tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/isolated_app.te
Shiwangi Shah 155d318876 Add ThermalService and file access to SdkSandbox 
Thermal Service access needs to be provided to Sdk Sandbox
for Webview to record battery related metrics. We also
provide isolated process access to the file directory for sandbox
so that the renderer process can access it.

Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f
2022-03-25 12:20:07 +00:00

153 lines
6.6 KiB
Text
Raw Blame History

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
typeattribute isolated_app coredomain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
# Inherit FDs from the app_zygote.
allow isolated_app app_zygote:fd use;
# Notify app_zygote of child death.
allow isolated_app app_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app app_zygote:unix_dgram_socket write;
# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(isolated_app)
# Allow profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
can_profile_perf(isolated_app)
#####
##### Neverallow
#####
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;
# Isolated apps must not be permitted to use HwBinder
neverallow isolated_app hwbinder_device:chr_file *;
neverallow isolated_app *:hwservice_manager *;
# Isolated apps must not be permitted to use VndBinder
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service, webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote:sock_file write;
# Limit the /sys files which isolated_app can access. This is important
# for controlling isolated_app attack surface.
neverallow isolated_app {
sysfs_type
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
-sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
# List taken from system/sepolicy/public/global_macros - socket_class_set
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
qipcrtr_socket smc_socket xdp_socket
} create;
Reference in a new issue View git blame Copy permalink