Something went wrong on our end
-
Nick Kralevich authoredAdd a neverallow rule (compile time assertion + CTS test) that isolated_apps and untrusted_apps can't do anything else but append to /data/anr/traces.txt. In particular, assert that they can't read from the file, or overwrite other data which may already be in the file. Bug: 18340553 Bug: 27853304 Change-Id: I249fe2a46401b660efaa3f1102924a448ed750d5
Nick Kralevich authoredAdd a neverallow rule (compile time assertion + CTS test) that isolated_apps and untrusted_apps can't do anything else but append to /data/anr/traces.txt. In particular, assert that they can't read from the file, or overwrite other data which may already be in the file. Bug: 18340553 Bug: 27853304 Change-Id: I249fe2a46401b660efaa3f1102924a448ed750d5
isolated_app.te 2.13 KiB
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
### isolated_app includes all the appdomain rules, plus the
### additional following rules:
###
type isolated_app, domain, domain_deprecated;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
#####
##### Neverallow
#####
# Do not allow isolated_app to directly open tun_device
neverallow isolated_app tun_device:chr_file open;
# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;
# b/17487348
# Isolated apps can only access two services,
# activity_service and display_service
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };