###
### isolated_compute_apps.
###
### This file defines the rules for isolated apps that require the permission
### to gather data with service manager and require computational resources to
### improve the performance to process data under a sandbox. This
### isolated_compute_app restricts data egress to protect the privacy.
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###

# Platform-side domain: carries the coredomain attribute.
typeattribute isolated_compute_app coredomain;

# Inherit the common app-domain rules plus the isolated-app restrictions. Both
# macros are defined elsewhere in sepolicy; the baseline they grant and deny is
# not visible in this file.
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)

# Services and device nodes reachable from the sandbox are opt-in: only types
# carrying the isolated_compute_allowed_service / isolated_compute_allowed_device
# attributes are exposed. Every type that gains one of these attributes widens
# the sandbox, so attribute membership should be reviewed together with this
# file.
allow isolated_compute_app isolated_compute_allowed_service:service_manager find;
# NOTE(review): ioctl is granted with no allowxperm filter in this file, so
# every ioctl command on these device nodes is permitted unless an xperm rule
# elsewhere narrows it.
allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };

# Enable access to hardware services for camera functionalities (HIDL allocator
# client plus hwbinder).
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)

# Read-only access to the system dmabuf heap device node.
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;

# Allow access to network sockets received over IPC. New socket creation is not
# permitted: the permission set excludes create, and ioctl is excluded as well.
# The target types are app domains because a socket carries the type of the
# domain that created it.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

# Allow access to the toybox: b/275024392
allow isolated_compute_app toolbox_exec:file rx_file_perms;

#####
##### Neverallow
#####

# Do not allow isolated_compute_app to access hardware service except for the
# ones necessary for camera service.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
# NOTE(review): the rule below is commented out, so this file does not enforce
# the restriction; hwservice reachability is bounded only by the allow rules
# above and by whatever isolated_app_domain denies.
# neverallow isolated_compute_app {
# hwservice_manager_type
#  -hal_graphics_allocator_hwservice
#  -hal_graphics_mapper_hwservice
#  -hidl_allocator_hwservice
#  -hidl_manager_hwservice
#  -hidl_memory_hwservice
# }:hwservice_manager *;
49