cd82557d40
All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
26 lines
956 B
Text
26 lines
956 B
Text
###
|
|
### Services with isolatedProcess=true in their manifest.
|
|
###
|
|
### This file defines the rules for isolated apps. An "isolated
|
|
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
|
### and AID_ISOLATED_END (99999).
|
|
###
|
|
### isolated_app includes all the appdomain rules, plus the
|
|
### additional following rules:
|
|
###
|
|
|
|
type isolated_app, domain;
|
|
app_domain(isolated_app)
|
|
|
|
# Access already open app data files received over Binder or local socket IPC.
|
|
allow isolated_app app_data_file:file { read write getattr };
|
|
|
|
# Isolated apps should not directly open app data files themselves.
|
|
neverallow isolated_app app_data_file:file open;
|
|
|
|
# Isolated apps shouldn't be able to access the driver directly.
|
|
neverallow isolated_app gpu_device:file { rw_file_perms execute };
|
|
|
|
allow isolated_app radio_service:service_manager find;
|
|
allow isolated_app surfaceflinger_service:service_manager find;
|
|
allow isolated_app system_server_service:service_manager find;
|