Ensure /sys restrictions for isolated_apps
isolated_apps are intended to be strictly limited in which /sys files
they can read. Add a neverallow assertion to guarantee this on all
Android compatible devices.
Test: policy compiles.
Change-Id: I2980291dcf4e74bb12c81199d61c5eb8a182036c
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 951a0df..30253af 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -103,3 +103,11 @@
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;