Allow isolated_app to talk to webviewupdate_service.

It's okay for isolated apps to connect to the webview update service to find out which APK is WebView. This enables isolated renderer processes to load their code from the WebView APK. Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f

Allow isolated_app to talk to webviewupdate_service.
It's okay for isolated apps to connect to the webview update service to find out which APK is WebView. This enables isolated renderer processes to load their code from the WebView APK. Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f
e6d67390 · Torne (Richard Coles) · d6c9947f · e6d67390
Commit e6d67390 authored 9 years ago by Torne (Richard Coles)
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -17,6 +17,7 @@ allow isolated_app app_data_file:file { read write getattr lock };

 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;

 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
@@ -40,12 +41,13 @@ neverallow isolated_app property_type:property_service set;
 neverallow isolated_app app_data_file:file open;

 # b/17487348
-# Isolated apps can only access two services,
-# activity_service and display_service
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
 neverallow isolated_app {
    service_manager_type
    -activity_service
    -display_service
+    -webviewupdate_service
 }:service_manager find;

 # Isolated apps shouldn't be able to access the driver directly.