1 ### 2 ### Services with isolatedProcess=true in their manifest. 3 ### 4 ### This file defines the rules for isolated apps. An "isolated 5 ### app" is an APP with UID between AID_ISOLATED_START (99000) 6 ### and AID_ISOLATED_END (99999). 7 ### 8 9 typeattribute isolated_app coredomain; 10 11 app_domain(isolated_app) 12 13 # Access already open app data files received over Binder or local socket IPC. 14 allow isolated_app app_data_file:file { append read write getattr lock }; 15 16 allow isolated_app activity_service:service_manager find; 17 allow isolated_app display_service:service_manager find; 18 allow isolated_app webviewupdate_service:service_manager find; 19 20 # Google Breakpad (crash reporter for Chrome) relies on ptrace 21 # functionality. Without the ability to ptrace, the crash reporter 22 # tool is broken. 23 # b/20150694 24 # https://code.google.com/p/chromium/issues/detail?id=475270 25 allow isolated_app self:process ptrace; 26 27 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps 28 # by other processes. Open should never be allowed, and is blocked by 29 # neverallow rules below. 30 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs 31 # is modified to change the secontext when accessing the lower filesystem. 32 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock }; 33 34 # For webviews, isolated_app processes can be forked from the webview_zygote 35 # in addition to the zygote. Allow access to resources inherited from the 36 # webview_zygote process. These rules are specialized copies of the ones in app.te. 37 # Inherit FDs from the webview_zygote. 38 allow isolated_app webview_zygote:fd use; 39 # Notify webview_zygote of child death. 40 allow isolated_app webview_zygote:process sigchld; 41 # Inherit logd write socket. 42 allow isolated_app webview_zygote:unix_dgram_socket write; 43 # Read system properties managed by webview_zygote. 44 allow isolated_app webview_zygote_tmpfs:file read; 45 46 # TODO (b/63631799) fix this access 47 # suppress denials to /data/local/tmp 48 dontaudit isolated_app shell_data_file:dir search; 49 50 # Write app-specific trace data to the Perfetto traced damon. This requires 51 # connecting to its producer socket and obtaining a (per-process) tmpfs fd. 52 allow isolated_app traced:fd use; 53 allow isolated_app traced_tmpfs:file { read write getattr map }; 54 unix_socket_connect(isolated_app, traced_producer, traced) 55 56 ##### 57 ##### Neverallow 58 ##### 59 60 # Do not allow isolated_app to directly open tun_device 61 neverallow isolated_app tun_device:chr_file open; 62 63 # Isolated apps should not directly open app data files themselves. 64 neverallow isolated_app app_data_file:file open; 65 66 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) 67 # TODO: are there situations where isolated_apps write to this file? 68 # TODO: should we tighten these restrictions further? 69 neverallow isolated_app anr_data_file:file ~{ open append }; 70 neverallow isolated_app anr_data_file:dir ~search; 71 72 # Isolated apps must not be permitted to use HwBinder 73 neverallow isolated_app hwbinder_device:chr_file *; 74 neverallow isolated_app *:hwservice_manager *; 75 76 # Isolated apps must not be permitted to use VndBinder 77 neverallow isolated_app vndbinder_device:chr_file *; 78 79 # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager 80 # except the find actions for services whitelisted below. 81 neverallow isolated_app *:service_manager ~find; 82 83 # b/17487348 84 # Isolated apps can only access three services, 85 # activity_service, display_service and webviewupdate_service. 86 neverallow isolated_app { 87 service_manager_type 88 -activity_service 89 -display_service 90 -webviewupdate_service 91 }:service_manager find; 92 93 # Isolated apps shouldn't be able to access the driver directly. 94 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; 95 96 # Do not allow isolated_app access to /cache 97 neverallow isolated_app cache_file:dir ~{ r_dir_perms }; 98 neverallow isolated_app cache_file:file ~{ read getattr }; 99 100 # Do not allow isolated_app to access external storage, except for files passed 101 # via file descriptors (b/32896414). 102 neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr; 103 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *; 104 neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *; 105 neverallow isolated_app sdcard_type:file ~{ read write append getattr lock }; 106 107 # Do not allow USB access 108 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; 109 110 # Restrict the webview_zygote control socket. 111 neverallow isolated_app webview_zygote:sock_file write; 112 113 # Limit the /sys files which isolated_app can access. This is important 114 # for controlling isolated_app attack surface. 115 neverallow isolated_app { 116 sysfs_type 117 -sysfs_devices_system_cpu 118 -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852) 119 }:file no_rw_file_perms; 120