| Nick Kralevich | 748fdef | 2013-07-12 16:33:29 -0700 | [diff] [blame] | 1 | ### |
| 2 | ### Services with isolatedProcess=true in their manifest. |
| 3 | ### |
| 4 | ### This file defines the rules for isolated apps. An "isolated |
| 5 | ### app" is an APP with UID between AID_ISOLATED_START (99000) |
| 6 | ### and AID_ISOLATED_END (99999). |
| 7 | ### |
| 8 | ### isolated_app includes all the appdomain rules, plus the |
| 9 | ### additional following rules: |
| 10 | ### |
| 11 | |
| 12 | type isolated_app, domain; |
| Nick Kralevich | 748fdef | 2013-07-12 16:33:29 -0700 | [diff] [blame] | 13 | app_domain(isolated_app) |
| Nick Kralevich | 6634a10 | 2013-07-12 18:45:56 -0700 | [diff] [blame] | 14 | |
| Nick Kralevich | 6634a10 | 2013-07-12 18:45:56 -0700 | [diff] [blame] | 15 | # Already connected, unnamed sockets being passed over some other IPC |
| 16 | # hence no sock_file or connectto permission. This appears to be how |
| 17 | # Chrome works, may need to be updated as more apps using isolated services |
| 18 | # are examined. |
| 19 | allow isolated_app appdomain:unix_stream_socket { read write }; |
| Geremy Condra | 217f8af | 2013-09-05 15:36:30 -0700 | [diff] [blame] | 20 | |
| 21 | allow isolated_app dalvikcache_data_file:file execute; |
| 22 | allow isolated_app apk_data_file:dir getattr; |