platform_system_sepolicy/private/isolated_app.te

###
### isolated_apps.
###
### This file defines the rules for isolated apps that does not wish to use
### service managers and does not require extra computational resources.
###

typeattribute isolated_app coredomain;

app_domain(isolated_app)
isolated_app_domain(isolated_app)

allow isolated_app webviewupdate_service:service_manager find;

# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules in isolated_app_all attribute.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };

# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
Move isolated_app policy to private This leaves only the existence of isolated_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from isolated_app_current attribute (as expected). Bug: 31364497 Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3 2017-01-06 01:06:54 +01:00			`###`
Share isolated properties across islolated apps Introduce isolated_app_all typeattribute to share policies between isolated_app and future similar apps that wish to be enforced with isolation properties. Bug: 255597123 Test: m && presubmit Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89 2023-01-20 04:34:19 +01:00			`### isolated_apps.`
Move isolated_app policy to private This leaves only the existence of isolated_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from isolated_app_current attribute (as expected). Bug: 31364497 Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3 2017-01-06 01:06:54 +01:00			`###`
Share isolated properties across islolated apps Introduce isolated_app_all typeattribute to share policies between isolated_app and future similar apps that wish to be enforced with isolation properties. Bug: 255597123 Test: m && presubmit Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89 2023-01-20 04:34:19 +01:00			`### This file defines the rules for isolated apps that does not wish to use`
			`### service managers and does not require extra computational resources.`
Move isolated_app policy to private This leaves only the existence of isolated_app domain as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules from isolated_app_current attribute (as expected). Bug: 31364497 Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3 2017-01-06 01:06:54 +01:00			`###`

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute isolated_app coredomain;`

Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665 2016-12-08 20:23:34 +01:00			`app_domain(isolated_app)`
Share isolated properties across islolated apps Introduce isolated_app_all typeattribute to share policies between isolated_app and future similar apps that wish to be enforced with isolation properties. Bug: 255597123 Test: m && presubmit Change-Id: I0d53816f71e7d7a91cc379bcba796ba65a197c89 2023-01-20 04:34:19 +01:00			`isolated_app_domain(isolated_app)`
Add isolated_compute_app domain Provides a new domain to enable secure sensitive data processing. This allows processing of sensitive data, while enforcing necessary privacy restrictions to prevent the egress of data via network, IPC or file system. Bug: 255597123 Test: m && manual - sample app with IsolatedProcess=True can use camera service Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d 2023-01-17 09:16:44 +01:00
			`allow isolated_app webviewupdate_service:service_manager find;`

			`# Allow access to network sockets received over IPC. New socket creation is not`
			`# permitted.`
			`allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };`

			`# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps`
			`# by other processes. Open should never be allowed, and is blocked by`
			`# neverallow rules in isolated_app_all attribute.`
			`# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs`
			`# is modified to change the secontext when accessing the lower filesystem.`
			`allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };`

			`# For webviews, isolated_app processes can be forked from the webview_zygote`
			`# in addition to the zygote. Allow access to resources inherited from the`
			`# webview_zygote process. These rules are specialized copies of the ones in app.te.`
			`# Inherit FDs from the webview_zygote.`
			`allow isolated_app webview_zygote:fd use;`
			`# Notify webview_zygote of child death.`
			`allow isolated_app webview_zygote:process sigchld;`
			`# Inherit logd write socket.`
			`allow isolated_app webview_zygote:unix_dgram_socket write;`
			`# Read system properties managed by webview_zygote.`
			`allow isolated_app webview_zygote_tmpfs:file read;`