1### 2### isolated_apps. 3### 4### This file defines the rules for isolated apps that does not wish to use 5### service managers and does not require extra computational resources. 6### 7 8typeattribute isolated_app coredomain; 9 10app_domain(isolated_app) 11isolated_app_domain(isolated_app) 12 13allow isolated_app webviewupdate_service:service_manager find; 14 15# Allow access to network sockets received over IPC. New socket creation is not 16# permitted. 17allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; 18 19# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps 20# by other processes. Open should never be allowed, and is blocked by 21# neverallow rules in isolated_app_all attribute. 22# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs 23# is modified to change the secontext when accessing the lower filesystem. 24allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map }; 25 26# For webviews, isolated_app processes can be forked from the webview_zygote 27# in addition to the zygote. Allow access to resources inherited from the 28# webview_zygote process. These rules are specialized copies of the ones in app.te. 29# Inherit FDs from the webview_zygote. 30allow isolated_app webview_zygote:fd use; 31# Notify webview_zygote of child death. 32allow isolated_app webview_zygote:process sigchld; 33# Inherit logd write socket. 34allow isolated_app webview_zygote:unix_dgram_socket write; 35# Read system properties managed by webview_zygote. 36allow isolated_app webview_zygote_tmpfs:file read; 37