e9ac9ce0f3
In commit 7ba4801, the execute permission for all isolated_app was
removed. Grant it back to isolated_compute_app, which requires it.
The new treble test TestIsolatedAttributeConsistency is updated to
capture the new permission. See b/275263760.
Bug: 265960698
Bug: 275024392
Bug: 275263760
Test: atest CtsVoiceInteractionTestCases:android.voiceinteraction.cts.VoiceInteractionServiceTest
Change-Id: Ide27a7e351e8f53b0f5b1ad918a508d04ef515a1
###
### isolated_compute_app
###
### Rules for the isolated_compute_app domain: an isolated app that still needs
### to look up a small set of services through service manager and to use
### compute resources for processing data inside its sandbox. The domain is
### meant to keep data egress restricted so that what it processes stays
### private.
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###

type isolated_compute_app, domain;
typeattribute isolated_compute_app coredomain;

# Pull in the generic app rules first and the isolated_app restrictions on top
# of them. Everything that follows is an explicit carve-out from that baseline,
# so each rule below should be justified on its own.
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)

# Service-manager lookups. `find` only covers resolving the handle through
# servicemanager; nothing in this file grants the binder transactions that
# follow, those come from the baseline macros above (confirm against
# app_domain()/isolated_app_domain() when auditing).
allow isolated_compute_app {
  audioserver_service
  cameraserver_service
  content_capture_service
  device_state_service
  mediaserver_service
  speech_recognition_service
}:service_manager find;

# Camera support: hwbinder plus the allocator HAL, and read access to the
# system dmabuf heap for shared buffers.
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;

# Network: the domain may read/write TCP and UDP sockets that an app domain
# handed to it over IPC, without ioctl. No socket creation is granted by this
# rule; the "no new sockets" property relies on rw_socket_perms_no_ioctl not
# carrying `create` (confirm against global_macros) and on the isolated_app
# baseline.
allow isolated_compute_app { untrusted_app_all priv_app ephemeral_app }:{ udp_socket tcp_socket } { rw_socket_perms_no_ioctl };

# Executable code: toybox (b/275024392). This is the only executable this file
# grants to an otherwise isolated domain; keep it that way, and re-check whether
# it is still required once the linked bug is resolved.
allow isolated_compute_app toolbox_exec:file rx_file_perms;

#####
##### Neverallow
#####

# Intent: no hwservice access beyond what the camera path above needs.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
#
# NOTE(review): while this rule stays commented out, this file enforces no
# hwservice restriction of its own; an extra hwservice grant added above would
# not be rejected at policy build time by anything in this file.
# neverallow isolated_compute_app {
#   hwservice_manager_type
#   -hal_graphics_allocator_hwservice
#   -hal_graphics_mapper_hwservice
#   -hidl_allocator_hwservice
#   -hidl_manager_hwservice
#   -hidl_memory_hwservice
# }:hwservice_manager *;