private/isolated_compute_app.te - platform/system/sepolicy - Git at Google

 ###
 ### isolated_compute_apps.
 ###
 ### This file defines the rules for isolated apps that requires the permission
 ### to gather data with service manager and require computational resources to
 ### improve the performance to process data under a sandbox. This
 ### isolated_compute_app restricts data egress to protect the privacy.
 ###
 ### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
 ###
 type isolated_compute_app, domain;

 typeattribute isolated_compute_app coredomain;

 app_domain(isolated_compute_app)
 isolated_app_domain(isolated_compute_app)

 allow isolated_compute_app audioserver_service:service_manager find;
 allow isolated_compute_app cameraserver_service:service_manager find;
 allow isolated_compute_app content_capture_service:service_manager find;
 allow isolated_compute_app device_state_service:service_manager find;
 allow isolated_compute_app speech_recognition_service:service_manager find;

 # Enable access to hardware services for camera functionalilites
 hal_client_domain(isolated_compute_app, hal_allocator)
 hwbinder_use(isolated_compute_app)

 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(isolated_compute_app)

 # Allow profiling if the main app has been marked as profileable or
 # debuggable.
 can_profile_heap(isolated_compute_app)
 can_profile_perf(isolated_compute_app)

 #####
 ##### Neverallow
 #####

 # Do not allow isolated_compute_app to access hardware service except for the
 # ones necessary for camera service.
 # TODO (b/266555480): The permission should be guarded by compliance test.
 # Remove the negation for member domains when refactorization is done.
 # neverallow isolated_compute_app {
 # hwservice_manager_type
 #  -hal_graphics_allocator_hwservice
 #  -hal_graphics_mapper_hwservice
 #  -hidl_allocator_hwservice
 #  -hidl_manager_hwservice
 #  -hidl_memory_hwservice
 # }:hwservice_manager *;
	###
	### isolated_compute_apps.
	###
	### This file defines the rules for isolated apps that requires the permission
	### to gather data with service manager and require computational resources to
	### improve the performance to process data under a sandbox. This
	### isolated_compute_app restricts data egress to protect the privacy.
	###
	### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
	###
	type isolated_compute_app, domain;

	typeattribute isolated_compute_app coredomain;

	app_domain(isolated_compute_app)
	isolated_app_domain(isolated_compute_app)

	allow isolated_compute_app audioserver_service:service_manager find;
	allow isolated_compute_app cameraserver_service:service_manager find;
	allow isolated_compute_app content_capture_service:service_manager find;
	allow isolated_compute_app device_state_service:service_manager find;
	allow isolated_compute_app speech_recognition_service:service_manager find;

	# Enable access to hardware services for camera functionalilites
	hal_client_domain(isolated_compute_app, hal_allocator)
	hwbinder_use(isolated_compute_app)

	# Write app-specific trace data to the Perfetto traced damon. This requires
	# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
	perfetto_producer(isolated_compute_app)

	# Allow profiling if the main app has been marked as profileable or
	# debuggable.
	can_profile_heap(isolated_compute_app)
	can_profile_perf(isolated_compute_app)

	#####
	##### Neverallow
	#####

	# Do not allow isolated_compute_app to access hardware service except for the
	# ones necessary for camera service.
	# TODO (b/266555480): The permission should be guarded by compliance test.
	# Remove the negation for member domains when refactorization is done.
	# neverallow isolated_compute_app {
	# hwservice_manager_type
	# -hal_graphics_allocator_hwservice
	# -hal_graphics_mapper_hwservice
	# -hidl_allocator_hwservice
	# -hidl_manager_hwservice
	# -hidl_memory_hwservice
	# }:hwservice_manager *;