tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/isolated_app.te
Daniel Rosenberg 02bf4aad9f isolated_app.te: Give permissions for using sdcardfs 
Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf
2016-12-12 13:16:24 -08:00

114 lines
4.9 KiB
Text
Raw Blame History

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
type isolated_app, domain;
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { append read write getattr lock };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules below.
# TODO: consider removing write/append. We want to limit isolated_apps
# ability to mutate files of any type.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
#####
##### Neverallow
#####
# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;
# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow isolated_app *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket
} *;
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
Reference in a new issue View git blame Copy permalink