1### 2### isolated_compute_apps. 3### 4### This file defines the rules for isolated apps that requires the permission 5### to gather data with service manager and require computational resources to 6### improve the performance to process data under a sandbox. This 7### isolated_compute_app restricts data egress to protect the privacy. 8### 9### TODO(b/266923392): Clean rules for isolated_compute_app characteristics 10### 11 12typeattribute isolated_compute_app coredomain; 13 14app_domain(isolated_compute_app) 15isolated_app_domain(isolated_compute_app) 16 17allow isolated_compute_app isolated_compute_allowed_service:service_manager find; 18allow isolated_compute_app isolated_compute_allowed_device:chr_file { read write ioctl map }; 19 20# Enable access to hardware services for camera functionalilites 21hal_client_domain(isolated_compute_app, hal_allocator) 22hwbinder_use(isolated_compute_app) 23 24hal_client_domain(isolated_compute_app, hal_codec2) 25 26allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms; 27 28# Allow access to network sockets received over IPC. New socket creation is not 29# permitted. 30allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; 31 32# Allow access to the toybox: b/275024392 33allow isolated_compute_app toolbox_exec:file rx_file_perms; 34 35##### 36##### Neverallow 37##### 38 39# Do not allow isolated_compute_app to access hardware service except for the 40# ones necessary for camera service. 41# TODO (b/266555480): The permission should be guarded by compliance test. 42# Remove the negation for member domains when refactorization is done. 43# neverallow isolated_compute_app { 44# hwservice_manager_type 45# -hal_graphics_allocator_hwservice 46# -hal_graphics_mapper_hwservice 47# -hidl_allocator_hwservice 48# -hidl_manager_hwservice 49# -hidl_memory_hwservice 50# }:hwservice_manager *; 51