1bbda7e662
The application zygote is a new sort of zygote process that is a child of the regular zygote. Each application zygote is tied to the application for which it's launched. Once it's started, it will pre-load some of the code for that specific application, much like the regular zygote does for framework code. Once the application zygote is up and running, it can spawn isolated service processes that run in the isolated_app domain. These services can then benefit from already having the relevant application code and data pre-loaded. The policy is largely the same as the webview_zygote domain; however, there are a few crucial points where the policy is different. 1) The app_zygote runs under the UID of the application that spawned it. 2) During app_zygote launch, it will call a callback that is controlled by the application, which allows the application to pre-load code and data that it thinks is relevant. Point 2 is especially important: it means that untrusted code can run in the app_zygote context. This context is severely limited, and the main concern is around the setgid/setuid capabilities. Those concerns are mitigated by installing a seccomp filter that only allows setgid/setuid to be called in a safe range. Bug: 111434506 Test: app_zygote can start and fork children without denials. Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
# Access to the package manager property types. get_prop is defined in
# te_macros (not visible here) and is presumably the read-only property
# macro; confirm there before relying on it. From the name, exported_pm_prop
# is the subset of pm properties that is deliberately made visible outside
# the core system, so coredomain needs both types to see the full set.
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
# LED sysfs nodes are vendor territory: on Treble devices no core domain may
# touch them at all except the three below, so everything else has to go
# through the lights HAL. Note the permission set is *, i.e. every permission
# in the file class, which is stricter than the no_rw_file_perms assertions
# further down in this file. full_treble_only limits the assertion to builds
# where the system/vendor split is enforced.
full_treble_only(`
  neverallow {
    coredomain
    # for chowning
    -init
    # generic access to sysfs_type
    -ueventd
    -vold
  } sysfs_leds:file *;
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
#
# The exemption list below is the boundary: every domain added here gains
# the ability to enumerate /vendor/app without a dedicated type, so each
# addition should be justified in review. From the names, the exempt domains
# fall into three groups (confirm against their own .te files): the dex
# compilation path (dex2oat, installd, postinstall_dexopt), resource overlay
# handling (idmap), and process management (init, system_server). appdomain
# is exempt because vendor apps themselves run in app domains and must reach
# their own APK directory, and -rs carries that exemption over to RenderScript
# helpers spawned by apps. The profilers are exempt only on userdebug/eng.
full_treble_only(`
  # Limit access to /vendor/app
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -idmap
    -init
    -installd
    userdebug_or_eng(`-perfprofd')
    userdebug_or_eng(`-heapprofd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
  } vendor_app_file:dir { open read getattr search };
')
# File-level counterpart of the /vendor/app directory assertion above. The
# exemption list is the same with one addition: mediaserver may read vendor
# app files but is NOT exempt from the directory rule, so it cannot search
# or list /vendor/app itself and can only reach these files through a path
# or descriptor it is handed (presumably media resources bundled in vendor
# APKs passed over Binder; confirm with the mediaserver policy). Keep the two
# lists in sync when changing either one. r_file_perms is the read-only set
# from global_macros; verify there that it does not include execute, since
# this rule is what keeps core domains from running code out of /vendor/app.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -dex2oat
    -idmap
    -init
    -installd
    userdebug_or_eng(`-perfprofd')
    userdebug_or_eng(`-heapprofd')
    -postinstall_dexopt
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -mediaserver
  } vendor_app_file:file r_file_perms;
')
# /vendor/overlay holds vendor resource overlays. Besides the domains that
# also appear in the /vendor/app rules, the three zygote flavours are exempt:
# zygote, webview_zygote and app_zygote. app_zygote is the notable one, since
# per the commit description it runs under the UID of the application that
# spawned it and executes an application-controlled pre-load callback, so
# this exemption gives partially untrusted code the ability to enumerate the
# vendor overlay tree. The access granted is directory search/read only; the
# file-level rule below restricts the files to r_file_perms. Do not widen the
# permission set here without revisiting the app_zygote threat model.
full_treble_only(`
  # Limit access to /vendor/overlay
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-heapprofd')
  } vendor_overlay_file:dir { getattr open read search };
')
# File-level counterpart of the /vendor/overlay directory assertion above;
# the exemption list is identical and the two must be kept in sync. Read
# access via r_file_perms is all that is left open to the zygotes, including
# app_zygote, which runs application-controlled pre-load code (see the commit
# description); verify in global_macros that r_file_perms does not carry
# execute so that overlay files cannot be executed from these domains.
full_treble_only(`
  neverallow {
    coredomain
    -appdomain
    -idmap
    -init
    -installd
    -rs # spawned by appdomain, so carryover the exception above
    -system_server
    -app_zygote
    -webview_zygote
    -zygote
    userdebug_or_eng(`-heapprofd')
  } vendor_overlay_file:file r_file_perms;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
#
# Each assertion below names a pseudo-filesystem whose nodes still carry a
# generic label (proc, sysfs, device, debugfs, ...) and forbids read/write
# style access from every coredomain except the listed few. The effect is
# that any new access has to come with a specific type and an explicit allow
# rule, which keeps the kernel interface surface of the core system
# enumerable. The exemption lists are the security boundary: adding a domain
# here widens what coredomain may reach without a dedicated label, so treat
# every addition as a review item. no_rw_file_perms is defined in
# global_macros; check there whether map is part of the set before relying on
# these rules to block mmap of a generically labeled node.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
  # /proc
  # Only vold keeps generic access; everyone else must use a specific proc type.
  neverallow {
    coredomain
    -vold
  } proc:file no_rw_file_perms;

