platform_system_sepolicy/private/isolated_compute_app.te
Charles Chen 3e9f05faa3 Extension of isolated_compute_app for media services.
Support media use cases in isolated_compute_app such as decoding with MediaCodecs.

Bug:266943251
Test: m &&  manual - sample app with IsolatedProcess=True can use MediaCodec.

Change-Id: I864dcfb16494efada2fbd2a7d34b5d7f6b8128cb
2023-02-08 15:48:25 -08:00


###
### isolated_compute_apps.
###
### This file defines the rules for isolated apps that require permission
### to find services through the service manager and need computational
### resources to process data efficiently inside a sandbox. The
### isolated_compute_app domain restricts data egress to protect privacy.
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###
# Domain declaration: a coredomain app domain that inherits the generic app
# rules (app_domain) and the isolated-process restrictions
# (isolated_app_domain). Everything below is added on top of that baseline.
type isolated_compute_app, domain;
typeattribute isolated_compute_app coredomain;
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)
# Service-manager lookups ("find") granted to this domain. Only lookup is
# granted here; the ability to talk to the found service is governed by the
# binder rules pulled in by the macros above.
# mediaserver_service is presumably the addition this change makes for the
# MediaCodec use case (see commit message) - confirm against the diff.
allow isolated_compute_app audioserver_service:service_manager find;
allow isolated_compute_app cameraserver_service:service_manager find;
allow isolated_compute_app content_capture_service:service_manager find;
allow isolated_compute_app device_state_service:service_manager find;
allow isolated_compute_app speech_recognition_service:service_manager find;
allow isolated_compute_app mediaserver_service:service_manager find;
# Enable access to hardware services for camera functionalities:
# hal_allocator client access, hwbinder use, and read-only access to the
# system dmabuf heap device (r_file_perms, so no write or ioctl-based mapping
# beyond what that macro grants).
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
# NOTE(review): this is the one data-egress path this file opens. The sockets
# must already be owned by one of the listed app domains and be handed over
# an IPC channel; rw_socket_perms_no_ioctl deliberately leaves out ioctl. Any
# widening of the source-domain set or the permission set here changes the
# privacy posture described in the file header and should be reviewed as such.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
#####
##### Neverallow
#####
# Do not allow isolated_compute_app to access hardware service except for the
# ones necessary for camera service.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
# NOTE(review): the neverallow below is commented out, so the compiler does
# not currently enforce the restriction stated above. Until b/266555480 is
# resolved, hwservice reachability from this domain is bounded only by the
# hal_client_domain / hwbinder_use grants above; keep that in mind when
# adding further hal_client_domain lines.
# neverallow isolated_compute_app {
# hwservice_manager_type
# -hal_graphics_allocator_hwservice
# -hal_graphics_mapper_hwservice
# -hidl_allocator_hwservice
# -hidl_manager_hwservice
# -hidl_memory_hwservice
# }:hwservice_manager *;