Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 418a322..37935c3 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -46,6 +46,10 @@
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;
 
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
 #####
 ##### Neverallow
 #####
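Review bot: The `dontaudit` at line 17 silences a denial that is itself a useful signal — an isolated app probing /data/local/tmp is exactly the kind of sandbox-escape attempt a policy auditor would want to see — and the TODO comment does not say that the access stays denied, so a later reader may mistake this for a grant. I would expand the comment to `# dontaudit does not grant the access: the search is still denied, only the audit` / `# message is suppressed. Remove once b/63631799 stops the access attempt.` so the rule's intent and its removal condition are explicit. If the same code path also touches files under the directory (getattr/open on shell_data_file:file), this rule alone will not quiet those denials; that cannot be confirmed from the hunk.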
@@ -62,6 +66,17 @@
 neverallow isolated_app anr_data_file:file ~{ open append };
 neverallow isolated_app anr_data_file:dir ~search;
 
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service and webviewupdate_service.
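Review bot: The comments on lines 26 and 30 describe the goal but not why `chr_file *` (rather than just `open`) is the right scope: using every permission means an isolated app cannot read, write or ioctl a /dev/hwbinder or /dev/vndbinder descriptor even if one is inherited or passed to it by a more privileged process, which is the case that actually matters for a sandbox domain. I would add `# '*' covers read/write/ioctl too, so a descriptor handed to the app over a unix socket is unusable as well.` under each of the two device neverallows. The "whitelisted below" on line 34 refers to the b/17487348 per-service rule whose body continues past the end of this hunk; the `~find` here only restricts the permission set, and the actual service whitelist is enforced by that following rule, so the two comments should be kept in sync when either changes.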