###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###

type isolated_app, domain, domain_deprecated;
app_domain(isolated_app)

# Isolated apps may use app data files only when another process has
# already opened them and passed the descriptor over Binder or local
# socket IPC. "open" is deliberately absent here; the neverallow in the
# section below asserts that nothing else grants it.
allow isolated_app app_data_file:file { read write getattr lock };

# The complete set of services an isolated app may look up in
# servicemanager. The neverallow on service_manager_type below asserts
# that this list cannot grow elsewhere in the policy.
allow isolated_app {
    activity_service
    display_service
    webviewupdate_service
}:service_manager find;

# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken. The grant is scoped to the process's own domain
# (self) only.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;

#####
##### Neverallow
#####
# neverallow rules are build-time assertions: policy compilation fails if
# any rule anywhere in the policy grants isolated_app the listed access.

# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
    service_manager_type
    -activity_service
    -display_service
    -webviewupdate_service
}:service_manager find;

# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;

# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };

# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;

# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

# Do not allow isolated_app to set system properties. Both the socket
# used to talk to the property service and the set permission itself
# are denied.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
# 1. Privileged ioctl commands on the common IP socket classes.
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# 2. Any ioctl on the netlink classes an isolated app may otherwise use.
neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
# 3. Every permission on socket classes an isolated app has no business with.
neverallow isolated_app *:{
    socket netlink_socket packet_socket key_socket appletalk_socket
    netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
    netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
    netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
    netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
    netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
    netlink_rdma_socket netlink_crypto_socket
} *;