###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
### Reading guide: the allow rules below are the only access granted
### on top of app_domain(); the neverallow rules are compile-time
### assertions that no other policy file may widen that access.
### Where a neverallow bounds an allow in this file, the pairing is
### noted on the rule.
###

# Declare the isolated_app domain. `domain` is the attribute shared by
# all process types; `domain_deprecated` is an attribute declared
# elsewhere in the policy. NOTE(review): it presumably carries legacy
# rules kept for compatibility — confirm isolated_app still needs it.
type isolated_app, domain, domain_deprecated;
# Expand the common app rules (macro defined elsewhere in the policy).
app_domain(isolated_app)

# Access already open app data files received over Binder or local socket IPC.
# `open` is deliberately absent from this set: the descriptor has to be
# handed to the isolated process by a more privileged one. The matching
# neverallow further down makes that absence a policy-wide guarantee.
allow isolated_app app_data_file:file { read write getattr lock };

# The only three services an isolated app may look up in servicemanager.
# Keep this list in sync with the service_manager_type neverallow below,
# which enumerates the same three types as exceptions.
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;

# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
# Target is `self` only: this permits tracing threads of the same
# isolated process, not other processes.
allow isolated_app self:process ptrace;

#####
##### Neverallow
#####

# Do not allow isolated_app to directly open tun_device
# Only `open` is asserted here, so an already-open tun descriptor passed
# in over IPC is not covered by this rule.
neverallow isolated_app tun_device:chr_file open;

# Do not allow isolated_app to set system properties.
# Both halves of the property path are asserted: writing to the
# property socket, and the `set` permission on any property_type.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;

# Isolated apps should not directly open app data files themselves.
# Bounds the app_data_file allow rule above (which grants read/write
# on already-open descriptors but never open).
neverallow isolated_app app_data_file:file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
# `~{ open append }` is the complement set: every file permission other
# than open and append is forbidden; likewise only `search` on the dir.
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;

# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
# `-type` inside the braces subtracts that type from the
# service_manager_type attribute, so these three are the only
# permitted exceptions; they mirror the allow rules above.
neverallow isolated_app {
  service_manager_type
  -activity_service
  -display_service
  -webviewupdate_service
}:service_manager find;

# Isolated apps shouldn't be able to access the GPU driver directly.
# rw_file_perms is a permission-set macro defined elsewhere; execute is
# added explicitly on top of it.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

# Do not allow isolated_app access to /cache
# Complement sets again: anything beyond the read-only dir perms macro
# (r_dir_perms, defined elsewhere) and read/getattr on files is denied.
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# Option 1: extended-permission rule. priv_sock_ioctls is an ioctl
# command set defined elsewhere; the target `domain` covers sockets
# owned by any process domain (socket objects are presumably labeled
# with their creating domain's type — verify against the policy).
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Option 2: `*` is any target type; the ioctl permission itself is
# denied on these two netlink classes.
neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# Option 3: every permission (`*`) on every target type for the socket
# classes listed, i.e. the class is unusable from isolated_app.
neverallow isolated_app *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;