Ensure /sys restrictions for isolated_apps am: 62d3b4f103 am: 8f6a5f57f9 am: 9aa56dfb09 am: b59eadbd06 Change-Id: I5646f89c9ddfac78e663d4677275390192db1da1

commit: b9267f3d63d680fcdd3f2b796dbbe3130e06e3de [log] [tgz]
author: Nick Kralevich <nnk@google.com> Tue Oct 10 20:20:51 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Tue Oct 10 20:20:51 2017 +0000
tree: 9ec309aa9d000851a6fe75b0ff3b45e3351b056e
parent: eceee125d4966f9d5e3af0be646aa534eb4e4d01 [diff]
parent: b59eadbd068d7ff534c9b86846d8524b74a04226 [diff]
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 951a0df..30253af 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -103,3 +103,11 @@
 
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+  sysfs_type
+  -sysfs_devices_system_cpu
+  -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;
commit	b9267f3d63d680fcdd3f2b796dbbe3130e06e3de	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue Oct 10 20:20:51 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Tue Oct 10 20:20:51 2017 +0000
tree	9ec309aa9d000851a6fe75b0ff3b45e3351b056e
parent	eceee125d4966f9d5e3af0be646aa534eb4e4d01 [diff]
parent	b59eadbd068d7ff534c9b86846d8524b74a04226 [diff]