###
### isolated_app_all.
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules shared by all isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### Layout: the allow rules below are the baseline grant for every domain
### attributed isolated_app_all; the neverallow section further down is the
### ceiling no member domain may exceed. Several neverallows exclude
### isolated_compute_app with `-isolated_compute_app`; the comment on the
### sysfs rule says that negation is temporary and tied to a refactoring.
###

# Access already open app data files received over Binder or local socket IPC.
# Note the absence of `open` here: the neverallow on app_data_file_type below
# forbids it, so an isolated app can only use descriptors handed to it.
allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };

# Service lookups granted to every isolated app. These are two of the three
# services the service_manager neverallow below permits; webviewupdate_service
# is not granted in this file (presumably a member domain grants it itself).
allow isolated_app_all activity_service:service_manager find;
allow isolated_app_all display_service:service_manager find;

# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
# The target is `self`, so this only permits tracing processes labeled with
# the same domain, not arbitrary other processes.
allow isolated_app_all self:process ptrace;

# Inherit FDs from the app_zygote.
allow isolated_app_all app_zygote:fd use;
# Notify app_zygote of child death.
allow isolated_app_all app_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app_all app_zygote:unix_dgram_socket write;

# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
# dontaudit only silences the audit log for this access; it grants nothing.
dontaudit isolated_app_all shell_data_file:dir search;

# Allow to read, map (but not open) staged apks.
allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr map };

#####
##### Neverallow
#####
# neverallow rules are checked when the policy is compiled: if any allow rule
# anywhere in the policy (including one in a member domain of
# isolated_app_all) matches one of them, the build fails. They are the hard
# limits of the isolated-app sandbox. `~{ ... }` means "every permission of
# the class except these", `*` means all of them, and `-type` removes a type
# from a set.

# Isolated apps should not directly open app data files themselves.
neverallow isolated_app_all app_data_file_type:file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
# Every file permission other than open and append is forbidden on the file,
# and everything but search on its directory.
neverallow isolated_app_all anr_data_file:file ~{ open append };
neverallow isolated_app_all anr_data_file:dir ~search;

# Isolated apps must not be permitted to use HwBinder
# (isolated_compute_app is exempted from these two rules).
neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;

# Isolated apps must not be permitted to use VndBinder
neverallow isolated_app_all vndbinder_device:chr_file *;

# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services allowlisted below.
neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;

# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service, webviewupdate_service.
# Every service added to this allowlist widens the IPC surface reachable from
# an isolated process; the two allow rules near the top of this file grant
# find on activity_service and display_service only.
neverallow { isolated_app_all -isolated_compute_app } {
    service_manager_type
    -activity_service
    -display_service
    -webviewupdate_service
}:service_manager find;

# Isolated apps shouldn't be able to access the driver directly.
neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file { rw_file_perms execute };

# Do not allow isolated_apps access to /cache
neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
neverallow isolated_app_all cache_file:file ~{ read getattr };

# Do not allow isolated_app_all to access external storage, except for files passed
# via file descriptors (b/32896414).
# Directories: only getattr may ever be granted. storage_file / mnt_user_file:
# no file-class permission at all. sdcard_type / fuse: device, link, socket
# and fifo objects are fully off limits, and regular files are limited to the
# same descriptor-based permission set allowed on app data files above.
neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app_all { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app_all { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map };

# Do not allow USB access
neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *;

# Restrict the webview_zygote control socket.
neverallow isolated_app_all webview_zygote:sock_file write;

# Limit the /sys files which isolated_app_all can access. This is important
# for controlling isolated_app_all attack surface.
# TODO (b/266555480): The permission should be guarded by compliance test.
# Remove the negation for member domains when refactorization is done.
# Every sysfs_type file not listed with a leading `-` is denied the
# no_rw_file_perms set; each exemption below is a deliberate hole and should
# carry a justification (see the inline note on sysfs_usb).
neverallow { isolated_app_all -isolated_compute_app } {
    sysfs_type
    -sysfs_devices_system_cpu
    -sysfs_transparent_hugepage
    -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
    -sysfs_fs_fuse_features
    -sysfs_fs_incfs_features
    -sysfs_pgsize_migration
}:file no_rw_file_perms;

# No creation of sockets families other than AF_UNIX sockets.
# List taken from system/sepolicy/public/global_macros - socket_class_set
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
# The target set covers sockets labeled self as well as ones labeled as the
# listed app domains. Keep this class list in sync with socket_class_set when
# new classes are added to global_macros, or a new family would slip past it.
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
    socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
    key_socket appletalk_socket netlink_route_socket
    netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
    netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
    netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
    netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
    netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
    netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
    netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
    rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
    bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
    ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
    qipcrtr_socket smc_socket xdp_socket
} create;