From 75f34dc392b6d13818565fddd6da0111a4edefe5 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 5 Mar 2015 12:10:30 -0800
Subject: [PATCH] update isolated_app service_manager rules

isolated apps should only be able to access 2 services.
Remove access permissions for services inappropriately added,
and add a neverallow rule to prevent regressions.

Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
---
 app.te          |  4 ++--
 isolated_app.te | 28 ++++++++++++----------------
 2 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/app.te b/app.te
index c17c90336..89c81cf89 100644
--- a/app.te
+++ b/app.te
@@ -182,9 +182,9 @@ control_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
 
-use_keystore(appdomain)
+use_keystore({ appdomain -isolated_app })
 
 ###
 ### Neverallow rules
diff --git a/isolated_app.te b/isolated_app.te
index f6183aa67..8930ae68a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -15,25 +15,21 @@ app_domain(isolated_app)
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app app_data_file:file { read write getattr };
 
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-allow isolated_app radio_service:service_manager find;
-allow isolated_app surfaceflinger_service:service_manager find;
-allow isolated_app system_server_service:service_manager find;
-allow isolated_app tmp_system_server_service:service_manager find;
-
-# address tmp_system_server_service accesses
 allow isolated_app activity_service:service_manager find;
-allow isolated_app connectivity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
-allow isolated_app dropbox_service:service_manager find;
 
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app {
-    tmp_system_server_service
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# b/17487348
+# Isolated apps can only access two services,
+# activity_service and display_service
+neverallow isolated_app {
+    service_manager_type
     -activity_service
-    -connectivity_service
     -display_service
-    -dropbox_service
 }:service_manager find;
-- 
GitLab