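###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### Policy shape: a short list of allow rules granting the minimum an
### isolated process needs (inherited fds, three Binder services, crash
### reporting, tracing/profiling), followed by neverallow assertions that
### pin the sandbox boundary at policy build time. When adding an allow
### rule here, check it against the neverallow section below first.
###

typeattribute isolated_app coredomain;

app_domain(isolated_app)

# Access already open app data files received over Binder or local socket IPC.
# Note that "open" is deliberately absent: the process may only use fds that
# another domain opened and handed to it (see the neverallow below).
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };

# The only Binder services an isolated process may look up. The set is
# enforced by the service_manager neverallow rules below, so extending it
# requires changing both places.
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;

# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
# This is self-only ptrace; no rule here grants ptrace of other domains.
allow isolated_app self:process ptrace;

# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open is intentionally not granted here; for sdcard_type
# it is additionally asserted by the neverallow rule below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
# NOTE(review): this file has no neverallow covering media_rw_data_file, so
# the "open is blocked" guarantee for it rests on no other rule granting open
# to isolated_app -- confirm in app.te/domain.te before relying on it.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };

# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;

# Same inherited-resource rules for processes forked from the app_zygote.
# Inherit FDs from the app_zygote.
allow isolated_app app_zygote:fd use;
# Notify app_zygote of child death.
allow isolated_app app_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app app_zygote:unix_dgram_socket write;

# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
# dontaudit only silences the audit log; the search is still denied.
dontaudit isolated_app shell_data_file:dir search;

# Write app-specific trace data to the Perfetto traced daemon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(isolated_app)

# Allow heap profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)

#####
##### Neverallow
#####
##### These are build-time assertions: a policy that grants any of the
##### permissions below to isolated_app fails to compile. They document the
##### intended sandbox boundary independently of the allow rules above.
#####

# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file }:file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;

# Isolated apps must not be permitted to use HwBinder
neverallow isolated_app hwbinder_device:chr_file *;
neverallow isolated_app *:hwservice_manager *;

# Isolated apps must not be permitted to use VndBinder
neverallow isolated_app vndbinder_device:chr_file *;

# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;

# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service, webviewupdate_service.
# This list must stay in sync with the service_manager allow rules above.
neverallow isolated_app {
  service_manager_type
  -activity_service
  -display_service
  -webviewupdate_service
}:service_manager find;

# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };

# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
# Mirrors the fd-passing allow rule above: everything except the permissions
# usable on an already-open fd (in particular open) is forbidden.
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };

# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;

# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote:sock_file write;

# Limit the /sys files which isolated_app can access. This is important
# for controlling isolated_app attack surface.
neverallow isolated_app {
  sysfs_type
  -sysfs_devices_system_cpu
  -sysfs_transparent_hugepage
  -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
}:file no_rw_file_perms;

# No creation of sockets families other than AF_UNIX sockets.
# List taken from system/sepolicy/public/global_macros - socket_class_set
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
# Only "create" is asserted here; use of inherited sockets of these classes
# is governed by the separate allow rules (e.g. the logd unix_dgram_socket).
neverallow isolated_app self:{
  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
  key_socket appletalk_socket netlink_route_socket
  netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
  netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
  netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
  netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
  netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
  rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
  ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
  qipcrtr_socket smc_socket xdp_socket
} create;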