
Lines Matching refs:untrusted_app

8 ### directory).  The untrusted_app domain is the default assignment in
19 ### untrusted_app includes all the appdomain rules, plus the
# NOTE(review): this is a search-hit listing. Only lines that mention
# untrusted_app are shown, each prefixed with its line number in the policy
# file; rules and comments between the hits are not visible here.
#
# Declares the untrusted_app type and applies the app/net/bluetooth domain
# macros. The macro bodies are defined elsewhere, so the permissions they
# grant cannot be read off this listing.
23 type untrusted_app, domain;
24 app_domain(untrusted_app)
25 net_domain(untrusted_app)
26 bluetooth_domain(untrusted_app)
# Execute access to files in the app's data area. execmod additionally lets
# the domain make executable a file mapping it has modified (text
# relocations), so code stored in writable app data can be run.
30 allow untrusted_app app_data_file:file { rx_file_perms execmod };
# Read-only access to asec_apk_file files and directories.
33 allow untrusted_app asec_apk_file:file r_file_perms;
34 allow untrusted_app asec_apk_file:dir r_dir_perms;
# execute/execmod only; no read or open is granted by this rule itself.
36 allow untrusted_app asec_public_file:file { execute execmod };
# presumably lets the domain allocate its own pseudo-terminals; confirm
# against the create_pty macro definition.
40 create_pty(untrusted_app)
# Read-only access to shell_data_file files and directories.
46 allow untrusted_app shell_data_file:file r_file_perms;
47 allow untrusted_app shell_data_file:dir r_dir_perms;
# No open permission here: the domain can only use system_app_data_file
# descriptors that were opened elsewhere and handed to it.
52 allow untrusted_app system_app_data_file:file { read write getattr };
55 # Rules migrated from old app domains coalesced into untrusted_app.
# Create/modify access to media_rw_data_file directories and files.
60 allow untrusted_app media_rw_data_file:dir create_dir_perms;
61 allow untrusted_app media_rw_data_file:file create_file_perms;
# Directory traversal only; no listing or file access from this rule.
65 allow untrusted_app mnt_media_rw_file:dir search;
# list lets the domain enumerate the services registered with servicemanager.
68 allow untrusted_app servicemanager:service_manager list;
# find lets the domain look up each named service. The service's own
# interface is the remaining check after lookup, so every entry below is
# reachable attack surface for an untrusted app.
70 allow untrusted_app audioserver_service:service_manager find;
71 allow untrusted_app cameraserver_service:service_manager find;
72 allow untrusted_app drmserver_service:service_manager find;
73 allow untrusted_app mediaserver_service:service_manager find;
74 allow untrusted_app mediaextractor_service:service_manager find;
75 allow untrusted_app mediacodec_service:service_manager find;
76 allow untrusted_app mediadrmserver_service:service_manager find;
77 allow untrusted_app nfc_service:service_manager find;
78 allow untrusted_app radio_service:service_manager find;
79 allow untrusted_app surfaceflinger_service:service_manager find;
80 allow untrusted_app app_api_service:service_manager find;
# Read-only access to perfprofd_data_file files and directories.
86 allow untrusted_app perfprofd_data_file:file r_file_perms;
87 allow untrusted_app perfprofd_data_file:dir r_dir_perms;
# The target is "self", i.e. processes carrying the untrusted_app label.
# NOTE(review): every process in this domain shares that label, so type
# enforcement alone does not separate one app from another here; presumably
# UID checks and MLS categories do that. Confirm.
91 allow untrusted_app self:process ptrace;
# dontaudit grants nothing; it only suppresses the denial message. getattr
# attempts on exec_type files will therefore not show up in audit logs.
95 dontaudit untrusted_app exec_type:file getattr;
98 allow untrusted_app proc_meminfo:file r_file_perms;
# Broad: applies to every file that still carries the generic proc label.
101 allow untrusted_app proc:file r_file_perms;
# presumably read access to proc_net directories and files (macro defined
# elsewhere). NOTE(review): this would expose network state to untrusted
# apps; confirm the scope.
103 r_dir_file(untrusted_app, proc_net)
# Traverse sysfs_hwrandom directories and read the files in them.
106 allow untrusted_app sysfs_hwrandom:dir search;
107 allow untrusted_app sysfs_hwrandom:file r_file_perms;
# Read-only access to preloads_data_file directories and files.
110 allow untrusted_app preloads_data_file:dir r_dir_perms;
111 allow untrusted_app preloads_data_file:file r_file_perms;
# NOTE(review): search-hit listing; only lines that mention untrusted_app
# are shown, each prefixed with its line number in the policy file.
#
# neverallow rules are assertions checked when the policy is compiled: a
# matching allow rule anywhere in the policy fails the build. They add no
# runtime denial of their own.
#
# No access of any kind ("*") to uevent or generic netlink sockets.
118 neverallow untrusted_app domain:netlink_kobject_uevent_socket *;
121 neverallow untrusted_app domain:netlink_socket *;
# No reads of any file whose type carries the debugfs_type attribute.
125 neverallow untrusted_app debugfs_type:file read;
# Apps may look services up (find) but must never register one.
130 neverallow untrusted_app service_manager_type:service_manager add;
# No route to setting properties: not via the property socket, not by
# connecting to init's stream socket, not through property_service.
134 neverallow untrusted_app property_socket:sock_file write;
135 neverallow untrusted_app init:unix_stream_socket connectto;
136 neverallow untrusted_app property_type:property_service set;
138 # Do not allow untrusted_app to be assigned mlstrustedsubject.
145 # and untrusted_app is allowed fork permission to itself.
# Works as an attribute check: the domain may fork itself, so adding
# untrusted_app to mlstrustedsubject would make that self-fork match this
# rule and fail the build.
146 neverallow untrusted_app mlstrustedsubject:process fork;
148 # Do not allow untrusted_app to hard link to any files.
149 # In particular, if untrusted_app links to other app data
152 # bugs, so we want to ensure untrusted_app never has this
154 neverallow untrusted_app file_type:file link;
156 # Do not allow untrusted_app to access network MAC address file
157 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
# neverallowxperm forbids only the ioctl commands in priv_sock_ioctls (set
# defined elsewhere) on these socket classes; other ioctls are not covered.
161 neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Every ioctl is forbidden on route and selinux netlink sockets.
162 neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# Rule continues on lines that are not part of this listing.
163 neverallow untrusted_app *:{
173 # Do not allow untrusted_app access to /cache
# "~{ ... }" is the complement: everything outside the listed set is
# forbidden. For files that includes open, so at most read/getattr on an
# already-open descriptor could ever be granted.
174 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
175 neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
177 # Do not allow untrusted_app to set system properties.
# NOTE(review): the next two rules are identical to the ones at lines 134
# and 136 above. Redundant but harmless; consider keeping one copy.
178 neverallow untrusted_app property_socket:sock_file write;
179 neverallow untrusted_app property_type:property_service set;
181 # Do not allow untrusted_app to create/unlink files outside of its sandbox,
# Rule continues on lines that are not part of this listing.
186 neverallow untrusted_app {
203 # Do not allow untrusted_app to directly open tun_device
# Only open is asserted against; use of a tun descriptor opened by another
# domain and passed in is outside this rule.
204 neverallow untrusted_app tun_device:chr_file open;
# Complement sets again: on ANR files only open and append may ever be
# granted (no read, no overwrite); on the directory only search.
207 neverallow untrusted_app anr_data_file:file ~{ open append };
208 neverallow untrusted_app anr_data_file:dir ~search;