###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### following additional rules:
###

type isolated_app, domain, domain_deprecated;
app_domain(isolated_app)

# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { read write getattr lock };

allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;

# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;

#####
##### Neverallow
#####

# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;

# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;

# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;

# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
  service_manager_type
  -activity_service
  -display_service
  -webviewupdate_service
}:service_manager find;

# Isolated apps shouldn't be able to access the GPU driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow isolated_app *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;
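The neverallow rules above are build-time assertions: the policy compile fails if any allow rule anywhere in the full policy grants a permission they forbid. As an added example that is not part of the AOSP policy or its tooling, the following Python script models that check for the single-class rule shape used in this file (the real check runs over the compiled policy); it treats `~{ ... }` as the complement of the listed permissions and, as a simplification, does not expand attributes, `*`, `-` exclusions or class sets.

```python
import re
from collections import namedtuple
Rule = namedtuple("Rule", "kind src tgt cls neg perms")

# Constructed excerpt of the single-class rules from the isolated_app.te above.
POLICY = """
allow isolated_app app_data_file:file { read write getattr lock };
neverallow isolated_app app_data_file:file open;
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app cache_file:file ~{ read getattr };
"""

# Only the shape  (never)allow SRC TGT:CLASS PERM;  or  ... TGT:CLASS ~{ PERMS };
# Attributes, '*', '-' exclusions and class sets are not expanded (hypothetical subset).
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+([^\s:]+):(\S+)\s+(~?)(\{[^}]*\}|\S+)\s*;$")

def parse_rules(policy):
    """Parse allow/neverallow lines; comments and blank lines are skipped."""
    rules = []
    for line in policy.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule shape: " + line)
        kind, src, tgt, cls, neg, body = m.groups()
        rules.append(Rule(kind, src, tgt, cls, neg == "~",
                          frozenset(body.strip("{} ").split())))
    return rules

def offending_perms(allow, never):
    """Permissions of ALLOW that NEVER forbids (empty set means no conflict)."""
    if (allow.src, allow.tgt, allow.cls) != (never.src, never.tgt, never.cls):
        return frozenset()
    if never.neg:  # ~{ a b } forbids every class permission except a and b
        return allow.perms - never.perms
    return allow.perms & never.perms

def violations(policy):
    # Every (allow, neverallow, offending perms) conflict in the policy text.
    rules = parse_rules(policy)
    allows = [r for r in rules if r.kind == "allow"]
    nevers = [r for r in rules if r.kind == "neverallow"]
    return [(a, n, offending_perms(a, n)) for a in allows for n in nevers
            if offending_perms(a, n)]

def check_candidate(policy, candidate_rule):
    # Conflicts a proposed allow rule would introduce if appended to the policy.
    return violations(policy + "\n" + candidate_rule)
```

Appending `allow isolated_app app_data_file:file open;` is reported as a conflict with the `open` neverallow, while `allow isolated_app cache_file:file { read getattr };` passes because it stays inside the complement set.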