prebuilts/api/31.0/private/isolated_app.te - LeafOS-Project/android_system_sepolicy - Gitiles

 ###
 ### Services with isolatedProcess=true in their manifest.
 ###
 ### This file defines the rules for isolated apps. An "isolated
 ### app" is an APP with UID between AID_ISOLATED_START (99000)
 ### and AID_ISOLATED_END (99999).
 ###

 typeattribute isolated_app coredomain;

 app_domain(isolated_app)

 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };

 # Allow access to network sockets received over IPC. New socket creation is not
 # permitted.
 allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 allow isolated_app webviewupdate_service:service_manager find;

 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
 # b/20150694
 # https://code.google.com/p/chromium/issues/detail?id=475270
 allow isolated_app self:process ptrace;

 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
 # by other processes. Open should never be allowed, and is blocked by
 # neverallow rules below.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };

 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
 # webview_zygote process. These rules are specialized copies of the ones in app.te.
 # Inherit FDs from the webview_zygote.
 allow isolated_app webview_zygote:fd use;
 # Notify webview_zygote of child death.
 allow isolated_app webview_zygote:process sigchld;
 # Inherit logd write socket.
 allow isolated_app webview_zygote:unix_dgram_socket write;
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;

 # Inherit FDs from the app_zygote.
 allow isolated_app app_zygote:fd use;
 # Notify app_zygote of child death.
 allow isolated_app app_zygote:process sigchld;
 # Inherit logd write socket.
 allow isolated_app app_zygote:unix_dgram_socket write;

 # TODO (b/63631799) fix this access
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;

 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(isolated_app)

 # Allow profiling if the main app has been marked as profileable or
 # debuggable.
 can_profile_heap(isolated_app)
 can_profile_perf(isolated_app)

 #####
 ##### Neverallow
 #####

 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app { app_data_file privapp_data_file }:file open;

 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
 # TODO: should we tighten these restrictions further?
 neverallow isolated_app anr_data_file:file ~{ open append };
 neverallow isolated_app anr_data_file:dir ~search;

 # Isolated apps must not be permitted to use HwBinder
 neverallow isolated_app hwbinder_device:chr_file *;
 neverallow isolated_app *:hwservice_manager *;

 # Isolated apps must not be permitted to use VndBinder
 neverallow isolated_app vndbinder_device:chr_file *;

 # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
 # except the find actions for services allowlisted below.
 neverallow isolated_app *:service_manager ~find;

 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service, webviewupdate_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
     -display_service
     -webviewupdate_service
 }:service_manager find;

 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

 # Do not allow isolated_app access to /cache
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };

 # Do not allow isolated_app to access external storage, except for files passed
 # via file descriptors (b/32896414).
 neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
 neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
 neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };

 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;

 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote:sock_file write;

 # Limit the /sys files which isolated_app can access. This is important
 # for controlling isolated_app attack surface.
 neverallow isolated_app {
   sysfs_type
   -sysfs_devices_system_cpu
   -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
   -sysfs_fs_incfs_features
 }:file no_rw_file_perms;

 # No creation of sockets families other than AF_UNIX sockets.
 # List taken from system/sepolicy/public/global_macros - socket_class_set
 # excluding unix_stream_socket and unix_dgram_socket.
 # Many of these are socket families which have never and will never
 # be compiled into the Android kernel.
 neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
   socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
   key_socket appletalk_socket netlink_route_socket
   netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
   netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
   netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
   netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
   netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
   netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
   netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
   rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
   ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
   qipcrtr_socket smc_socket xdp_socket
 } create;
	###
	### Services with isolatedProcess=true in their manifest.
	###
	### This file defines the rules for isolated apps. An "isolated
	### app" is an APP with UID between AID_ISOLATED_START (99000)
	### and AID_ISOLATED_END (99999).
	###

	typeattribute isolated_app coredomain;

	app_domain(isolated_app)

	# Access already open app data files received over Binder or local socket IPC.
	allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };

	# Allow access to network sockets received over IPC. New socket creation is not
	# permitted.
	allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

	allow isolated_app activity_service:service_manager find;
	allow isolated_app display_service:service_manager find;
	allow isolated_app webviewupdate_service:service_manager find;

	# Google Breakpad (crash reporter for Chrome) relies on ptrace
	# functionality. Without the ability to ptrace, the crash reporter
	# tool is broken.
	# b/20150694
	# https://code.google.com/p/chromium/issues/detail?id=475270
	allow isolated_app self:process ptrace;

	# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
	# by other processes. Open should never be allowed, and is blocked by
	# neverallow rules below.
	# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
	# is modified to change the secontext when accessing the lower filesystem.
	allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };

	# For webviews, isolated_app processes can be forked from the webview_zygote
	# in addition to the zygote. Allow access to resources inherited from the
	# webview_zygote process. These rules are specialized copies of the ones in app.te.
	# Inherit FDs from the webview_zygote.
	allow isolated_app webview_zygote:fd use;
	# Notify webview_zygote of child death.
	allow isolated_app webview_zygote:process sigchld;
	# Inherit logd write socket.
	allow isolated_app webview_zygote:unix_dgram_socket write;
	# Read system properties managed by webview_zygote.
	allow isolated_app webview_zygote_tmpfs:file read;

	# Inherit FDs from the app_zygote.
	allow isolated_app app_zygote:fd use;
	# Notify app_zygote of child death.
	allow isolated_app app_zygote:process sigchld;
	# Inherit logd write socket.
	allow isolated_app app_zygote:unix_dgram_socket write;

	# TODO (b/63631799) fix this access
	# suppress denials to /data/local/tmp
	dontaudit isolated_app shell_data_file:dir search;

	# Write app-specific trace data to the Perfetto traced damon. This requires
	# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
	perfetto_producer(isolated_app)

	# Allow profiling if the main app has been marked as profileable or
	# debuggable.
	can_profile_heap(isolated_app)
	can_profile_perf(isolated_app)

	#####
	##### Neverallow
	#####

	# Isolated apps should not directly open app data files themselves.
	neverallow isolated_app { app_data_file privapp_data_file }:file open;

	# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
	# TODO: are there situations where isolated_apps write to this file?
	# TODO: should we tighten these restrictions further?
	neverallow isolated_app anr_data_file:file ~{ open append };
	neverallow isolated_app anr_data_file:dir ~search;

	# Isolated apps must not be permitted to use HwBinder
	neverallow isolated_app hwbinder_device:chr_file *;
	neverallow isolated_app :hwservice_manager ;

	# Isolated apps must not be permitted to use VndBinder
	neverallow isolated_app vndbinder_device:chr_file *;

	# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
	# except the find actions for services allowlisted below.
	neverallow isolated_app *:service_manager ~find;

	# b/17487348
	# Isolated apps can only access three services,
	# activity_service, display_service, webviewupdate_service.
	neverallow isolated_app {
	service_manager_type
	-activity_service
	-display_service
	-webviewupdate_service
	}:service_manager find;

	# Isolated apps shouldn't be able to access the driver directly.
	neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

	# Do not allow isolated_app access to /cache
	neverallow isolated_app cache_file:dir ~{ r_dir_perms };
	neverallow isolated_app cache_file:file ~{ read getattr };

	# Do not allow isolated_app to access external storage, except for files passed
	# via file descriptors (b/32896414).
	neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
	neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
	neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
	neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };

	# Do not allow USB access
	neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;

	# Restrict the webview_zygote control socket.
	neverallow isolated_app webview_zygote:sock_file write;

	# Limit the /sys files which isolated_app can access. This is important
	# for controlling isolated_app attack surface.
	neverallow isolated_app {
	sysfs_type
	-sysfs_devices_system_cpu
	-sysfs_transparent_hugepage
	-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
	-sysfs_fs_incfs_features
	}:file no_rw_file_perms;

	# No creation of sockets families other than AF_UNIX sockets.
	# List taken from system/sepolicy/public/global_macros - socket_class_set
	# excluding unix_stream_socket and unix_dgram_socket.
	# Many of these are socket families which have never and will never
	# be compiled into the Android kernel.
	neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
	socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
	key_socket appletalk_socket netlink_route_socket
	netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
	netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
	netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
	netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
	netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
	netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
	netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
	rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
	bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
	ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
	qipcrtr_socket smc_socket xdp_socket
	} create;