| ### |
| ### A domain for further sandboxing the GooglePermissionController app. |
| ### |
| type permissioncontroller_app, domain, coredomain; |
| |
| # Allow everything. |
| # TODO(b/142672293): remove when no selinux denials are triggered for this |
| # domain |
| # STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around |
| # `permissioncontroller_app` and remove this line once we are confident about |
| # this having the right set of permissions. |
| userdebug_or_eng(`permissive permissioncontroller_app;') |
| |
| app_domain(permissioncontroller_app) |
| |
| # Allow interaction with gpuservice |
| binder_call(permissioncontroller_app, gpuservice) |
| allow permissioncontroller_app gpu_service:service_manager find; |
| |
| # Allow interaction with role_service |
| allow permissioncontroller_app role_service:service_manager find; |
| |
| # Allow interaction with usagestats_service |
| allow permissioncontroller_app usagestats_service:service_manager find; |
| |
| # Allow interaction with activity_service |
| allow permissioncontroller_app activity_service:service_manager find; |
| |
| allow permissioncontroller_app activity_task_service:service_manager find; |
| allow permissioncontroller_app audio_service:service_manager find; |
| allow permissioncontroller_app autofill_service:service_manager find; |
| allow permissioncontroller_app content_capture_service:service_manager find; |
| allow permissioncontroller_app device_policy_service:service_manager find; |
| allow permissioncontroller_app incidentcompanion_service:service_manager find; |
| allow permissioncontroller_app location_service:service_manager find; |
| allow permissioncontroller_app media_session_service:service_manager find; |
| allow permissioncontroller_app surfaceflinger_service:service_manager find; |
| allow permissioncontroller_app telecom_service:service_manager find; |
| allow permissioncontroller_app trust_service:service_manager find; |
