### ### isolated_app_all. ### ### Services with isolatedProcess=true in their manifest. ### ### This file defines the rules shared by all isolated apps. An "isolated ### app" is an APP with UID between AID_ISOLATED_START (99000) ### and AID_ISOLATED_END (99999). ### # Access already open app data files received over Binder or local socket IPC. allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map }; allow isolated_app_all activity_service:service_manager find; allow isolated_app_all display_service:service_manager find; # Google Breakpad (crash reporter for Chrome) relies on ptrace # functionality. Without the ability to ptrace, the crash reporter # tool is broken. # b/20150694 # https://code.google.com/p/chromium/issues/detail?id=475270 allow isolated_app_all self:process ptrace; # Inherit FDs from the app_zygote. allow isolated_app_all app_zygote:fd use; # Notify app_zygote of child death. allow isolated_app_all app_zygote:process sigchld; # Inherit logd write socket. allow isolated_app_all app_zygote:unix_dgram_socket write; # TODO (b/63631799) fix this access # suppress denials to /data/local/tmp dontaudit isolated_app_all shell_data_file:dir search; # Allow to read (but not open) staged apks. allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr }; ##### ##### Neverallow ##### # Isolated apps should not directly open app data files themselves. neverallow isolated_app_all app_data_file_type:file open; # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) # TODO: are there situations where isolated_apps write to this file? # TODO: should we tighten these restrictions further? neverallow isolated_app_all anr_data_file:file ~{ open append }; neverallow isolated_app_all anr_data_file:dir ~search; # Isolated apps must not be permitted to use HwBinder neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *; neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *; # Isolated apps must not be permitted to use VndBinder neverallow isolated_app_all vndbinder_device:chr_file *; # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager # except the find actions for services allowlisted below. neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find; # b/17487348 # Isolated apps can only access three services, # activity_service, display_service, webviewupdate_service. neverallow { isolated_app_all -isolated_compute_app } { service_manager_type -activity_service -display_service -webviewupdate_service }:service_manager find; # Isolated apps shouldn't be able to access the driver directly. neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute }; # Do not allow isolated_apps access to /cache neverallow isolated_app_all cache_file:dir ~{ r_dir_perms }; neverallow isolated_app_all cache_file:file ~{ read getattr }; # Do not allow isolated_app_all to access external storage, except for files passed # via file descriptors (b/32896414). neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr; neverallow isolated_app_all { storage_file mnt_user_file }:file_class_set *; neverallow isolated_app_all { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *; neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map }; # Do not allow USB access neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *; # Restrict the webview_zygote control socket. neverallow isolated_app_all webview_zygote:sock_file write; # Limit the /sys files which isolated_app_all can access. This is important # for controlling isolated_app_all attack surface. # TODO (b/266555480): The permission should be guarded by compliance test. # Remove the negation for member domains when refactorization is done. neverallow { isolated_app_all -isolated_compute_app } { sysfs_type -sysfs_devices_system_cpu -sysfs_transparent_hugepage -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852) -sysfs_fs_fuse_features -sysfs_fs_incfs_features }:file no_rw_file_perms; # No creation of sockets families other than AF_UNIX sockets. # List taken from system/sepolicy/public/global_macros - socket_class_set # excluding unix_stream_socket and unix_dgram_socket. # Many of these are socket families which have never and will never # be compiled into the Android kernel. neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket } create;