Add isolated_compute_app domain

Provides a new domain to enable secure sensitive data processing. This
allows processing of sensitive data, while enforcing necessary privacy
restrictions to prevent the egress of data via network, IPC or file
system.

Bug: 255597123
Test: m &&  manual - sample app with IsolatedProcess=True can use camera
service

Change-Id: I401667dbcf492a1cf8c020a79f8820d61990e72d
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 702879d..d0b859b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -6,6 +6,7 @@
   ephemeral_app
   isolated_app
   isolated_app_all
+  isolated_compute_app
   mediaprovider
   mediaprovider_app
   untrusted_app
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ede2284..e5dd339 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -32,6 +32,7 @@
     hal_wifi_service
     healthconnect_service
     hypervisor_restricted_prop
+    isolated_compute_app
     keystore_config_prop
     ntfs
     permissive_mte_prop
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 730e4af..7230844 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -9,3 +9,37 @@
 
 app_domain(isolated_app)
 isolated_app_domain(isolated_app)
+
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules in isolated_app_all attribute.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(isolated_app)
+
+# Allow profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_app)
+can_profile_perf(isolated_app)
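Review bot: The rules moved here from isolated_app_all (socket access over IPC, sdcard fd access, and the webview_zygote rules) now reach isolated_app only, so every other member of isolated_app_all, including the new isolated_compute_app, silently loses them, and nothing in either file says that narrowing is deliberate. A comment above the first moved rule would make the intent reviewable, e.g. `# The rules below apply to isolated_app only; other isolated_app_all members (such as isolated_compute_app) are deliberately excluded to limit data egress.` The Perfetto comment also carries over the pre-existing typo `traced damon` → `traced daemon`.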
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 47de414..bb9da6c 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -11,13 +11,8 @@
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
 
-# Allow access to network sockets received over IPC. New socket creation is not
-# permitted.
-allow isolated_app_all { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
-
 allow isolated_app_all activity_service:service_manager find;
 allow isolated_app_all display_service:service_manager find;
-allow isolated_app_all webviewupdate_service:service_manager find;
 
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
@@ -26,25 +21,6 @@
 # https://code.google.com/p/chromium/issues/detail?id=475270
 allow isolated_app_all self:process ptrace;
 
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app_all { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app_all webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app_all webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app_all webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app_all webview_zygote_tmpfs:file read;
-
 # Inherit FDs from the app_zygote.
 allow isolated_app_all app_zygote:fd use;
 # Notify app_zygote of child death.
@@ -56,15 +32,6 @@
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;
 
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app_all)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app_all)
-can_profile_perf(isolated_app_all)
-
 #####
 ##### Neverallow
 #####
@@ -79,20 +46,20 @@
 neverallow isolated_app_all anr_data_file:dir ~search;
 
 # Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app_all hwbinder_device:chr_file *;
-neverallow isolated_app_all *:hwservice_manager *;
+neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
+neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;
 
 # Isolated apps must not be permitted to use VndBinder
 neverallow isolated_app_all vndbinder_device:chr_file *;
 
 # Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
 # except the find actions for services allowlisted below.
-neverallow isolated_app_all *:service_manager ~find;
+neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;
 
 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service, webviewupdate_service.
-neverallow isolated_app_all {
+neverallow { isolated_app_all -isolated_compute_app } {
     service_manager_type
     -activity_service
     -display_service
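Review bot: Carving isolated_compute_app out of `neverallow ... *:service_manager ~find` is broader than the new domain needs: isolated_compute_app.te only adds `find` on five services, so non-find operations such as `add` and `list` could stay forbidden for it. Unless a macro used by the new domain grants a non-find service_manager permission (nothing visible in this change does), I would keep that line as `neverallow isolated_app_all *:service_manager ~find;` and carve the domain out only of the service allowlist neverallow below it. The comment `Isolated apps can only access three services` above that allowlist is no longer true for isolated_compute_app and could read `Isolated apps other than isolated_compute_app can only access three services`. The allowlist neverallow block continues past the end of the hunk.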
@@ -102,7 +69,7 @@
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute };
 
-# Do not allow isolated_app access to /cache
+# Do not allow isolated_apps access to /cache
 neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app_all cache_file:file ~{ read getattr };
 
@@ -121,7 +88,9 @@
 
 # Limit the /sys files which isolated_app_all can access. This is important
 # for controlling isolated_app_all attack surface.
-neverallow isolated_app_all {
+# TODO (b/266555480): The permission should be guarded by compliance test.
+# Remove the negation for member domains when refactorization is done.
+neverallow { isolated_app_all -isolated_compute_app } {
   sysfs_type
   -sysfs_devices_system_cpu
   -sysfs_transparent_hugepage
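Review bot: Excluding isolated_compute_app from the sysfs neverallow removes the attack-surface limit this comment describes from the new domain entirely, and isolated_compute_app.te adds no sysfs neverallow of its own, so until the compliance test from b/266555480 exists nothing in policy pins what the domain may touch under /sys. If the exemption is needed because a macro the new domain uses (hal_client_domain or hwbinder_use) grants some sysfs type, the narrower fix is to add that type to the exclusion list rather than exclude the whole domain; the neverallow block continues past the end of the hunk. Either way the TODO should record what forced the exemption, e.g. `# isolated_compute_app is exempt because <macro> grants <sysfs type>; TODO(b/266555480): narrow this.`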
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
new file mode 100644
index 0000000..2c6d570
--- /dev/null
+++ b/private/isolated_compute_app.te
@@ -0,0 +1,52 @@
+###
+### isolated_compute_apps.
+###
+### This file defines the rules for isolated apps that requires the permission
+### to gather data with service manager and require computational resources to
+### improve the performance to process data under a sandbox. This
+### isolated_compute_app restricts data egress to protect the privacy.
+###
+### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
+###
+type isolated_compute_app, domain;
+
+typeattribute isolated_compute_app coredomain;
+
+app_domain(isolated_compute_app)
+isolated_app_domain(isolated_compute_app)
+
+allow isolated_compute_app audioserver_service:service_manager find;
+allow isolated_compute_app cameraserver_service:service_manager find;
+allow isolated_compute_app content_capture_service:service_manager find;
+allow isolated_compute_app device_state_service:service_manager find;
+allow isolated_compute_app speech_recognition_service:service_manager find;
+
+# Enable access to hardware services for camera functionalilites
+hal_client_domain(isolated_compute_app, hal_allocator)
+hwbinder_use(isolated_compute_app)
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(isolated_compute_app)
+
+# Allow profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_compute_app)
+can_profile_perf(isolated_compute_app)
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_compute_app to access hardware service except for the
+# ones necessary for camera service.
+# TODO (b/266555480): The permission should be guarded by compliance test.
+# Remove the negation for member domains when refactorization is done.
+# neverallow isolated_compute_app {
+# hwservice_manager_type
+#  -hal_graphics_allocator_hwservice
+#  -hal_graphics_mapper_hwservice
+#  -hidl_allocator_hwservice
+#  -hidl_manager_hwservice
+#  -hidl_memory_hwservice
+# }:hwservice_manager *;
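Review bot: The hwservice_manager neverallow at the end of the file is commented out, so after the hwbinder_device and hwservice_manager carve-outs in isolated_app_all.te nothing in policy restricts which hwservices isolated_compute_app may find; the domain is as open to hwservices as an ordinary app while the header promises restricted egress. If the block as written fails to build because a macro used above grants `find` on a hwservice type missing from the exclusion list, the fix is to add that type to the list rather than disable the rule; at minimum the comment should state why the rule is disabled instead of only the generic TODO. Comment typos worth fixing while here: `isolated apps that requires the permission` → `isolated apps that require permission`, `functionalilites` → `functionalities`, `traced damon` → `traced daemon`.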
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 9d1740d..069bb10 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -31,8 +31,8 @@
 
 ; Apps, except isolated apps, are clients of Graphics Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app_all } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
+;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
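Review bot: The comment above the typeattributeset still says `Apps, except isolated apps, are clients of Graphics Allocator HAL`, but the exclusion is now isolated_app only, so isolated_compute_app (an isolated app via isolated_app_domain) becomes a graphics allocator client and the comment no longer matches the rule. Suggest `; Apps, except isolated_app, are clients of Graphics Allocator HAL (isolated_compute_app is included, presumably for the camera path)`, with the reason confirmed against the camera requirement rather than guessed. The Cas HAL rule below keeps excluding all of isolated_app_all, so the two comments should not be made to read the same.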
 
 ; Apps, except isolated apps, are clients of Cas HAL
 ; Unfortunately, we can't currently express this in module policy language: