Merge "Move ephemeral_app policy to private" am: 1b7512a1

am: 398249a6 Change-Id: I00f2cd2807593b9ed6b1eec97d729908b641d083

Merge "Move ephemeral_app policy to private" am: 1b7512a1
379cb28b · Alex Klyubin · android-build-merger · 1405e059 · 398249a6 · 379cb28b
Commit 379cb28b authored Jan 12, 2017 by Alex Klyubin Committed by android-build-merger Jan 12, 2017
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
-# type_transition must be private policy the domain_trans rules could stay
+###
-# public, but conceptually should go with this
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+net_domain(ephemeral_app)
 # Define and allow access to our own type for ashmem regions.
 # Label ashmem objects with our own unique type.
 tmpfs_domain(ephemeral_app)
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Map with PROT_EXEC.
 allow ephemeral_app ephemeral_app_tmpfs:file execute;
+# allow JITing
+allow ephemeral_app self:process execmem;
+allow ephemeral_app ashmem_device:chr_file execute;
+# Send logcat messages to logd.
+write_logd(ephemeral_app)
+# Receive and use open file descriptors inherited from zygote.
+allow ephemeral_app zygote:fd use;
+# Notify zygote of death;
+allow ephemeral_app zygote:process sigchld;
+# application inherit logd write socket (urge is to deprecate this long term)
+allow ephemeral_app zygote:unix_dgram_socket write;
 # Read system properties managed by zygote.
 allow ephemeral_app zygote_tmpfs:file read;
+# App sandbox file accesses.
+allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
+allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
+# Keychain and user-trusted credentials
+r_dir_file(ephemeral_app, keychain_data_file)
+allow ephemeral_app misc_user_data_file:dir r_dir_perms;
+allow ephemeral_app misc_user_data_file:file r_file_perms;
+# Allow apps to read/execute installed binaries
+allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
+# For art.
+allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
+allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
+allow ephemeral_app dalvikcache_data_file:dir getattr;
+# Grant GPU access. ephemeral_app needs that to render the standard UI.
+allow ephemeral_app gpu_device:chr_file rw_file_perms;
+# Use the Binder.
+binder_use(ephemeral_app)
+# Perform binder IPC to binder services.
+binder_call(ephemeral_app, surfaceflinger)
+binder_call(ephemeral_app, system_server)
+# Perform binder IPC to apps.
+binder_call(ephemeral_app, appdomain)
+# Allow read access to ion memory allocation device
+allow ephemeral_app ion_device:chr_file { read open };
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow ephemeral_app system_server:fifo_file rw_file_perms;
+allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
+# Inherit or receive open files from system_server.
+allow ephemeral_app system_server:fd use;
+# Communicate with surfaceflinger.
+allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+# Read files already opened under /data.
+allow ephemeral_app system_data_file:file { getattr read };
+allow ephemeral_app system_data_file:lnk_file read;
+# System file accesses. Check for libraries
+allow ephemeral_app system_file:dir getattr;
+# services
+allow ephemeral_app accessibility_service:service_manager find;
+allow ephemeral_app activity_service:service_manager find;
+allow ephemeral_app assetatlas_service:service_manager find;
+allow ephemeral_app connectivity_service:service_manager find;
+allow ephemeral_app display_service:service_manager find;
+allow ephemeral_app graphicsstats_service:service_manager find;
+allow ephemeral_app input_method_service:service_manager find;
+allow ephemeral_app input_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app textservices_service:service_manager find;
+###
+### neverallow rules
+###
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -10,109 +10,5 @@
 ### additional security features.
 ###
 ### PackageManager flags an app as ephemeral at install time.
-type ephemeral_app, domain;
-net_domain(ephemeral_app)
-# allow JITing
-allow ephemeral_app self:process execmem;
-allow ephemeral_app ashmem_device:chr_file execute;
-# Send logcat messages to logd.
-write_logd(ephemeral_app)
-# Receive and use open file descriptors inherited from zygote.
-allow ephemeral_app zygote:fd use;
-# Notify zygote of death;
-allow ephemeral_app zygote:process sigchld;
-# application inherit logd write socket (urge is to deprecate this long term)
-allow ephemeral_app zygote:unix_dgram_socket write;
-# App sandbox file accesses.
-allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
-allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
-# Keychain and user-trusted credentials
-r_dir_file(ephemeral_app, keychain_data_file)
-allow ephemeral_app misc_user_data_file:dir r_dir_perms;
-allow ephemeral_app misc_user_data_file:file r_file_perms;
-# Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir search;
-allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
-# For art.
-allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
-allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
-allow ephemeral_app dalvikcache_data_file:dir getattr;
-# Grant GPU access. ephemeral_app needs that to render the standard UI.
-allow ephemeral_app gpu_device:chr_file rw_file_perms;
-# Use the Binder.
-binder_use(ephemeral_app)
-# Perform binder IPC to binder services.
-binder_call(ephemeral_app, surfaceflinger)
-binder_call(ephemeral_app, system_server)
-# Perform binder IPC to apps.
-binder_call(ephemeral_app, appdomain)
-# Allow read access to ion memory allocation device
-allow ephemeral_app ion_device:chr_file { read open };
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow ephemeral_app system_server:fifo_file rw_file_perms;
-allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
-# Inherit or receive open files from system_server.
-allow ephemeral_app system_server:fd use;
-# Communicate with surfaceflinger.
+type ephemeral_app, domain;
-allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-# Read files already opened under /data.
-allow ephemeral_app system_data_file:file { getattr read };
-allow ephemeral_app system_data_file:lnk_file read;
-# System file accesses. Check for libraries
-allow ephemeral_app system_file:dir getattr;
-# services
-allow ephemeral_app accessibility_service:service_manager find;
-allow ephemeral_app activity_service:service_manager find;
-allow ephemeral_app assetatlas_service:service_manager find;
-allow ephemeral_app connectivity_service:service_manager find;
-allow ephemeral_app display_service:service_manager find;
-allow ephemeral_app graphicsstats_service:service_manager find;
-allow ephemeral_app input_method_service:service_manager find;
-allow ephemeral_app input_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app textservices_service:service_manager find;
-###
-### neverallow rules
-###
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };