Grant appdomain access to app_api_service The original idea was to compartmentalize services for apps to access. ex. an app that manage display brightness should not have access to audio service. However, identifying all services is hard and we often end up granting app_api_service in practice to avoid unexpected crashes. Bug: 147198856 Test: Remove device app_api_service related sepolicy and related process remain functional Change-Id: I3aafcf1a91847a97c86f1d7992653b806a713bd4

commit: d5a0edd75efb37c8f14905fd705da58058e4c22e [log] [tgz]
author: Adam Shih <adamshih@google.com> Tue Jan 07 08:19:42 2020 +0800
committer: Adam Shih <adamshih@google.com> Tue Jan 07 09:59:34 2020 +0800
tree: 7b0db46ed97fe8e3cbbe9a15d5501621a308eb90
parent: 4c37de9b44432b6ac164aa9dd2513a4961146333 [diff]
diff --git a/public/app.te b/public/app.te
index b771b5f..e4eee82 100644
--- a/public/app.te
+++ b/public/app.te

@@ -50,6 +50,9 @@
 # child shell or gdbserver pty access for runas.
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
+# Allow appdomain to access app_api_service
+allow { appdomain -isolated_app } app_api_service:service_manager find;
+
 # Use pipes and sockets provided by system_server via binder or local socket.
 allow appdomain system_server:fd use;
 allow appdomain system_server:fifo_file rw_file_perms;
commit	d5a0edd75efb37c8f14905fd705da58058e4c22e	[log] [tgz]
author	Adam Shih <adamshih@google.com>	Tue Jan 07 08:19:42 2020 +0800
committer	Adam Shih <adamshih@google.com>	Tue Jan 07 09:59:34 2020 +0800
tree	7b0db46ed97fe8e3cbbe9a15d5501621a308eb90
parent	4c37de9b44432b6ac164aa9dd2513a4961146333 [diff]