platform_system_sepolicy/private/isolated_app.te
Ryan Savitski 941ba723ba sepolicy: rework perfetto producer/profiler rules for "user" builds
This patch:
* allows for heap and perf profiling of all processes on the system
  (minus undumpable and otherwise incompatible domains). For apps, the
  rest of the platform will still perform checks based on
  profileable/debuggable manifest flags. For native processes, the
  profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
  writers (=perfetto_producer) for the ART java heap graph plugin
  (perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
  graphs.

Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
2023-02-03 15:05:14 +00:00

36 lines
1.6 KiB
Text

###
### isolated_apps.
###
### This file defines the rules for isolated apps that does not wish to use
### service managers and does not require extra computational resources.
###
typeattribute isolated_app coredomain;
app_domain(isolated_app)
isolated_app_domain(isolated_app)
allow isolated_app webviewupdate_service:service_manager find;
# Allow access to network sockets received over IPC. New socket creation is not
# permitted.
allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules in isolated_app_all attribute.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;