platform_system_sepolicy/isolated_app.te

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###

type isolated_app, domain;
app_domain(isolated_app)
net_domain(isolated_app)

# read and write access to app_data_file is already
# granted via app.te. Allow execute.
# Needed to allow dlopen() from Chrome renderer processes.
# See b/15902433 for details.
allow isolated_app app_data_file:file execute;
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f 2013-07-13 01:33:29 +02:00			`###`
			`### Services with isolatedProcess=true in their manifest.`
			`###`
			`### This file defines the rules for isolated apps. An "isolated`
			`### app" is an APP with UID between AID_ISOLATED_START (99000)`
			`### and AID_ISOLATED_END (99999).`
			`###`
			`### isolated_app includes all the appdomain rules, plus the`
			`### additional following rules:`
			`###`

			`type isolated_app, domain;`
			`app_domain(isolated_app)`
Resolve overlapping rules between app.te and net.te. There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain. Resolve this overlap by: 1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket. 2) Adding net_domain() calls to all existing app domains that do not already have it. 3) Deleting the redundant socket rules from app.te. Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access. Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions. Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 16:48:03 +01:00			`net_domain(isolated_app)`
isolated_app: allow app_data_file execute Chrome renderer processes dlopen() a shared library from gmscore. Open and read on app data file is already allowed, but execute isn't, so the dlopen() fails. This is a regression from K, where the dlopen succeeded. Longer term, there's questions about whether this is appropriate behavior for an isolated app. For now, allow the behavior. See the discussion in b/15902433 for details. Addresses the following denial: I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file Bug: 15902433 Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678 2014-06-28 00:19:04 +02:00
			`# read and write access to app_data_file is already`
			`# granted via app.te. Allow execute.`
			`# Needed to allow dlopen() from Chrome renderer processes.`
			`# See b/15902433 for details.`
			`allow isolated_app app_data_file:file execute;`