diff options
Diffstat (limited to 'prebuilts/api/32.0/private/isolated_app.te')
| -rw-r--r-- | prebuilts/api/32.0/private/isolated_app.te | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/isolated_app.te b/prebuilts/api/32.0/private/isolated_app.te new file mode 100644 index 000000000..71749c00f --- /dev/null +++ b/prebuilts/api/32.0/private/isolated_app.te @@ -0,0 +1,153 @@ +### +### Services with isolatedProcess=true in their manifest. +### +### This file defines the rules for isolated apps. An "isolated +### app" is an APP with UID between AID_ISOLATED_START (99000) +### and AID_ISOLATED_END (99999). +### + +typeattribute isolated_app coredomain; + +app_domain(isolated_app) + +# Access already open app data files received over Binder or local socket IPC. +allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map }; + +# Allow access to network sockets received over IPC. New socket creation is not +# permitted. +allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; + +allow isolated_app activity_service:service_manager find; +allow isolated_app display_service:service_manager find; +allow isolated_app webviewupdate_service:service_manager find; + +# Google Breakpad (crash reporter for Chrome) relies on ptrace +# functionality. Without the ability to ptrace, the crash reporter +# tool is broken. +# b/20150694 +# https://code.google.com/p/chromium/issues/detail?id=475270 +allow isolated_app self:process ptrace; + +# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps +# by other processes. Open should never be allowed, and is blocked by +# neverallow rules below. +# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs +# is modified to change the secontext when accessing the lower filesystem. +allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map }; + +# For webviews, isolated_app processes can be forked from the webview_zygote +# in addition to the zygote. Allow access to resources inherited from the +# webview_zygote process. These rules are specialized copies of the ones in app.te. +# Inherit FDs from the webview_zygote. +allow isolated_app webview_zygote:fd use; +# Notify webview_zygote of child death. +allow isolated_app webview_zygote:process sigchld; +# Inherit logd write socket. +allow isolated_app webview_zygote:unix_dgram_socket write; +# Read system properties managed by webview_zygote. +allow isolated_app webview_zygote_tmpfs:file read; + +# Inherit FDs from the app_zygote. +allow isolated_app app_zygote:fd use; +# Notify app_zygote of child death. +allow isolated_app app_zygote:process sigchld; +# Inherit logd write socket. +allow isolated_app app_zygote:unix_dgram_socket write; + +# TODO (b/63631799) fix this access +# suppress denials to /data/local/tmp +dontaudit isolated_app shell_data_file:dir search; + +# Write app-specific trace data to the Perfetto traced damon. This requires +# connecting to its producer socket and obtaining a (per-process) tmpfs fd. +perfetto_producer(isolated_app) + +# Allow profiling if the main app has been marked as profileable or +# debuggable. +can_profile_heap(isolated_app) +can_profile_perf(isolated_app) + +##### +##### Neverallow +##### + +# Isolated apps should not directly open app data files themselves. +neverallow isolated_app { app_data_file privapp_data_file }:file open; + +# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) +# TODO: are there situations where isolated_apps write to this file? +# TODO: should we tighten these restrictions further? +neverallow isolated_app anr_data_file:file ~{ open append }; +neverallow isolated_app anr_data_file:dir ~search; + +# Isolated apps must not be permitted to use HwBinder +neverallow isolated_app hwbinder_device:chr_file *; +neverallow isolated_app *:hwservice_manager *; + +# Isolated apps must not be permitted to use VndBinder +neverallow isolated_app vndbinder_device:chr_file *; + +# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager +# except the find actions for services allowlisted below. +neverallow isolated_app *:service_manager ~find; + +# b/17487348 +# Isolated apps can only access three services, +# activity_service, display_service, webviewupdate_service. +neverallow isolated_app { + service_manager_type + -activity_service + -display_service + -webviewupdate_service +}:service_manager find; + +# Isolated apps shouldn't be able to access the driver directly. +neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; + +# Do not allow isolated_app access to /cache +neverallow isolated_app cache_file:dir ~{ r_dir_perms }; +neverallow isolated_app cache_file:file ~{ read getattr }; + +# Do not allow isolated_app to access external storage, except for files passed +# via file descriptors (b/32896414). +neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr; +neverallow isolated_app { storage_file mnt_user_file }:file_class_set *; +neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *; +neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map }; + +# Do not allow USB access +neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; + +# Restrict the webview_zygote control socket. +neverallow isolated_app webview_zygote:sock_file write; + +# Limit the /sys files which isolated_app can access. This is important +# for controlling isolated_app attack surface. +neverallow isolated_app { + sysfs_type + -sysfs_devices_system_cpu + -sysfs_transparent_hugepage + -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852) + -sysfs_fs_incfs_features +}:file no_rw_file_perms; + +# No creation of sockets families other than AF_UNIX sockets. +# List taken from system/sepolicy/public/global_macros - socket_class_set +# excluding unix_stream_socket and unix_dgram_socket. +# Many of these are socket families which have never and will never +# be compiled into the Android kernel. +neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{ + socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket + key_socket appletalk_socket netlink_route_socket + netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket + netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket + netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket + netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket + netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket + netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket + netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket + rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket + bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket + ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket + qipcrtr_socket smc_socket xdp_socket +} create; |