  # /sys
  # init and ueventd set up and chown sysfs nodes; vold needs generic access.
  neverallow {
    coredomain
    -init
    -ueventd
    -vold
  } sysfs:file no_rw_file_perms;

  # /dev
  # Only blk_file and file are asserted against here. chr_file nodes that
  # still carry the generic device label are not covered by this rule;
  # verify that a separate assertion handles them.
  neverallow {
    coredomain
    -fsck
    -init
    -ueventd
  } device:{ blk_file file } no_rw_file_perms;

  # debugfs
  # system_server is exempt, which is a fairly large domain to keep on a
  # debug interface; worth revisiting once the labeling TODO above is done.
  neverallow {
    coredomain
    -dumpstate
    -init
    -system_server
  } debugfs:file no_rw_file_perms;

  # tracefs
  # The exempt domains are the tracing producers and consumers. Note that
  # shell and traceur_app are exempt unconditionally, not only on
  # userdebug/eng builds, while perfprofd is exempt on debug builds only.
  neverallow {
    coredomain
    -atrace
    -dumpstate
    -init
    userdebug_or_eng(`-perfprofd')
    -traced_probes
    -shell
    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
  neverallow {
    coredomain
    -init
  } inotify:file no_rw_file_perms;

  # pstorefs
  # Persistent store (crash/ramoops) consumers. As with tracefs, shell is
  # exempt on all builds; incidentd only on userdebug/eng.
  neverallow {
    coredomain
    -bootstat
    -charger
    -dumpstate
    -healthd
    userdebug_or_eng(`-incidentd')
    -init
    -logd
    -logpersist
    -recovery_persist
    -recovery_refresh
    -shell
    -system_server
  } pstorefs:file no_rw_file_perms;

  # configfs
  neverallow {
    coredomain
    -init
    -system_server
  } configfs:file no_rw_file_perms;

  # functionfs
  # Presumably the USB gadget function endpoints; the exempt domains are the
  # ones that would serve those functions (adb, media transfer). Confirm
  # against the adbd and mediaprovider policies before extending this list.
  neverallow {
    coredomain
    -adbd
    -init
    -mediaprovider
    -system_server
  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  # init is the only core domain with generic access to either filesystem.
  neverallow {
    coredomain
    -init
  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
#
# Unlike the assertions above, this one is not wrapped in full_treble_only,
# so it holds on every build, and it has no exemptions at all. The denied set
# includes read, write and ioctl and not just open, so a descriptor that a
# vendor HAL hands to a core domain cannot be used on it either: the HAL has
# to proxy the data rather than share the node. getattr is not in the set, so
# stat of the node is not asserted against here.
neverallow coredomain {
  iio_device
  radio_device
}:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
#
# Same shape as the iio/radio assertion above, but limited to Treble builds
# because of the bug referenced in the TODO. Once that is resolved this rule
# should lose its full_treble_only wrapper so that the TEE node is HAL-only
# everywhere; until then non-Treble builds do not get this guarantee.
full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
')