| ### |
| ### Services with isolatedProcess=true in their manifest. |
| ### |
| ### This file defines the rules for isolated apps. An "isolated |
| ### app" is an APP with UID between AID_ISOLATED_START (99000) |
| ### and AID_ISOLATED_END (99999). |
| ### |
| ### isolated_app includes all the appdomain rules, plus the |
| ### additional following rules: |
| ### |
| |
| type isolated_app, domain; |
| app_domain(isolated_app) |
| |
| # Access already open app data files received over Binder or local socket IPC. |
| allow isolated_app app_data_file:file { read write getattr }; |
| |
| # Isolated apps should not directly open app data files themselves. |
| neverallow isolated_app app_data_file:file open; |
| |
| allow isolated_app radio_service:service_manager find; |
| allow isolated_app surfaceflinger_service:service_manager find; |
| allow isolated_app system_server_service:service_manager find; |
| allow isolated_app tmp_system_server_service:service_manager find; |
| |
| # address tmp_system_server_service accesses |
| allow isolated_app activity_service:service_manager find; |
| allow isolated_app connectivity_service:service_manager find; |
| allow isolated_app display_service:service_manager find; |
| allow isolated_app dropbox_service:service_manager find; |
| |
| service_manager_local_audit_domain(isolated_app) |
| auditallow isolated_app { |
| tmp_system_server_service |
| -activity_service |
| -connectivity_service |
| -display_service |
| -dropbox_service |
| }:service_manager find; |
