###
### isolated_compute_apps.
###
### This file defines the rules for isolated apps that require permission to
### gather data through the service manager and need computational resources
### to speed up data processing inside a sandbox. The isolated_compute_app
### domain restricts data egress to protect privacy.
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###

# Tag the domain with the coredomain attribute.
typeattribute isolated_compute_app coredomain;

# Both macros are defined outside this file; the effective grant set of this
# domain is these macro expansions plus the explicit rules below.
# NOTE(review): read the macro definitions before judging how tight the
# sandbox is — this file alone does not show the full policy.
app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)

# Service lookup and character-device access are scoped by attribute rather
# than by individual type: only types carrying isolated_compute_allowed_service
# can be found, and only devices carrying isolated_compute_allowed_device can
# be read/written/ioctl'd/mapped.
# NOTE(review): the attribute memberships live elsewhere; adding a type to
# either attribute widens this sandbox without touching this file, so treat
# those assignments as part of the review surface.
allow isolated_compute_app isolated_compute_allowed_service:service_manager find;
allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };

# Enable access to hardware services for camera functionalities
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)

hal_client_domain(isolated_compute_app, hal_codec2)

# Read-only access to the system dma-buf heap device.
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;

# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
# The rule covers only tcp/udp sockets labelled with one of the listed app
# domains, and uses the permission set without ioctl.
# NOTE(review): rw_socket_perms_no_ioctl is defined outside this file; confirm
# its expansion omits `create` as the comment above states, and check which
# other socket operations it carries. A socket handed over by one of these
# domains is a network path out of the sandbox, so the egress restriction in
# the header depends on how the sending app sets it up — TODO confirm.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

# Allow access to the toybox: b/275024392
# rx_file_perms permits reading and executing files labelled toolbox_exec.
# NOTE(review): the justification is only in the referenced bug; confirm that
# executing these utilities inside the sandbox is still required.
allow isolated_compute_app toolbox_exec:file rx_file_perms;

# Grant GPU access to isolated_compute_app as it is required for acceleration.
# NOTE(review): read/write on gpu_device exposes the GPU driver interface to
# this sandbox; keep these grants limited to what acceleration needs.
allow isolated_compute_app gpu_device:chr_file rw_file_perms;
allow isolated_compute_app gpu_device:dir r_dir_perms;
allow isolated_compute_app sysfs_gpu:file r_file_perms;


#####
##### Neverallow
#####

# Do not allow isolated_compute_app to access hardware service except for the
# ones necessary for camera service.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
#
# NOTE(review): the rule below is commented out, so this file currently has no
# build-time guard on hardware-service access for this domain. The exception
# list names no codec2 hwservice although hal_codec2 is granted above;
# presumably the list needs updating before the rule is enabled — confirm.
# neverallow isolated_compute_app {
#     hwservice_manager_type
#     -hal_graphics_allocator_hwservice
#     -hal_graphics_mapper_hwservice
#     -hidl_allocator_hwservice
#     -hidl_manager_hwservice
#     -hidl_memory_hwservice
# }:hwservice_manager *;
