Commit 579366a0 authored by Nick Kralevich

Ensure /sys restrictions for isolated_apps

isolated_apps are intended to be strictly limited in the /sys files
which can be read. Add a neverallow assertion to guarantee this on all
Android compatible devices.

Test: policy compiles.
Change-Id: I47aceefa3f43a7ea9e526f6f0ef377d0b4efbe3a
parent 7a83d44f
......@@ -103,3 +103,11 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
# Limit the /sys files which isolated_app can access. This is important
# for controlling isolated_app attack surface.
neverallow isolated_app {
sysfs_type
-sysfs_devices_system_cpu
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
}:file no_rw_file_perms;
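Review bot: the `-sysfs_usb` exclusion in the type set carries an open TODO (b/28417852), so as written the assertion places no limit on isolated_app access to files labelled sysfs_usb, which sits uneasily with the "strictly limited" guarantee in the commit message. If the audio team confirms it is not needed, drop the exclusion so the neverallow covers that type; until then, the comment above the rule could state that sysfs_usb is a temporary exception. The rule is also scoped to class `file` only, so it asserts nothing about directories or symlinks under /sys; consider a companion assertion for `dir` and `lnk_file`, or say in the comment that only regular-file access is being restricted.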