Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a3903974075f3ed8f83faf0ab9983187ad928da0 / . / private / isolated_app.te
blob: bfe738b5be4269c9eb0e0ea37adfdacb3c86bc7d [file] [log] [blame]
Alex Klyubina3903972017-01-05 16:06:54 -0800[diff] [blame^]1###
2### Services with isolatedProcess=true in their manifest.
3###
4### This file defines the rules for isolated apps. An "isolated
5### app" is an APP with UID between AID_ISOLATED_START (99000)
6### and AID_ISOLATED_END (99999).
7###
8
dcashman3e8dbf02016-12-08 11:23:34 -0800[diff] [blame]9app_domain(isolated_app)
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]10
Alex Klyubina3903972017-01-05 16:06:54 -0800[diff] [blame^]11# Access already open app data files received over Binder or local socket IPC.
12allow isolated_app app_data_file:file { append read write getattr lock };
13
14allow isolated_app activity_service:service_manager find;
15allow isolated_app display_service:service_manager find;
16allow isolated_app webviewupdate_service:service_manager find;
17
18# Google Breakpad (crash reporter for Chrome) relies on ptrace
19# functionality. Without the ability to ptrace, the crash reporter
20# tool is broken.
21# b/20150694
22# https://code.google.com/p/chromium/issues/detail?id=475270
23allow isolated_app self:process ptrace;
24
25# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
26# by other processes. Open should never be allowed, and is blocked by
27# neverallow rules below.
28# TODO: consider removing write/append. We want to limit isolated_apps
29# ability to mutate files of any type.
30# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
31# is modified to change the secontext when accessing the lower filesystem.
32allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
33auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
34
35# For webviews, isolated_app processes can be forked from the webview_zygote
36# in addition to the zygote. Allow access to resources inherited from the
37# webview_zygote process. These rules are specialized copies of the ones in app.te.
38# Inherit FDs from the webview_zygote.
39allow isolated_app webview_zygote:fd use;
40# Notify webview_zygote of child death.
41allow isolated_app webview_zygote:process sigchld;
42# Inherit logd write socket.
43allow isolated_app webview_zygote:unix_dgram_socket write;
dcashman2e00e632016-10-12 14:58:09 -0700[diff] [blame]44# Read system properties managed by webview_zygote.
45allow isolated_app webview_zygote_tmpfs:file read;
Alex Klyubina3903972017-01-05 16:06:54 -0800[diff] [blame^]46
47#####
48##### Neverallow
49#####
50
51# Do not allow isolated_app to directly open tun_device
52neverallow isolated_app tun_device:chr_file open;
53
54# Do not allow isolated_app to set system properties.
55neverallow isolated_app property_socket:sock_file write;
56neverallow isolated_app property_type:property_service set;
57
58# Isolated apps should not directly open app data files themselves.
59neverallow isolated_app app_data_file:file open;
60
61# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
62# TODO: are there situations where isolated_apps write to this file?
63# TODO: should we tighten these restrictions further?
64neverallow isolated_app anr_data_file:file ~{ open append };
65neverallow isolated_app anr_data_file:dir ~search;
66
67# b/17487348
68# Isolated apps can only access three services,
69# activity_service, display_service and webviewupdate_service.
70neverallow isolated_app {
71 service_manager_type
72 -activity_service
73 -display_service
74 -webviewupdate_service
75}:service_manager find;
76
77# Isolated apps shouldn't be able to access the driver directly.
78neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
79
80# Do not allow isolated_app access to /cache
81neverallow isolated_app cache_file:dir ~{ r_dir_perms };
82neverallow isolated_app cache_file:file ~{ read getattr };
83
84# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
85# ioctl permission, or 3. disallow the socket class.
86neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
87neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
88neverallow isolated_app *:{
89 socket netlink_socket packet_socket key_socket appletalk_socket
90 netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
91 netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
92 netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
93 netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
94 netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
95 netlink_rdma_socket netlink_crypto_socket
96} *;
97
98# Do not allow isolated_app to access external storage, except for files passed
99# via file descriptors (b/32896414).
100neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
101neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
102neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
103neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
104
105# Do not allow USB access
106neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
107
108# Restrict the webview_zygote control socket.
109neverallow isolated_app webview_zygote_socket:sock_file write;
110
111# Avoid reads from generically labeled /proc files
112# Create a more specific label if needed
113neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };