###
### isolated_app_all.
###
### Services declared with isolatedProcess=true in their manifest.
###
### Rules common to every isolated app live here. An "isolated app" is an
### APP whose UID lies in the range AID_ISOLATED_START (99000) ..
### AID_ISOLATED_END (99999).
###

# File descriptors inherited from the app_zygote that forked us.
allow isolated_app_all app_zygote:fd use;
# Let the app_zygote learn about our exit (SIGCHLD).
allow isolated_app_all app_zygote:process sigchld;
# The logd write socket is also inherited from the app_zygote.
allow isolated_app_all app_zygote:unix_dgram_socket write;

# Operate on app data files that are *already open* and were handed to us
# over Binder or a local socket. Note that `open` is deliberately absent
# here and is neverallowed further down: the only way an isolated app gets
# at such a file is by receiving a descriptor from a more privileged domain.
allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { append read write getattr lock map };

# The only service_manager lookups granted by this file.
allow isolated_app_all { activity_service display_service }:service_manager find;

# Google Breakpad, the crash reporter used by Chrome, needs ptrace on the
# process's own threads; without it crash reporting does not work.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app_all self:process ptrace;

# TODO (b/63631799) fix this access
# Silence denials for /data/local/tmp. dontaudit only stops the denial from
# being logged; the search is still refused.
dontaudit isolated_app_all shell_data_file:dir search;

#####
##### Neverallow
#####

# An isolated app never opens app data files on its own; see the FD-passing
# allow rule above.
neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file open;

# /data/anr/traces.txt: append only (b/27853304, b/18340553).
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app_all anr_data_file:file ~{ open append };
neverallow isolated_app_all anr_data_file:dir ~search;

# No HwBinder for isolated apps.
neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;

# No VndBinder for isolated apps.
neverallow isolated_app_all vndbinder_device:chr_file *;

# On the Binder and VndBinder service_manager, `find` is the only permitted
# action, and only for the services exempted below.
neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;

# b/17487348
# Exactly three services may be looked up: activity_service,
# display_service and webviewupdate_service. Only the first two are granted
# in this file; the webviewupdate_service lookup is presumably granted by a
# member domain -- verify there.
neverallow { isolated_app_all -isolated_compute_app } {
    service_manager_type
    -activity_service
    -display_service
    -webviewupdate_service
}:service_manager find;

# /cache is read-only at most for isolated apps.
neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
neverallow isolated_app_all cache_file:file ~{ read getattr };

# External storage is off limits apart from files received as file
# descriptors (b/32896414).
neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app_all { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app_all { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map };

# No USB device access.
neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *;

# No direct access to the GPU driver.
neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute };

# Keep the /sys surface reachable from isolated_app_all small; it is a
# significant part of the domain's attack surface.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
neverallow { isolated_app_all -isolated_compute_app } {
    sysfs_type
    -sysfs_devices_system_cpu
    -sysfs_transparent_hugepage
    -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
    -sysfs_fs_fuse_features
    -sysfs_fs_incfs_features
}:file no_rw_file_perms;

# The webview_zygote control socket must not be writable.
neverallow isolated_app_all webview_zygote:sock_file write;

# Socket creation is limited to AF_UNIX. The class list below is
# socket_class_set from system/sepolicy/public/global_macros minus
# unix_stream_socket and unix_dgram_socket; most of these families have
# never been, and never will be, built into the Android kernel.
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
    socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
    key_socket appletalk_socket netlink_route_socket
    netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
    netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
    netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
    netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
    netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
    netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
    netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
    rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
    bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
    ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
    qipcrtr_socket smc_socket xdp_socket
} create;