# microdroid_app is a domain for microdroid_launcher, which is a binary that
# loads a shared library from an apk and executes it by calling an entry point
# in the library. This can be considered as the native counterpart of
# app_process for Java.
#
# Both microdroid_launcher and payload from the shared library run in the
# context of microdroid_app.
# Declares the microdroid_app domain type with the domain, coredomain and
# microdroid_payload attributes. Any rule written elsewhere in the policy
# against one of those attributes applies to this domain as well.
type microdroid_app, domain, coredomain, microdroid_payload;
# Declares an executable file type; presumably the label carried by the
# microdroid_launcher binary (confirm in file_contexts). No domain transition
# into microdroid_app is defined in the lines shown here.
type microdroid_app_exec, exec_type, file_type, system_file_type;
# Talk to binder services (for diced)
# NOTE(review): the launcher and the payload loaded from the apk share this one
# domain, so every permission granted below is available to payload code too,
# not only to the launcher. Keep this list as small as the payload needs.
binder_use(microdroid_app);
# Allow looking up dice_node_service through the service manager (find only).
allow microdroid_app dice_node_service:service_manager find;
# Allow binder calls from microdroid_app to the diced domain (binder_call is a
# macro defined elsewhere in the policy).
binder_call(microdroid_app, diced);
# Grant exactly two permissions of the diced class on the diced target:
# get_attestation_chain and derive. No other permission of that class is
# granted by this rule.
allow microdroid_app diced:diced { get_attestation_chain derive };