1### 2### Untrusted apps. 3### 4### This file defines the rules for untrusted apps running with 5### 29 < targetSdkVersion <= 31. 6### 7### See public/untrusted_app.te for more information about which apps are 8### placed in this selinux domain. 9### 10### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible 11### 12 13typeattribute untrusted_app_30 coredomain; 14 15app_domain(untrusted_app_30) 16untrusted_app_domain(untrusted_app_30) 17net_domain(untrusted_app_30) 18bluetooth_domain(untrusted_app_30) 19 20# allow sending RTM_GETNEIGH{TBL} messages. 21allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh; 22auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh; 23 24# Connect to mdnsd via mdnsd socket. 25unix_socket_connect(untrusted_app_30, mdnsd, mdnsd) 26userdebug_or_eng(` 27 auditallow untrusted_app_30 mdnsd_socket:sock_file write; 28 auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto; 29') 30 31# Allow calling inotify on APKs for backwards compatibility. This is disallowed 32# for targetSdkVersion>=34 to remove a sidechannel. 33allow untrusted_app_30 apk_data_file:dir { watch watch_reads }; 34allow untrusted_app_30 apk_data_file:file { watch watch_reads }; 35userdebug_or_eng(` 36 auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads }; 37 auditallow untrusted_app_30 apk_data_file:file { watch watch_reads }; 38') 39