From a3903974075f3ed8f83faf0ab9983187ad928da0 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 5 Jan 2017 16:06:54 -0800
Subject: [PATCH] Move isolated_app policy to private

This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from isolated_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3
---
 private/isolated_app.te | 109 ++++++++++++++++++++++++++++++++++++++++
 public/isolated_app.te  | 105 --------------------------------------
 2 files changed, 109 insertions(+), 105 deletions(-)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index a2777526a..bfe738b5b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -1,4 +1,113 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
 app_domain(isolated_app)
 
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { append read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# TODO: consider removing write/append. We want to limit isolated_apps
+# ability to mutate files of any type.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
+# Do not allow isolated_app to set system properties.
+neverallow isolated_app property_socket:sock_file write;
+neverallow isolated_app property_type:property_service set;
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
+neverallow isolated_app {
+    service_manager_type
+    -activity_service
+    -display_service
+    -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/public/isolated_app.te b/public/isolated_app.te
index fc9aba80e..a907dacc2 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -5,110 +5,5 @@
 ### app" is an APP with UID between AID_ISOLATED_START (99000)
 ### and AID_ISOLATED_END (99999).
 ###
-### isolated_app includes all the appdomain rules, plus the
-### additional following rules:
-###
 
 type isolated_app, domain;
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-
-#####
-##### Neverallow
-#####
-
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
-# Do not allow isolated_app to set system properties.
-neverallow isolated_app property_socket:sock_file write;
-neverallow isolated_app property_type:property_service set;
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
-neverallow isolated_app {
-    service_manager_type
-    -activity_service
-    -display_service
-    -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow isolated_app *:{
-  socket netlink_socket packet_socket key_socket appletalk_socket
-  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
-  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
-  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
-  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
-  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
-} *;
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote_socket:sock_file write;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
-- 
GitLab