| Charles Chen | 3d4a6b7 | 2023-01-17 08:16:44 +0000 | [diff] [blame] | 1 | ### |
| 2 | ### isolated_compute_apps. |
| 3 | ### |
| 4 | ### This file defines the rules for isolated apps that requires the permission |
| 5 | ### to gather data with service manager and require computational resources to |
| 6 | ### improve the performance to process data under a sandbox. This |
| 7 | ### isolated_compute_app restricts data egress to protect the privacy. |
| 8 | ### |
| 9 | ### TODO(b/266923392): Clean rules for isolated_compute_app characteristics |
| 10 | ### |
| Charles Chen | 3d4a6b7 | 2023-01-17 08:16:44 +0000 | [diff] [blame] | 11 | |
| 12 | typeattribute isolated_compute_app coredomain; |
| 13 | |
| 14 | app_domain(isolated_compute_app) |
| 15 | isolated_app_domain(isolated_compute_app) |
| 16 | |
| Charles Chen | 27a8f43 | 2023-04-20 16:38:30 +0000 | [diff] [blame] | 17 | allow isolated_compute_app isolated_compute_allowed_service:service_manager find; |
| 18 | allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map }; |
| Charles Chen | 3d4a6b7 | 2023-01-17 08:16:44 +0000 | [diff] [blame] | 19 | |
| 20 | # Enable access to hardware services for camera functionalilites |
| 21 | hal_client_domain(isolated_compute_app, hal_allocator) |
| 22 | hwbinder_use(isolated_compute_app) |
| 23 | |
| Wonsik Kim | a981983 | 2023-08-21 18:10:35 -0700 | [diff] [blame] | 24 | hal_client_domain(isolated_compute_app, hal_codec2) |
| 25 | |
| Charles Chen | 3e9f05f | 2023-01-31 13:02:12 +0000 | [diff] [blame] | 26 | allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms; |
| 27 | |
| 28 | # Allow access to network sockets received over IPC. New socket creation is not |
| 29 | # permitted. |
| 30 | allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; |
| 31 | |
| ThiƩbaud Weksteen | e9ac9ce | 2023-03-27 12:44:03 +1100 | [diff] [blame] | 32 | # Allow access to the toybox: b/275024392 |
| 33 | allow isolated_compute_app toolbox_exec:file rx_file_perms; |
| 34 | |
| Sandeep Bandaru | 702797d | 2024-09-20 14:55:25 +0000 | [diff] [blame] | 35 | # Grant GPU access to isolated_compute_app as it is required for acceleration. |
| 36 | allow isolated_compute_app gpu_device:chr_file rw_file_perms; |
| 37 | allow isolated_compute_app gpu_device:dir r_dir_perms; |
| 38 | allow isolated_compute_app sysfs_gpu:file r_file_perms; |
| 39 | |
| 40 | |
| Charles Chen | 3d4a6b7 | 2023-01-17 08:16:44 +0000 | [diff] [blame] | 41 | ##### |
| 42 | ##### Neverallow |
| 43 | ##### |
| 44 | |
| 45 | # Do not allow isolated_compute_app to access hardware service except for the |
| 46 | # ones necessary for camera service. |
| 47 | # TODO (b/266555480): The permission should be guarded by compliance test. |
| 48 | # Remove the negation for member domains when refactorization is done. |
| 49 | # neverallow isolated_compute_app { |
| 50 | # hwservice_manager_type |
| 51 | # -hal_graphics_allocator_hwservice |
| 52 | # -hal_graphics_mapper_hwservice |
| 53 | # -hidl_allocator_hwservice |
| 54 | # -hidl_manager_hwservice |
| 55 | # -hidl_memory_hwservice |
| 56 | # }:hwservice_manager *; |