Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ccf80144925c0b9b4a86f0eb81fa053998a12c5e^! / . / private / technical_debt.cil
commitccf80144925c0b9b4a86f0eb81fa053998a12c5e[log] [tgz]
authorCharles Chen <liangyuchen@google.com>Fri Jan 20 03:34:19 2023 +0000
committercharleschen <liangyuchen@google.com>Tue Jan 31 12:59:57 2023 +0000
tree8b87de0ef4c1b63f50ad60cb4cad56920a4a6dc0
parentcfdea5f4f3574385d739c1269e6c25783c109857 [diff] [blame]
Share isolated properties across islolated apps

Introduce isolated_app_all typeattribute to share policies between
isolated_app and future similar apps that wish to be enforced with
isolation properties.

Bug: 255597123
Test: m && presubmit
Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89

diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fcd4fe7..9d1740d 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil

@@ -7,37 +7,37 @@
 
 ; Apps, except isolated apps, are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_allocator_client;
+;     typeattribute { appdomain -isolated_app_all } hal_allocator_client;
 ;     typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
 (typeattributeset halclientdomain (hal_allocator_client))
 
 ; Apps, except isolated apps, are clients of OMX-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps, are clients of Codec2-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps, are clients of Graphics Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps, are clients of Cas HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Domains hosting Camera HAL implementations are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
@@ -46,8 +46,8 @@
 
 ; Apps, except isolated apps, are clients of Neuralnetworks HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
 ; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.