platform_system_sepolicy/isolated_app.te

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###

type isolated_app, domain, domain_deprecated;
app_domain(isolated_app)

# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { read write getattr lock };

allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;

# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;

#####
##### Neverallow
#####

# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;

# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;

# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;

# b/17487348
# Isolated apps can only access two services,
# activity_service and display_service
neverallow isolated_app {
    service_manager_type
    -activity_service
    -display_service
}:service_manager find;

# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f 2013-07-13 01:33:29 +02:00			`###`
			`### Services with isolatedProcess=true in their manifest.`
			`###`
			`### This file defines the rules for isolated apps. An "isolated`
			`### app" is an APP with UID between AID_ISOLATED_START (99000)`
			`### and AID_ISOLATED_END (99999).`
			`###`
			`### isolated_app includes all the appdomain rules, plus the`
			`### additional following rules:`
			`###`

Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c 2015-11-03 18:54:39 +01:00			`type isolated_app, domain, domain_deprecated;`
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f 2013-07-13 01:33:29 +02:00			`app_domain(isolated_app)`
isolated_app: allow app_data_file execute Chrome renderer processes dlopen() a shared library from gmscore. Open and read on app data file is already allowed, but execute isn't, so the dlopen() fails. This is a regression from K, where the dlopen succeeded. Longer term, there's questions about whether this is appropriate behavior for an isolated app. For now, allow the behavior. See the discussion in b/15902433 for details. Addresses the following denial: I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file Bug: 15902433 Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678 2014-06-28 00:19:04 +02:00
Do not allow isolated_app to directly open app data files. Only allow it to read/write/stat already open app data files received via Binder or local socket IPC. Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-11-21 18:28:42 +01:00			`# Access already open app data files received over Binder or local socket IPC.`
isolated_app: allow app_data_file lock Chrome's WebSQL implementation works by running sqlite in the sandboxed renderer process, and sqlite expects to be able to call flock() on the database file. Bug: 20134929 Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54 2015-04-09 18:55:12 +02:00			`allow isolated_app app_data_file:file { read write getattr lock };`
Do not allow isolated_app to directly open app data files. Only allow it to read/write/stat already open app data files received via Binder or local socket IPC. Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-11-21 18:28:42 +01:00
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef 2014-12-17 00:45:26 +01:00			`allow isolated_app activity_service:service_manager find;`
			`allow isolated_app display_service:service_manager find;`

Remove ptrace from app.te Remove ptrace from app.te, and only add it to the app domains which explicitly require it. Change-Id: I327aabd154ae07ce90e3529dee2b324ca125dd16 2015-10-14 01:20:05 +02:00			`# Google Breakpad (crash reporter for Chrome) relies on ptrace`
			`# functionality. Without the ability to ptrace, the crash reporter`
			`# tool is broken.`
			`# b/20150694`
			`# https://code.google.com/p/chromium/issues/detail?id=475270`
			`allow isolated_app self:process ptrace;`

update isolated_app service_manager rules isolated apps should only be able to access 2 services. Remove access permissions for services inappropriately added, and add a neverallow rule to prevent regressions. Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01 2015-03-05 21:10:30 +01:00			`#####`
			`##### Neverallow`
			`#####`

Allow bluetooth access to the tun device. Bluetooth uses the tun device for tethering. Allow access. STEPS TO REPRODUCE: 0. Have two devices to test on, say Device A and Device B 1. On Device A, Go to settings ->Bluetooth . 2. Turn on the Bluetooth . 3. Pair it with device B 4. Tap on the paired device OBSERVED RESULTS: -Bluetooth share crash is observed with "Bluetooth share has stopped" error message -Unable to use Bluetooth tethering due to this issue EXPECTED RESULTS: No crash and Bluetooth devices should be able to connect for tethering Addresses the following denial: com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0 Bug: 27372573 Change-Id: I07724d8d68ffcdda691f1179787a4f40a0ab1c73 2016-02-29 05:52:55 +01:00			`# Do not allow isolated_app to directly open tun_device`
			`neverallow isolated_app tun_device:chr_file open;`

Neverallow isolated and untrusted apps to write system properties and as a consequence open up for other appdomains (e.g. platform_app) to write system properties. Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7 2016-01-08 19:35:19 +01:00			`# Do not allow isolated_app to set system properties.`
			`neverallow isolated_app property_socket:sock_file write;`
			`neverallow isolated_app property_type:property_service set;`

update isolated_app service_manager rules isolated apps should only be able to access 2 services. Remove access permissions for services inappropriately added, and add a neverallow rule to prevent regressions. Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01 2015-03-05 21:10:30 +01:00			`# Isolated apps should not directly open app data files themselves.`
			`neverallow isolated_app app_data_file:file open;`

neverallow /data/anr access for isolated/untrusted apps Add a neverallow rule (compile time assertion + CTS test) that isolated_apps and untrusted_apps can't do anything else but append to /data/anr/traces.txt. In particular, assert that they can't read from the file, or overwrite other data which may already be in the file. Bug: 18340553 Bug: 27853304 Change-Id: I249fe2a46401b660efaa3f1102924a448ed750d5 2016-03-25 20:22:32 +01:00			`# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)`
			`# TODO: are there situations where isolated_apps write to this file?`
			`# TODO: should we tighten these restrictions further?`
			`neverallow isolated_app anr_data_file:file ~{ open append };`
			`neverallow isolated_app anr_data_file:dir ~search;`

update isolated_app service_manager rules isolated apps should only be able to access 2 services. Remove access permissions for services inappropriately added, and add a neverallow rule to prevent regressions. Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01 2015-03-05 21:10:30 +01:00			`# b/17487348`
			`# Isolated apps can only access two services,`
			`# activity_service and display_service`
			`neverallow isolated_app {`
			`service_manager_type`
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef 2014-12-17 00:45:26 +01:00			`-activity_service`
			`-display_service`
			`}:service_manager find;`
isolated_app: Do not allow access to the gpu_device. Bug: 17471434 Bug: 18609318 Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc 2015-04-09 23:31:16 +02:00
			`# Isolated apps shouldn't be able to access the driver directly.`
			`neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };`
Remove untrusted_app access to cache neverallow access to untrusted_app and isolated app Access to cache is a system\|signature permission. Only priv/system/platform apps should be allowed access. Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d 2015-10-16 02:11:27 +02:00
			`# Do not allow isolated_app access to /cache`
			`neverallow isolated_app cache_file:dir ~{ r_dir_perms };`
			`neverallow isolated_app cache_file:file ~{ read getattr };`