###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
### Layout: the allow rules grant the small amount of extra access an
### isolated process needs; the neverallow section at the end pins that
### boundary so a later allow rule elsewhere in the policy cannot widen
### it without breaking the policy build.
###

# Declare isolated_app as a process domain, then apply the shared
# app-domain rules through the app_domain macro (defined outside this file).
type isolated_app, domain;
app_domain(isolated_app)

# Access already open app data files received over Binder or local socket IPC.
# "open" is deliberately absent from this set: an isolated app may only use
# descriptors another process has handed to it (enforced by the neverallow
# rule further down).
allow isolated_app app_data_file:file { read write getattr lock };

# The only two services an isolated app may look up in the service manager;
# the neverallow rule below forbids finding any other service_manager_type.
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;

# only allow unprivileged socket ioctl commands
# (unpriv_sock_ioctls is a permission set defined outside this file; it is
# granted only on the app's own raw IP, TCP and UDP sockets, not on
# sockets labeled otherwise)
allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;

#####
##### Neverallow
#####
# neverallow rules are evaluated when the policy is compiled: an allow rule
# anywhere in the policy that contradicts one of them is a build error, so
# the isolated_app sandbox cannot be loosened by accident from another file.

# Isolated apps should not directly open app data files themselves.
# (Read/write on descriptors they already hold is still permitted by the
# allow rule above.)
neverallow isolated_app app_data_file:file open;

# b/17487348
# Isolated apps can only access two services,
# activity_service and display_service
# The set is "every service_manager_type except the two allowed above", so a
# new service type added elsewhere does not silently become findable here.
neverallow isolated_app {
    service_manager_type
    -activity_service
    -display_service
}:service_manager find;

# Isolated apps shouldn't be able to access the GPU device node directly:
# neither read/write access to the character device nor executing it.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
