Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a782a816271e48e357faf93a61b4fde259da1e3b / . / private / untrusted_v2_app.te
blob: df37fdda3bc30d2a8dcd55dc0a4c15e261322564 [file] [log] [blame]
Chad Brubakera782a812017-02-06 10:31:45 -0800[diff] [blame^]1###
2### Untrusted v2 sandbox apps.
3###
4app_domain(untrusted_v2_app)
5net_domain(untrusted_v2_app)
6bluetooth_domain(untrusted_v2_app)
7
8# Read and write system app data files passed over Binder.
9# Motivating case was /data/data/com.android.settings/cache/*.jpg for
10# cropping or taking user photos.
11allow untrusted_v2_app system_app_data_file:file { read write getattr };
12
13# Access to /data/media.
14allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
15allow untrusted_v2_app media_rw_data_file:file create_file_perms;
16
17# Traverse into /mnt/media_rw for bypassing FUSE daemon
18# TODO: narrow this to just MediaProvider
19allow untrusted_v2_app mnt_media_rw_file:dir search;
20
21# allow cts to query all services
22allow untrusted_v2_app servicemanager:service_manager list;
23
24allow untrusted_v2_app audioserver_service:service_manager find;
25allow untrusted_v2_app cameraserver_service:service_manager find;
26allow untrusted_v2_app drmserver_service:service_manager find;
27allow untrusted_v2_app mediaserver_service:service_manager find;
28allow untrusted_v2_app mediaextractor_service:service_manager find;
29allow untrusted_v2_app mediacodec_service:service_manager find;
30allow untrusted_v2_app mediametrics_service:service_manager find;
31allow untrusted_v2_app mediadrmserver_service:service_manager find;
32allow untrusted_v2_app nfc_service:service_manager find;
33allow untrusted_v2_app radio_service:service_manager find;
34allow untrusted_v2_app surfaceflinger_service:service_manager find;
35# TODO: potentially provide a tighter list of services here
36allow untrusted_v2_app app_api_service:service_manager find;
37
38# gdbserver for ndk-gdb ptrace attaches to app process.
39allow untrusted_v2_app self:process ptrace;