Ensure /sys restrictions for isolated_apps

isolated_apps are intended to be strictly limited in the /sys files which can be read. Add a neverallow assertion to guarantee this on all Android compatible devices. Test: policy compiles. Change-Id: I47aceefa3f43a7ea9e526f6f0ef377d0b4efbe3a

Ensure /sys restrictions for isolated_apps
579366a0 · Nick Kralevich · 7a83d44f · 579366a0
Commit 579366a0 authored 7 years ago by Nick Kralevich
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -103,3 +103,11 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;

 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+  sysfs_type
+  -sysfs_devices_system_cpu
+  -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;