Grant appdomain access to app_api_service

The original idea was to compartmentalize services for apps to access. ex. an app that manage display brightness should not have access to audio service. However, identifying all services is hard and we often end up granting app_api_service in practice to avoid unexpected crashes. Bug: 147198856 Test: Remove device app_api_service related sepolicy and related process remain functional Change-Id: I3aafcf1a91847a97c86f1d7992653b806a713bd4
2020-01-07 08:19:42 +08:00 · 2020-01-07 08:19:42 +08:00 · d5a0edd75e
commit d5a0edd75e
parent 4c37de9b44
1 changed files with 3 additions and 0 deletions
--- a/public/app.te
+++ b/public/app.te
@ -50,6 +50,9 @@ allow appdomain adbd:process sigchld;
 # child shell or gdbserver pty access for runas.
 allow appdomain devpts:chr_file { getattr read write ioctl };

+# Allow appdomain to access app_api_service
+allow { appdomain -isolated_app } app_api_service:service_manager find;
+
 # Use pipes and sockets provided by system_server via binder or local socket.
 allow appdomain system_server:fd use;
 allow appdomain system_server:fifo_file rw_file_perms;