9ec532752d
Any FUSE filesystem will receive the 'fuse' type when mounted. It is possible to change this behaviour by specifying the "context=" or "fscontext=" option in mount(). Because 'fuse' has historically been used only for the emulated storage, it also received the 'sdcard_type' attribute. Replace the 'sdcard_type' attribute from 'fuse' with the new 'fusefs_type'. This attribute can be attached on derived types (such as app_fusefs). This change: - Remove the neverallow restriction on this new type. This means any custom FUSE implementation can be mounted/unmounted (if the correct allow rule is added). See domain.te. - Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'. See file.te. - Modify all references to 'sdcard_type' to explicitly include 'fuse' for compatibility reason. Bug: 177481425 Bug: 190804537 Test: Build and boot aosp_cf_x86_64_phone-userdebug Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
153 lines
6.5 KiB
Text
153 lines
6.5 KiB
Text
###
|
|
### Services with isolatedProcess=true in their manifest.
|
|
###
|
|
### This file defines the rules for isolated apps. An "isolated
|
|
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
|
### and AID_ISOLATED_END (99999).
|
|
###
|
|
|
|
typeattribute isolated_app coredomain;
|
|
|
|
app_domain(isolated_app)
|
|
|
|
# Access already open app data files received over Binder or local socket IPC.
|
|
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
|
|
|
|
# Allow access to network sockets received over IPC. New socket creation is not
|
|
# permitted.
|
|
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
|
|
|
|
allow isolated_app activity_service:service_manager find;
|
|
allow isolated_app display_service:service_manager find;
|
|
allow isolated_app webviewupdate_service:service_manager find;
|
|
|
|
# Google Breakpad (crash reporter for Chrome) relies on ptrace
|
|
# functionality. Without the ability to ptrace, the crash reporter
|
|
# tool is broken.
|
|
# b/20150694
|
|
# https://code.google.com/p/chromium/issues/detail?id=475270
|
|
allow isolated_app self:process ptrace;
|
|
|
|
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
|
|
# by other processes. Open should never be allowed, and is blocked by
|
|
# neverallow rules below.
|
|
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
|
|
# is modified to change the secontext when accessing the lower filesystem.
|
|
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
|
|
|
|
# For webviews, isolated_app processes can be forked from the webview_zygote
|
|
# in addition to the zygote. Allow access to resources inherited from the
|
|
# webview_zygote process. These rules are specialized copies of the ones in app.te.
|
|
# Inherit FDs from the webview_zygote.
|
|
allow isolated_app webview_zygote:fd use;
|
|
# Notify webview_zygote of child death.
|
|
allow isolated_app webview_zygote:process sigchld;
|
|
# Inherit logd write socket.
|
|
allow isolated_app webview_zygote:unix_dgram_socket write;
|
|
# Read system properties managed by webview_zygote.
|
|
allow isolated_app webview_zygote_tmpfs:file read;
|
|
|
|
# Inherit FDs from the app_zygote.
|
|
allow isolated_app app_zygote:fd use;
|
|
# Notify app_zygote of child death.
|
|
allow isolated_app app_zygote:process sigchld;
|
|
# Inherit logd write socket.
|
|
allow isolated_app app_zygote:unix_dgram_socket write;
|
|
|
|
# TODO (b/63631799) fix this access
|
|
# suppress denials to /data/local/tmp
|
|
dontaudit isolated_app shell_data_file:dir search;
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(isolated_app)
|
|
|
|
# Allow profiling if the main app has been marked as profileable or
|
|
# debuggable.
|
|
can_profile_heap(isolated_app)
|
|
can_profile_perf(isolated_app)
|
|
|
|
#####
|
|
##### Neverallow
|
|
#####
|
|
|
|
# Isolated apps should not directly open app data files themselves.
|
|
neverallow isolated_app { app_data_file privapp_data_file }:file open;
|
|
|
|
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
|
|
# TODO: are there situations where isolated_apps write to this file?
|
|
# TODO: should we tighten these restrictions further?
|
|
neverallow isolated_app anr_data_file:file ~{ open append };
|
|
neverallow isolated_app anr_data_file:dir ~search;
|
|
|
|
# Isolated apps must not be permitted to use HwBinder
|
|
neverallow isolated_app hwbinder_device:chr_file *;
|
|
neverallow isolated_app *:hwservice_manager *;
|
|
|
|
# Isolated apps must not be permitted to use VndBinder
|
|
neverallow isolated_app vndbinder_device:chr_file *;
|
|
|
|
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
|
|
# except the find actions for services allowlisted below.
|
|
neverallow isolated_app *:service_manager ~find;
|
|
|
|
# b/17487348
|
|
# Isolated apps can only access three services,
|
|
# activity_service, display_service, webviewupdate_service.
|
|
neverallow isolated_app {
|
|
service_manager_type
|
|
-activity_service
|
|
-display_service
|
|
-webviewupdate_service
|
|
}:service_manager find;
|
|
|
|
# Isolated apps shouldn't be able to access the driver directly.
|
|
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
|
|
|
|
# Do not allow isolated_app access to /cache
|
|
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
|
|
neverallow isolated_app cache_file:file ~{ read getattr };
|
|
|
|
# Do not allow isolated_app to access external storage, except for files passed
|
|
# via file descriptors (b/32896414).
|
|
neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
|
|
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
|
|
neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
|
|
neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
|
|
|
|
# Do not allow USB access
|
|
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
|
|
|
|
# Restrict the webview_zygote control socket.
|
|
neverallow isolated_app webview_zygote:sock_file write;
|
|
|
|
# Limit the /sys files which isolated_app can access. This is important
|
|
# for controlling isolated_app attack surface.
|
|
neverallow isolated_app {
|
|
sysfs_type
|
|
-sysfs_devices_system_cpu
|
|
-sysfs_transparent_hugepage
|
|
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
|
|
-sysfs_fs_incfs_features
|
|
}:file no_rw_file_perms;
|
|
|
|
# No creation of sockets families other than AF_UNIX sockets.
|
|
# List taken from system/sepolicy/public/global_macros - socket_class_set
|
|
# excluding unix_stream_socket and unix_dgram_socket.
|
|
# Many of these are socket families which have never and will never
|
|
# be compiled into the Android kernel.
|
|
neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
|
|
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
|
|
key_socket appletalk_socket netlink_route_socket
|
|
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
|
|
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
|
|
netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
|
|
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
|
|
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
|
|
netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
|
|
netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
|
|
rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
|
|
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
|
|
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
|
|
qipcrtr_socket smc_socket xdp_socket
|
|
} create;
|