| Alex Klyubin | a390397 | 2017-01-05 16:06:54 -0800 | [diff] [blame] | 1 | ### |
| Charles Chen | ccf8014 | 2023-01-20 03:34:19 +0000 | [diff] [blame] | 2 | ### isolated_apps. |
| Alex Klyubin | a390397 | 2017-01-05 16:06:54 -0800 | [diff] [blame] | 3 | ### |
| Charles Chen | ccf8014 | 2023-01-20 03:34:19 +0000 | [diff] [blame] | 4 | ### This file defines the rules for isolated apps that does not wish to use |
| 5 | ### service managers and does not require extra computational resources. |
| Alex Klyubin | a390397 | 2017-01-05 16:06:54 -0800 | [diff] [blame] | 6 | ### |
| 7 | |
| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 8 | typeattribute isolated_app coredomain; |
| 9 | |
| dcashman | 3e8dbf0 | 2016-12-08 11:23:34 -0800 | [diff] [blame] | 10 | app_domain(isolated_app) |
| Charles Chen | ccf8014 | 2023-01-20 03:34:19 +0000 | [diff] [blame] | 11 | isolated_app_domain(isolated_app) |
| Charles Chen | 3d4a6b7 | 2023-01-17 08:16:44 +0000 | [diff] [blame] | 12 | |
| 13 | allow isolated_app webviewupdate_service:service_manager find; |
| 14 | |
| 15 | # Allow access to network sockets received over IPC. New socket creation is not |
| 16 | # permitted. |
| 17 | allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; |
| 18 | |
| 19 | # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps |
| 20 | # by other processes. Open should never be allowed, and is blocked by |
| 21 | # neverallow rules in isolated_app_all attribute. |
| 22 | # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs |
| 23 | # is modified to change the secontext when accessing the lower filesystem. |
| 24 | allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map }; |
| 25 | |
| 26 | # For webviews, isolated_app processes can be forked from the webview_zygote |
| 27 | # in addition to the zygote. Allow access to resources inherited from the |
| 28 | # webview_zygote process. These rules are specialized copies of the ones in app.te. |
| 29 | # Inherit FDs from the webview_zygote. |
| 30 | allow isolated_app webview_zygote:fd use; |
| 31 | # Notify webview_zygote of child death. |
| 32 | allow isolated_app webview_zygote:process sigchld; |
| 33 | # Inherit logd write socket. |
| 34 | allow isolated_app webview_zygote:unix_dgram_socket write; |
| 35 | # Read system properties managed by webview_zygote. |
| 36 | allow isolated_app webview_zygote_tmpfs:file read; |