39e29b6f29
am: fc3b0dd350
* commit 'fc3b0dd350598fb8a9219b296f15ec241fbcdbb2':
Neverallow isolated and untrusted apps to write system properties
57 lines
1.9 KiB
Text
57 lines
1.9 KiB
Text
###
|
|
### Services with isolatedProcess=true in their manifest.
|
|
###
|
|
### This file defines the rules for isolated apps. An "isolated
|
|
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
|
### and AID_ISOLATED_END (99999).
|
|
###
|
|
### isolated_app includes all the appdomain rules, plus the
|
|
### additional following rules:
|
|
###
|
|
|
|
type isolated_app, domain, domain_deprecated;
|
|
app_domain(isolated_app)
|
|
|
|
# Access already open app data files received over Binder or local socket IPC.
|
|
allow isolated_app app_data_file:file { read write getattr lock };
|
|
|
|
allow isolated_app activity_service:service_manager find;
|
|
allow isolated_app display_service:service_manager find;
|
|
|
|
# Google Breakpad (crash reporter for Chrome) relies on ptrace
|
|
# functionality. Without the ability to ptrace, the crash reporter
|
|
# tool is broken.
|
|
# b/20150694
|
|
# https://code.google.com/p/chromium/issues/detail?id=475270
|
|
allow isolated_app self:process ptrace;
|
|
|
|
#####
|
|
##### Neverallow
|
|
#####
|
|
|
|
# Do not allow isolated_app to set system properties.
|
|
neverallow isolated_app property_socket:sock_file write;
|
|
neverallow isolated_app property_type:property_service set;
|
|
|
|
# Isolated apps should not directly open app data files themselves.
|
|
neverallow isolated_app app_data_file:file open;
|
|
|
|
# b/17487348
|
|
# Isolated apps can only access two services,
|
|
# activity_service and display_service
|
|
neverallow isolated_app {
|
|
service_manager_type
|
|
-activity_service
|
|
-display_service
|
|
}:service_manager find;
|
|
|
|
# Isolated apps shouldn't be able to access the driver directly.
|
|
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
|
|
|
|
# Do not allow isolated_app access to /cache
|
|
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
|
|
neverallow isolated_app cache_file:file ~{ read getattr };
|
|
|
|
# do not allow privileged socket ioctl commands
|
|
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
|