2017-01-10 00:34:27 +01:00
|
|
|
###
|
|
|
|
### Ephemeral apps.
|
|
|
|
###
|
|
|
|
### This file defines the security policy for apps with the ephemeral
|
|
|
|
### feature.
|
|
|
|
###
|
|
|
|
### The ephemeral_app domain is a reduced permissions sandbox allowing
|
|
|
|
### ephemeral applications to be safely installed and run. Non ephemeral
|
|
|
|
### applications may also opt-in to ephemeral to take advantage of the
|
|
|
|
### additional security features.
|
|
|
|
###
|
|
|
|
### PackageManager flags an app as ephemeral at install time.
|
|
|
|
|
2017-03-23 22:27:32 +01:00
|
|
|
typeattribute ephemeral_app coredomain;
|
|
|
|
|
2017-01-10 00:34:27 +01:00
|
|
|
net_domain(ephemeral_app)
|
2017-01-17 22:28:24 +01:00
|
|
|
app_domain(ephemeral_app)
|
2017-01-10 00:34:27 +01:00
|
|
|
|
2017-01-19 19:42:40 +01:00
|
|
|
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
|
|
|
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
|
|
|
|
|
2017-10-25 21:41:11 +02:00
|
|
|
# Some apps ship with shared libraries and binaries that they write out
|
|
|
|
# to their sandbox directory and then execute.
|
|
|
|
allow ephemeral_app app_data_file:file {r_file_perms execute};
|
|
|
|
|
2017-01-10 00:34:27 +01:00
|
|
|
# services
|
2017-03-29 23:53:09 +02:00
|
|
|
allow ephemeral_app audioserver_service:service_manager find;
|
|
|
|
allow ephemeral_app cameraserver_service:service_manager find;
|
|
|
|
allow ephemeral_app mediaserver_service:service_manager find;
|
|
|
|
allow ephemeral_app mediaextractor_service:service_manager find;
|
|
|
|
allow ephemeral_app mediacodec_service:service_manager find;
|
|
|
|
allow ephemeral_app mediametrics_service:service_manager find;
|
2017-05-30 19:17:34 +02:00
|
|
|
allow ephemeral_app mediadrmserver_service:service_manager find;
|
2017-10-05 01:18:27 +02:00
|
|
|
allow ephemeral_app drmserver_service:service_manager find;
|
2017-01-17 22:28:24 +01:00
|
|
|
allow ephemeral_app radio_service:service_manager find;
|
Start locking down access to services from ephemeral apps
This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.
Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3
2017-02-28 22:59:06 +01:00
|
|
|
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
2017-01-10 00:34:27 +01:00
|
|
|
|
2017-12-21 03:51:15 +01:00
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
|
|
allow ephemeral_app traced:fd use;
|
|
|
|
allow ephemeral_app traced_tmpfs:file { read write getattr map };
|
|
|
|
unix_socket_connect(ephemeral_app, traced_producer, traced)
|
|
|
|
|
2017-12-15 03:20:30 +01:00
|
|
|
# allow ephemeral apps to use UDP sockets provided by the system server but not
|
|
|
|
# modify them other than to connect
|
|
|
|
allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
|
|
|
|
|
2017-01-10 00:34:27 +01:00
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
2017-10-25 21:41:11 +02:00
|
|
|
neverallow ephemeral_app app_data_file:file execute_no_trans;
|
2017-01-10 00:34:27 +01:00
|
|
|
|
|
|
|
# Receive or send uevent messages.
|
|
|
|
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
|
|
|
|
|
|
|
# Receive or send generic netlink messages
|
|
|
|
neverallow ephemeral_app domain:netlink_socket *;
|
|
|
|
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
|
|
# best practice to ensure these files aren't readable.
|
|
|
|
neverallow ephemeral_app debugfs:file read;
|
|
|
|
|
|
|
|
# execute gpu_device
|
|
|
|
neverallow ephemeral_app gpu_device:chr_file execute;
|
|
|
|
|
|
|
|
# access files in /sys with the default sysfs label
|
|
|
|
neverallow ephemeral_app sysfs:file *;
|
|
|
|
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
|
|
# Create a more specific label if needed
|
|
|
|
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
2017-01-19 19:42:40 +01:00
|
|
|
|
|
|
|
# Directly access external storage
|
|
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
|
|
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
|
2017-03-15 22:26:18 +01:00
|
|
|
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
|
|
# ongoing connections.
|
|
|
|
neverallow ephemeral_app proc_net:file no_rw_file_perms;
|