Home | History | Annotate | Download | only in private 
      1 ###
      2 ### Services with isolatedProcess=true in their manifest.
      3 ###
      4 ### This file defines the rules for isolated apps. An "isolated
      5 ### app" is an APP with UID between AID_ISOLATED_START (99000)
      6 ### and AID_ISOLATED_END (99999).
      7 ###
      8 
      9 typeattribute isolated_app coredomain;
     10 
     11 app_domain(isolated_app)
     12 
     13 # Access already open app data files received over Binder or local socket IPC.
     14 allow isolated_app app_data_file:file { append read write getattr lock };
     15 
     16 allow isolated_app activity_service:service_manager find;
     17 allow isolated_app display_service:service_manager find;
     18 allow isolated_app webviewupdate_service:service_manager find;
     19 
     20 # Google Breakpad (crash reporter for Chrome) relies on ptrace
     21 # functionality. Without the ability to ptrace, the crash reporter
     22 # tool is broken.
     23 # b/20150694
     24 # https://code.google.com/p/chromium/issues/detail?id=475270
     25 allow isolated_app self:process ptrace;
     26 
     27 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
     28 # by other processes. Open should never be allowed, and is blocked by
     29 # neverallow rules below.
     30 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
     31 # is modified to change the secontext when accessing the lower filesystem.
     32 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
     33 
     34 # For webviews, isolated_app processes can be forked from the webview_zygote
     35 # in addition to the zygote. Allow access to resources inherited from the
     36 # webview_zygote process. These rules are specialized copies of the ones in app.te.
     37 # Inherit FDs from the webview_zygote.
     38 allow isolated_app webview_zygote:fd use;
     39 # Notify webview_zygote of child death.
     40 allow isolated_app webview_zygote:process sigchld;
     41 # Inherit logd write socket.
     42 allow isolated_app webview_zygote:unix_dgram_socket write;
     43 # Read system properties managed by webview_zygote.
     44 allow isolated_app webview_zygote_tmpfs:file read;
     45 
     46 # TODO (b/63631799) fix this access
     47 # suppress denials to /data/local/tmp
     48 dontaudit isolated_app shell_data_file:dir search;
     49 
     50 # Write app-specific trace data to the Perfetto traced damon. This requires
     51 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
     52 allow isolated_app traced:fd use;
     53 allow isolated_app traced_tmpfs:file { read write getattr map };
     54 unix_socket_connect(isolated_app, traced_producer, traced)
     55 
     56 #####
     57 ##### Neverallow
     58 #####
     59 
     60 # Do not allow isolated_app to directly open tun_device
     61 neverallow isolated_app tun_device:chr_file open;
     62 
     63 # Isolated apps should not directly open app data files themselves.
     64 neverallow isolated_app app_data_file:file open;
     65 
     66 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
     67 # TODO: are there situations where isolated_apps write to this file?
     68 # TODO: should we tighten these restrictions further?
     69 neverallow isolated_app anr_data_file:file ~{ open append };
     70 neverallow isolated_app anr_data_file:dir ~search;
     71 
     72 # Isolated apps must not be permitted to use HwBinder
     73 neverallow isolated_app hwbinder_device:chr_file *;
     74 neverallow isolated_app *:hwservice_manager *;
     75 
     76 # Isolated apps must not be permitted to use VndBinder
     77 neverallow isolated_app vndbinder_device:chr_file *;
     78 
     79 # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
     80 # except the find actions for services whitelisted below.
     81 neverallow isolated_app *:service_manager ~find;
     82 
     83 # b/17487348
     84 # Isolated apps can only access three services,
     85 # activity_service, display_service and webviewupdate_service.
     86 neverallow isolated_app {
     87     service_manager_type
     88     -activity_service
     89     -display_service
     90     -webviewupdate_service
     91 }:service_manager find;
     92 
     93 # Isolated apps shouldn't be able to access the driver directly.
     94 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
     95 
     96 # Do not allow isolated_app access to /cache
     97 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
     98 neverallow isolated_app cache_file:file ~{ read getattr };
     99 
    100 # Do not allow isolated_app to access external storage, except for files passed
    101 # via file descriptors (b/32896414).
    102 neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
    103 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
    104 neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
    105 neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
    106 
    107 # Do not allow USB access
    108 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
    109 
    110 # Restrict the webview_zygote control socket.
    111 neverallow isolated_app webview_zygote:sock_file write;
    112 
    113 # Limit the /sys files which isolated_app can access. This is important
    114 # for controlling isolated_app attack surface.
    115 neverallow isolated_app {
    116   sysfs_type
    117   -sysfs_devices_system_cpu
    118   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
    119 }:file no_rw_file_perms;
    120