platform_system_sepolicy/private/isolated_app_all.te
Charles Chen 3d4a6b7474 Add isolated_compute_app domain
Provides a new domain to enable secure sensitive data processing. This
allows processing of sensitive data, while enforcing necessary privacy
restrictions to prevent the egress of data via network, IPC or file
system.

Bug: 255597123
Test: m &&  manual - sample app with IsolatedProcess=True can use camera
service

Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
2023-01-31 15:24:55 +00:00

120 lines
5.3 KiB
Text

###
### isolated_app_all.
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules shared by all isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
allow isolated_app_all activity_service:service_manager find;
allow isolated_app_all display_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app_all self:process ptrace;
# Inherit FDs from the app_zygote.
allow isolated_app_all app_zygote:fd use;
# Notify app_zygote of child death.
allow isolated_app_all app_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app_all app_zygote:unix_dgram_socket write;
# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
dontaudit isolated_app_all shell_data_file:dir search;
#####
##### Neverallow
#####
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app_all anr_data_file:file ~{ open append };
neverallow isolated_app_all anr_data_file:dir ~search;
# Isolated apps must not be permitted to use HwBinder
neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;
# Isolated apps must not be permitted to use VndBinder
neverallow isolated_app_all vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services allowlisted below.
neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service, webviewupdate_service.
neverallow { isolated_app_all -isolated_compute_app } {
service_manager_type
-activity_service
-display_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_apps access to /cache
neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
neverallow isolated_app_all cache_file:file ~{ read getattr };
# Do not allow isolated_app_all to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app_all { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app_all { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app_all webview_zygote:sock_file write;
# Limit the /sys files which isolated_app_all can access. This is important
# for controlling isolated_app_all attack surface.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
neverallow { isolated_app_all -isolated_compute_app } {
sysfs_type
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
-sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
# List taken from system/sepolicy/public/global_macros - socket_class_set
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
qipcrtr_socket smc_socket xdp_socket
} create;