Add more neverallows to app_zygote policy.
The app_zygote should never use any unix sockets, except the
logd socket and some sockets only available on userdebug/eng.
Prevent it from using ptrace.
Bug: 111434506
Test: builds
Change-Id: Ic47cfca51fba0b150a136194ba0e4a8a488c9996
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 2cb7e0e..aa5be4c 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -126,6 +126,27 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
+# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
+# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Think twice before changing.
+neverallow app_zygote {
+ domain
+ -app_zygote
+ -logd
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+}:unix_dgram_socket *;
+
+neverallow app_zygote {
+ domain
+ -app_zygote
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+}:unix_stream_socket *;
+
+# Never allow ptrace
+neverallow app_zygote *:process ptrace;
+
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {