tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/isolated_app.te
Torne (Richard Coles) e6d67390cc Allow isolated_app to talk to webviewupdate_service. 
It's okay for isolated apps to connect to the webview update service to
find out which APK is WebView. This enables isolated renderer processes
to load their code from the WebView APK.

Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f
2016-03-09 14:36:56 +00:00

62 lines
2.1 KiB
Text
Raw Blame History

###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
type isolated_app, domain, domain_deprecated;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
#####
##### Neverallow
#####
# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;
# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
# do not allow privileged socket ioctl commands
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
Reference in a new issue View git blame Copy permalink