commit c8ab3593d02f5bd473453b7eb955d7ea6c7229b4
author Charles Chen <liangyuchen@google.com> Mon Apr 17 22:33:40 2023 +0000
committer Charles Chen <liangyuchen@google.com> Thu Apr 20 05:39:29 2023 +0000
tree e6cf693e92865adda5c39e1393b9edae9dc4dcb5
parent aff0f533983d988ce77901d4608028e891804406

Move isolated_compute_app to be public

This will allow vendor customization of isolated_compute_app. New permissions added should be associated with isolated_compute_allowed.

Bug: 274535894
Test: m
Change-Id: I4239228b80544e6f5ca1dd68ae1f44c0176d1bce

private/isolated_compute_app.te

diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 4ed4b36..cdddd38 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -8,19 +8,14 @@
 ###
 ### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
 ###
-type isolated_compute_app, domain;
 
 typeattribute isolated_compute_app coredomain;
 
 app_domain(isolated_compute_app)
 isolated_app_domain(isolated_compute_app)
 
-allow isolated_compute_app audioserver_service:service_manager find;
-allow isolated_compute_app cameraserver_service:service_manager find;
-allow isolated_compute_app content_capture_service:service_manager find;
-allow isolated_compute_app device_state_service:service_manager find;
-allow isolated_compute_app speech_recognition_service:service_manager find;
-allow isolated_compute_app mediaserver_service:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_services:service_manager find;
+allow isolated_compute_app isolated_compute_allowed_devices:chr_file { read write ioctl map };
 
 # Enable access to hardware services for camera functionalilites
 hal_client_domain(isolated_compute_app, hal_allocator)