###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### following additional rules:
###
# Declare the isolated_app type and give it the domain attribute.
type isolated_app, domain;
# Apply the app_domain() macro to isolated_app. The macro body is defined
# outside this file; the allow rules below add to whatever it grants, so the
# effective permissions of isolated_app are the union of both.
app_domain(isolated_app)
# Read/write only on unix stream sockets of any appdomain. The sockets arrive
# already connected and unnamed, passed over some other IPC, so no sock_file
# or connectto permission is granted here. This appears to be how Chrome
# works; it may need to be updated as more apps using isolated services are
# examined.
allow isolated_app appdomain:unix_stream_socket { read write };
# Execute permission on dalvikcache_data_file files; this rule grants no
# write access to them.
# NOTE(review): presumably needed to run code from the Dalvik cache - confirm.
allow isolated_app dalvikcache_data_file:file execute;
# getattr only on apk_data_file directories; this rule does not grant search
# or read on them.
allow isolated_app apk_data_file:dir getattr;
# read/write/getattr/getopt on init's unix stream sockets. As with the
# appdomain rule above, connectto is not granted, so this rule does not let
# isolated_app open new connections to init.
# NOTE(review): presumably covers descriptors inherited or passed from init -
# confirm which sockets these are before widening this rule.
allow isolated_app init:unix_stream_socket { read write getattr getopt };
# Read-only access to init_tmpfs files.
# NOTE(review): which init-created tmpfs files this is meant to cover is not
# visible here - confirm.
allow isolated_app init_tmpfs:file read;