsewhere) effectively
# control what isolated_app can execute.
allow isolated_app dalvikcache_data_file:file execute;
# Only getattr on apk_data_file directories is granted in this file; no
# read or search is added here.
allow isolated_app apk_data_file:dir getattr;

# NOTE(review): no open/connectto to init is granted here, so these are
# presumably descriptors inherited from init at process creation rather
# than opened by isolated_app -- confirm against how the isolated process
# is spawned.
allow isolated_app init:unix_stream_socket { read write getattr getopt };
allow isolated_app init_tmpfs:file read;