###
### isolated_apps.
###
### This file defines the rules for isolated apps that do not wish to use
### service managers and do not require extra computational resources.
###

typeattribute isolated_app coredomain;

app_domain(isolated_app)
isolated_app_domain(isolated_app)

allow isolated_app webviewupdate_service:service_manager find;

# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules in the isolated_app_all attribute.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };

# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
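The following is an added policy check, not part of AOSP sepolicy, that parses the allow rules above and verifies the invariant the comments describe: isolated_app may use inherited socket and sdcard file descriptors but is never granted open on those files or create on sockets. The MACROS expansion table is an assumption about global_macros.te, and the embedded POLICY string is a copy of this file's rules; a real audit would run sesearch on the compiled policy, which also covers neverallow rules and attribute membership.

```python
import re

# Sample input (the isolated_app allow rules from this file) so the check runs offline.
POLICY = """
allow isolated_app webviewupdate_service:service_manager find;
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
allow isolated_app webview_zygote:fd use;
allow isolated_app webview_zygote:process sigchld;
allow isolated_app webview_zygote:unix_dgram_socket write;
allow isolated_app webview_zygote_tmpfs:file read;
"""

# Assumption: expansion of the global_macros.te macro used above. 'create' is
# absent, which is what "new socket creation is not permitted" relies on.
MACROS = {
    "rw_socket_perms_no_ioctl": {"read", "getattr", "write", "setattr", "lock", "append",
                                 "bind", "connect", "getopt", "setopt", "shutdown", "map"},
}

# Permissions the comments above say must never reach isolated_app: opening or
# creating files (only inherited FDs may be used) and creating sockets.
FORBIDDEN = {"file": {"open", "create"}, "tcp_socket": {"create"}, "udp_socket": {"create"}}

# A token is either a braced set "{ a b c }" or a single identifier.
_TOK = r"(\{[^}]*\}|[\w.\-]+)"
_RULE = re.compile(r"^allow\s+%s\s+%s:%s\s+%s\s*;" % (_TOK, _TOK, _TOK, _TOK), re.M)


def _split(tok):
    return tok.strip("{} ").split()


def parse_allow_rules(policy):
    """Expand braces and macros; return one (src, tgt, cls, perms) per combination."""
    rules = []
    for m in _RULE.finditer(policy):
        src, tgt, cls, perms = (_split(g) for g in m.groups())
        expanded = set()
        for p in perms:
            expanded |= MACROS.get(p, {p})  # unknown macro names stay opaque
        rules.extend((s, t, c, expanded) for s in src for t in tgt for c in cls)
    return rules


def find_violations(policy, domain="isolated_app"):
    """Return (src, tgt, cls, perm) for every forbidden permission granted to domain."""
    return [(s, t, c, perm)
            for s, t, c, perms in parse_allow_rules(policy) if s == domain
            for perm in sorted(perms & FORBIDDEN.get(c, set()))]
```

Macro names not in MACROS are left unexpanded, so a rule that hides `create` behind an unknown macro is not flagged; extend the table or resolve macros with m4 first.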