1### 2### Services with isolatedProcess=true in their manifest. 3### 4### This file defines the rules for isolated apps. An "isolated 5### app" is an APP with UID between AID_ISOLATED_START (99000) 6### and AID_ISOLATED_END (99999). 7### 8 9typeattribute isolated_app coredomain; 10 11app_domain(isolated_app) 12 13# Access already open app data files received over Binder or local socket IPC. 14allow isolated_app app_data_file:file { append read write getattr lock }; 15 16allow isolated_app activity_service:service_manager find; 17allow isolated_app display_service:service_manager find; 18allow isolated_app webviewupdate_service:service_manager find; 19 20# Google Breakpad (crash reporter for Chrome) relies on ptrace 21# functionality. Without the ability to ptrace, the crash reporter 22# tool is broken. 23# b/20150694 24# https://code.google.com/p/chromium/issues/detail?id=475270 25allow isolated_app self:process ptrace; 26 27# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps 28# by other processes. Open should never be allowed, and is blocked by 29# neverallow rules below. 30# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs 31# is modified to change the secontext when accessing the lower filesystem. 32allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock }; 33 34# For webviews, isolated_app processes can be forked from the webview_zygote 35# in addition to the zygote. Allow access to resources inherited from the 36# webview_zygote process. These rules are specialized copies of the ones in app.te. 37# Inherit FDs from the webview_zygote. 38allow isolated_app webview_zygote:fd use; 39# Notify webview_zygote of child death. 40allow isolated_app webview_zygote:process sigchld; 41# Inherit logd write socket. 42allow isolated_app webview_zygote:unix_dgram_socket write; 43# Read system properties managed by webview_zygote. 44allow isolated_app webview_zygote_tmpfs:file read; 45 46# TODO (b/63631799) fix this access 47# suppress denials to /data/local/tmp 48dontaudit isolated_app shell_data_file:dir search; 49 50# Write app-specific trace data to the Perfetto traced damon. This requires 51# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 52allow isolated_app traced:fd use; 53allow isolated_app traced_tmpfs:file { read write getattr map }; 54unix_socket_connect(isolated_app, traced_producer, traced) 55 56##### 57##### Neverallow 58##### 59 60# Do not allow isolated_app to directly open tun_device 61neverallow isolated_app tun_device:chr_file open; 62 63# Isolated apps should not directly open app data files themselves. 64neverallow isolated_app app_data_file:file open; 65 66# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) 67# TODO: are there situations where isolated_apps write to this file? 68# TODO: should we tighten these restrictions further? 69neverallow isolated_app anr_data_file:file ~{ open append }; 70neverallow isolated_app anr_data_file:dir ~search; 71 72# Isolated apps must not be permitted to use HwBinder 73neverallow isolated_app hwbinder_device:chr_file *; 74neverallow isolated_app *:hwservice_manager *; 75 76# Isolated apps must not be permitted to use VndBinder 77neverallow isolated_app vndbinder_device:chr_file *; 78 79# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager 80# except the find actions for services allowlisted below. 81neverallow isolated_app *:service_manager ~find; 82 83# b/17487348 84# Isolated apps can only access three services, 85# activity_service, display_service and webviewupdate_service. 86neverallow isolated_app { 87 service_manager_type 88 -activity_service 89 -display_service 90 -webviewupdate_service 91}:service_manager find; 92 93# Isolated apps shouldn't be able to access the driver directly. 94neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; 95 96# Do not allow isolated_app access to /cache 97neverallow isolated_app cache_file:dir ~{ r_dir_perms }; 98neverallow isolated_app cache_file:file ~{ read getattr }; 99 100# Do not allow isolated_app to access external storage, except for files passed 101# via file descriptors (b/32896414). 102neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr; 103neverallow isolated_app { storage_file mnt_user_file }:file_class_set *; 104neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *; 105neverallow isolated_app sdcard_type:file ~{ read write append getattr lock }; 106 107# Do not allow USB access 108neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; 109 110# Restrict the webview_zygote control socket. 111neverallow isolated_app webview_zygote:sock_file write; 112 113# Limit the /sys files which isolated_app can access. This is important 114# for controlling isolated_app attack surface. 115neverallow isolated_app { 116 sysfs_type 117 -sysfs_devices_system_cpu 118 -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852) 119}:file no_rw_file_perms; 120