eaa18ce0aa
Almost 1:1 of the sepolicy for ephemeral apps Test: make Bug: 203670791 Ignore-AOSP-First: Feature is developed in internal branch Change-Id: Ib085c49f29dab47268e479fe5266490a66adaa87
18 lines
817 B
Text
18 lines
817 B
Text
# Bind to ports.
|
|
allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
|
|
allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind;
|
|
allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind;
|
|
|
|
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
|
|
# untrusted_apps.
|
|
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
|
|
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
|
|
# to avoid app-compat breakage.
|
|
allow {
|
|
netdomain
|
|
-ephemeral_app
|
|
-mediaprovider
|
|
-supplemental_process
|
|
-untrusted_app_all
|
|
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
|
|
|