###
### isolated_compute_apps.
###
### This file defines the rules for isolated apps that require the permission
### to gather data with service manager and require computational resources to
### improve the performance to process data under a sandbox. This
### isolated_compute_app restricts data egress to protect the privacy.
###
### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
###

typeattribute isolated_compute_app coredomain;

app_domain(isolated_compute_app)
isolated_app_domain(isolated_compute_app)

allow isolated_compute_app isolated_compute_allowed_service:service_manager find;
allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map };

# Enable access to hardware services for camera functionalities
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)

hal_client_domain(isolated_compute_app, hal_codec2)

allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;

# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

# Allow access to the toybox: b/275024392
allow isolated_compute_app toolbox_exec:file rx_file_perms;

# Grant GPU access to isolated_compute_app as it is required for acceleration.
allow isolated_compute_app gpu_device:chr_file rw_file_perms;
allow isolated_compute_app gpu_device:dir r_dir_perms;
allow isolated_compute_app sysfs_gpu:file r_file_perms;


#####
##### Neverallow
#####

# Do not allow isolated_compute_app to access hardware service except for the
# ones necessary for camera service.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
# neverallow isolated_compute_app {
#     hwservice_manager_type
#     -hal_graphics_allocator_hwservice
#     -hal_graphics_mapper_hwservice
#     -hidl_allocator_hwservice
#     -hidl_manager_hwservice
#     -hidl_memory_hwservice
# }:hwservice_manager *;