isolated_app.te - platform/system/sepolicy - Git at Google

 ###
 ### Services with isolatedProcess=true in their manifest.
 ###
 ### This file defines the rules for isolated apps. An "isolated
 ### app" is an APP with UID between AID_ISOLATED_START (99000)
 ### and AID_ISOLATED_END (99999).
 ###
 ### isolated_app includes all the appdomain rules, plus the
 ### additional following rules:
 ###

 type isolated_app, domain, domain_deprecated;
 app_domain(isolated_app)

 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app app_data_file:file { read write getattr lock };

 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 allow isolated_app webviewupdate_service:service_manager find;

 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
 # b/20150694
 # https://code.google.com/p/chromium/issues/detail?id=475270
 allow isolated_app self:process ptrace;

 #####
 ##### Neverallow
 #####

 # Do not allow isolated_app to directly open tun_device
 neverallow isolated_app tun_device:chr_file open;

 # Do not allow isolated_app to set system properties.
 neverallow isolated_app property_socket:sock_file write;
 neverallow isolated_app property_type:property_service set;

 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;

 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
 # TODO: should we tighten these restrictions further?
 neverallow isolated_app anr_data_file:file ~{ open append };
 neverallow isolated_app anr_data_file:dir ~search;

 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service and webviewupdate_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
     -display_service
     -webviewupdate_service
 }:service_manager find;

 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

 # Do not allow isolated_app access to /cache
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };

 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow isolated_app *:{
   socket netlink_socket packet_socket key_socket appletalk_socket
   netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
   netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
   netlink_rdma_socket netlink_crypto_socket
 } *;
	###
	### Services with isolatedProcess=true in their manifest.
	###
	### This file defines the rules for isolated apps. An "isolated
	### app" is an APP with UID between AID_ISOLATED_START (99000)
	### and AID_ISOLATED_END (99999).
	###
	### isolated_app includes all the appdomain rules, plus the
	### additional following rules:
	###

	type isolated_app, domain, domain_deprecated;
	app_domain(isolated_app)

	# Access already open app data files received over Binder or local socket IPC.
	allow isolated_app app_data_file:file { read write getattr lock };

	allow isolated_app activity_service:service_manager find;
	allow isolated_app display_service:service_manager find;
	allow isolated_app webviewupdate_service:service_manager find;

	# Google Breakpad (crash reporter for Chrome) relies on ptrace
	# functionality. Without the ability to ptrace, the crash reporter
	# tool is broken.
	# b/20150694
	# https://code.google.com/p/chromium/issues/detail?id=475270
	allow isolated_app self:process ptrace;

	#####
	##### Neverallow
	#####

	# Do not allow isolated_app to directly open tun_device
	neverallow isolated_app tun_device:chr_file open;

	# Do not allow isolated_app to set system properties.
	neverallow isolated_app property_socket:sock_file write;
	neverallow isolated_app property_type:property_service set;

	# Isolated apps should not directly open app data files themselves.
	neverallow isolated_app app_data_file:file open;

	# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
	# TODO: are there situations where isolated_apps write to this file?
	# TODO: should we tighten these restrictions further?
	neverallow isolated_app anr_data_file:file ~{ open append };
	neverallow isolated_app anr_data_file:dir ~search;

	# b/17487348
	# Isolated apps can only access three services,
	# activity_service, display_service and webviewupdate_service.
	neverallow isolated_app {
	service_manager_type
	-activity_service
	-display_service
	-webviewupdate_service
	}:service_manager find;

	# Isolated apps shouldn't be able to access the driver directly.
	neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };

	# Do not allow isolated_app access to /cache
	neverallow isolated_app cache_file:dir ~{ r_dir_perms };
	neverallow isolated_app cache_file:file ~{ read getattr };

	# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
	# ioctl permission, or 3. disallow the socket class.
	neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
	neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
	neverallow isolated_app *:{
	socket netlink_socket packet_socket key_socket appletalk_socket
	netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
	netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
	netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
	netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
	netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
	netlink_rdma_socket netlink_crypto_socket
	} *;