| ### |
| ### Services with isolatedProcess=true in their manifest. |
| ### |
| ### This file defines the rules for isolated apps. An "isolated |
| ### app" is an APP with UID between AID_ISOLATED_START (99000) |
| ### and AID_ISOLATED_END (99999). |
| ### |
| |
| typeattribute isolated_app coredomain; |
| |
| app_domain(isolated_app) |
| |
| # Access already open app data files received over Binder or local socket IPC. |
| allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map }; |
| |
| # Allow access to network sockets received over IPC. New socket creation is not |
| # permitted. |
| allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl }; |
| |
| allow isolated_app activity_service:service_manager find; |
| allow isolated_app display_service:service_manager find; |
| allow isolated_app webviewupdate_service:service_manager find; |
| |
| # Google Breakpad (crash reporter for Chrome) relies on ptrace |
| # functionality. Without the ability to ptrace, the crash reporter |
| # tool is broken. |
| # b/20150694 |
| # https://code.google.com/p/chromium/issues/detail?id=475270 |
| allow isolated_app self:process ptrace; |
| |
| # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps |
| # by other processes. Open should never be allowed, and is blocked by |
| # neverallow rules below. |
| # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs |
| # is modified to change the secontext when accessing the lower filesystem. |
| allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map }; |
| |
| # For webviews, isolated_app processes can be forked from the webview_zygote |
| # in addition to the zygote. Allow access to resources inherited from the |
| # webview_zygote process. These rules are specialized copies of the ones in app.te. |
| # Inherit FDs from the webview_zygote. |
| allow isolated_app webview_zygote:fd use; |
| # Notify webview_zygote of child death. |
| allow isolated_app webview_zygote:process sigchld; |
| # Inherit logd write socket. |
| allow isolated_app webview_zygote:unix_dgram_socket write; |
| # Read system properties managed by webview_zygote. |
| allow isolated_app webview_zygote_tmpfs:file read; |
| |
| # Inherit FDs from the app_zygote. |
| allow isolated_app app_zygote:fd use; |
| # Notify app_zygote of child death. |
| allow isolated_app app_zygote:process sigchld; |
| # Inherit logd write socket. |
| allow isolated_app app_zygote:unix_dgram_socket write; |
| |
| # TODO (b/63631799) fix this access |
| # suppress denials to /data/local/tmp |
| dontaudit isolated_app shell_data_file:dir search; |
| |
| # Write app-specific trace data to the Perfetto traced damon. This requires |
| # connecting to its producer socket and obtaining a (per-process) tmpfs fd. |
| perfetto_producer(isolated_app) |
| |
| # Allow profiling if the main app has been marked as profileable or |
| # debuggable. |
| can_profile_heap(isolated_app) |
| can_profile_perf(isolated_app) |
| |
| ##### |
| ##### Neverallow |
| ##### |
| |
| # Isolated apps should not directly open app data files themselves. |
| neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open; |
| |
| # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) |
| # TODO: are there situations where isolated_apps write to this file? |
| # TODO: should we tighten these restrictions further? |
| neverallow isolated_app anr_data_file:file ~{ open append }; |
| neverallow isolated_app anr_data_file:dir ~search; |
| |
| # Isolated apps must not be permitted to use HwBinder |
| neverallow isolated_app hwbinder_device:chr_file *; |
| neverallow isolated_app *:hwservice_manager *; |
| |
| # Isolated apps must not be permitted to use VndBinder |
| neverallow isolated_app vndbinder_device:chr_file *; |
| |
| # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager |
| # except the find actions for services allowlisted below. |
| neverallow isolated_app *:service_manager ~find; |
| |
| # b/17487348 |
| # Isolated apps can only access three services, |
| # activity_service, display_service, webviewupdate_service. |
| neverallow isolated_app { |
| service_manager_type |
| -activity_service |
| -display_service |
| -webviewupdate_service |
| }:service_manager find; |
| |
| # Isolated apps shouldn't be able to access the driver directly. |
| neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; |
| |
| # Do not allow isolated_app access to /cache |
| neverallow isolated_app cache_file:dir ~{ r_dir_perms }; |
| neverallow isolated_app cache_file:file ~{ read getattr }; |
| |
| # Do not allow isolated_app to access external storage, except for files passed |
| # via file descriptors (b/32896414). |
| neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr; |
| neverallow isolated_app { storage_file mnt_user_file }:file_class_set *; |
| neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *; |
| neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map }; |
| |
| # Do not allow USB access |
| neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; |
| |
| # Restrict the webview_zygote control socket. |
| neverallow isolated_app webview_zygote:sock_file write; |
| |
| # Limit the /sys files which isolated_app can access. This is important |
| # for controlling isolated_app attack surface. |
| neverallow isolated_app { |
| sysfs_type |
| -sysfs_devices_system_cpu |
| -sysfs_transparent_hugepage |
| -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852) |
| -sysfs_fs_incfs_features |
| }:file no_rw_file_perms; |
| |
| # No creation of sockets families other than AF_UNIX sockets. |
| # List taken from system/sepolicy/public/global_macros - socket_class_set |
| # excluding unix_stream_socket and unix_dgram_socket. |
| # Many of these are socket families which have never and will never |
| # be compiled into the Android kernel. |
| neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{ |
| socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket |
| key_socket appletalk_socket netlink_route_socket |
| netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket |
| netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket |
| netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket |
| netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket |
| netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket |
| netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket |
| netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket |
| rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket |
| bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket |
| ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket |
| qipcrtr_socket smc_socket xdp_socket |
| } create; |