| ### |
| ### Services with isolatedProcess=true in their manifest. |
| ### |
| ### This file defines the rules for isolated apps. An "isolated |
| ### app" is an APP with UID between AID_ISOLATED_START (99000) |
| ### and AID_ISOLATED_END (99999). |
| ### |
| ### isolated_app includes all the appdomain rules, plus the |
| ### additional following rules: |
| ### |
| |
| type isolated_app, domain; |
| app_domain(isolated_app) |
| |
| # Access already open app data files received over Binder or local socket IPC. |
| allow isolated_app app_data_file:file { read write getattr lock }; |
| |
| allow isolated_app activity_service:service_manager find; |
| allow isolated_app display_service:service_manager find; |
| |
| ##### |
| ##### Neverallow |
| ##### |
| |
| # Isolated apps should not directly open app data files themselves. |
| neverallow isolated_app app_data_file:file open; |
| |
| # b/17487348 |
| # Isolated apps can only access two services, |
| # activity_service and display_service |
| neverallow isolated_app { |
| service_manager_type |
| -activity_service |
| -display_service |
| }:service_manager find; |
| |
| # Isolated apps shouldn't be able to access the driver directly. |
| neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; |