| Nick Kralevich | 748fdef | 2013-07-12 16:33:29 -0700 | [diff] [blame] | 1 | ### |
| 2 | ### Services with isolatedProcess=true in their manifest. |
| 3 | ### |
| 4 | ### This file defines the rules for isolated apps. An "isolated |
| 5 | ### app" is an APP with UID between AID_ISOLATED_START (99000) |
| 6 | ### and AID_ISOLATED_END (99999). |
| 7 | ### |
| 8 | ### isolated_app includes all the appdomain rules, plus the |
| 9 | ### additional following rules: |
| 10 | ### |
| 11 | |
| 12 | type isolated_app, domain; |
| Nick Kralevich | 748fdef | 2013-07-12 16:33:29 -0700 | [diff] [blame] | 13 | app_domain(isolated_app) |
| Stephen Smalley | 85708ec | 2014-02-24 10:48:03 -0500 | [diff] [blame] | 14 | net_domain(isolated_app) |
| Nick Kralevich | ad89159 | 2014-06-27 15:19:04 -0700 | [diff] [blame] | 15 | |
| 16 | # read and write access to app_data_file is already |
| 17 | # granted via app.te. Allow execute. |
| 18 | # Needed to allow dlopen() from Chrome renderer processes. |
| 19 | # See b/15902433 for details. |
| 20 | allow isolated_app app_data_file:file execute; |