| ### |
| ### isolated_apps. |
| ### |
| ### This file defines the rules for isolated apps that do not wish to use |
| ### service managers and do not require extra computational resources. |
| ### |
| |
| # Tag isolated_app with the coredomain attribute (the core/system side of the |
| # policy, as opposed to vendor domains). |
| typeattribute isolated_app coredomain; |
| |
| # Pull in the shared app-domain rules and the isolated_app-specific ones. Both |
| # macros are defined elsewhere (te_macros, not in this file); isolated_app_domain |
| # is presumably where the isolated_app_all attribute referenced below is |
| # attached -- verify against te_macros before relying on that. |
| app_domain(isolated_app) |
| isolated_app_domain(isolated_app) |
| |
| # Exception to the "no service managers" note in the header: the app may look up |
| # the webviewupdate service. Only `find` is granted; this rule alone does not |
| # let the app add, list or otherwise interact with servicemanager. |
| allow isolated_app webviewupdate_service:service_manager find; |
| |
| # Allow access to network sockets received over IPC. New socket creation is not |
| # permitted. The permission set is rw_socket_perms_no_ioctl (global_macros), |
| # which -- as its name says -- omits ioctl on top of excluding create; the |
| # socket FD must have been handed over by one of the listed app domains. |
| allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; |
| |
| # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps |
| # by other processes. Open should never be allowed, and is blocked by |
| # neverallow rules in isolated_app_all attribute. Note that `open`, `create` |
| # and `ioctl` are deliberately absent from the set below; `map` only lets the |
| # app mmap an FD it already holds. |
| # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs |
| # is modified to change the secontext when accessing the lower filesystem. |
| allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map }; |
| |
| # For webviews, isolated_app processes can be forked from the webview_zygote |
| # in addition to the zygote. Allow access to resources inherited from the |
| # webview_zygote process. These rules are specialized copies of the ones in app.te |
| # (which cover the regular zygote); keep them in sync with app.te when that |
| # file changes. |
| # Inherit FDs from the webview_zygote. |
| allow isolated_app webview_zygote:fd use; |
| # Notify webview_zygote of child death. Only sigchld is granted; no other |
| # process permission (e.g. signal, ptrace) toward webview_zygote comes from |
| # this file. |
| allow isolated_app webview_zygote:process sigchld; |
| # Inherit logd write socket. This is write-only on a socket created by |
| # webview_zygote; the app cannot create or connect such a socket via this rule. |
| allow isolated_app webview_zygote:unix_dgram_socket write; |
| # Read system properties managed by webview_zygote (read-only access to the |
| # webview_zygote tmpfs file; no write or map is granted here). |
| allow isolated_app webview_zygote_tmpfs:file read; |