ca0690e8eb
This patch extends the current debug-specific rules to cover user builds. As a reminder, on user, the target process fork-execs a private heapprofd process, which then performs stack unwinding & talking to the central tracing daemon while staying in the target's domain. The central heapprofd daemon is only responsible for identifying targets & sending the activation signal. On the other hand, on debug, the central heapprofd can handle all processes directly, so the necessary SELinux capabilities depend on the build type. These rules are necessary but not sufficient for profiling. For zygote children, the libc triggering logic will also check for the app to either be debuggable, or go/profileable. For more context, see go/heapprofd-security & go/heapprofd-design. Note that I've had to split this into two separate macros, as exec_no_trans - which is necessary on user, but nice-to-have on debug - conflicts with a lot of neverallows (e.g. HALs and system_server) for the wider whitelisting that we do on debug builds. Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat. Bug: 120409382 Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
93 lines
3.6 KiB
Text
93 lines
3.6 KiB
Text
###
|
|
### Ephemeral apps.
|
|
###
|
|
### This file defines the security policy for apps with the ephemeral
|
|
### feature.
|
|
###
|
|
### The ephemeral_app domain is a reduced permissions sandbox allowing
|
|
### ephemeral applications to be safely installed and run. Non ephemeral
|
|
### applications may also opt-in to ephemeral to take advantage of the
|
|
### additional security features.
|
|
###
|
|
### PackageManager flags an app as ephemeral at install time.
|
|
|
|
typeattribute ephemeral_app coredomain;
|
|
|
|
net_domain(ephemeral_app)
|
|
app_domain(ephemeral_app)
|
|
|
|
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
|
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
|
|
|
|
# Some apps ship with shared libraries and binaries that they write out
|
|
# to their sandbox directory and then execute.
|
|
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
|
|
allow ephemeral_app app_data_file:file { r_file_perms execute };
|
|
|
|
# Allow the renderscript compiler to be run.
|
|
domain_auto_trans(ephemeral_app, rs_exec, rs)
|
|
|
|
# Allow loading and deleting shared libraries created by trusted system
|
|
# components within an application home directory.
|
|
allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
|
|
|
|
# services
|
|
allow ephemeral_app audioserver_service:service_manager find;
|
|
allow ephemeral_app cameraserver_service:service_manager find;
|
|
allow ephemeral_app mediaserver_service:service_manager find;
|
|
allow ephemeral_app mediaextractor_service:service_manager find;
|
|
allow ephemeral_app mediacodec_service:service_manager find;
|
|
allow ephemeral_app mediametrics_service:service_manager find;
|
|
allow ephemeral_app mediadrmserver_service:service_manager find;
|
|
allow ephemeral_app drmserver_service:service_manager find;
|
|
allow ephemeral_app radio_service:service_manager find;
|
|
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow ephemeral_app traced:fd use;
|
|
allow ephemeral_app traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(ephemeral_app, traced_producer, traced)
|
|
|
|
# Allow heap profiling if the app opts in by being marked
|
|
# profileable/debuggable.
|
|
can_profile_heap(ephemeral_app)
|
|
|
|
# allow ephemeral apps to use UDP sockets provided by the system server but not
|
|
# modify them other than to connect
|
|
allow ephemeral_app system_server:udp_socket {
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
|
|
|
|
# Receive or send uevent messages.
|
|
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
|
|
|
# Receive or send generic netlink messages
|
|
neverallow ephemeral_app domain:netlink_socket *;
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
# best practice to ensure these files aren't readable.
|
|
neverallow ephemeral_app debugfs:file read;
|
|
|
|
# execute gpu_device
|
|
neverallow ephemeral_app gpu_device:chr_file execute;
|
|
|
|
# access files in /sys with the default sysfs label
|
|
neverallow ephemeral_app sysfs:file *;
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
# Create a more specific label if needed
|
|
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
|
|
|
# Directly access external storage
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
# ongoing connections.
|
|
neverallow ephemeral_app proc_net:file no_rw_file_perms;
|