###
### Untrusted apps.
###
### This file defines the rules for untrusted apps running with
### targetSdkVersion >= 32.
###
### See public/untrusted_app.te for more information about which apps are
### placed in this selinux domain.
###

typeattribute untrusted_app coredomain;

app_domain(untrusted_app)
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)

# Allow webview to access fd shared by sdksandbox for experiments data
# TODO(b/229249719): Will not be supported in Android U
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
allow untrusted_app cloudserver_dt:binder {call transfer};
allow untrusted_app app_data_file:file { mounton };
allow untrusted_app mirror_data_file:file { open read write ioctl lock getattr setattr mounton };
allow untrusted_app mirror_data_file:dir { search read write };
neverallow untrusted_app sdk_sandbox_data_file:file { open create };

#added by jerry
#allow untrusted_app expand_service:service_manager find;
#end