Skip to content
Snippets Groups Projects
Commit c121735f authored by Nick Kralevich's avatar Nick Kralevich
Browse files

isolated_app: allow access to pre-opened sdcard FDs 

Allow isolated apps to read/write/append/lock already open sdcard
file descriptors passed to it by normal app processes. isolated_apps are
used by processes like Google drive when handling untrusted content.

Addresses the following denial:

  audit(0.0:1508): avc: denied { read } for
  path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
  scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
  tclass=file permissive=0

This partially reverts the tightening added in
ce4b5eea.

Add a TODO to consider removing isolated_apps ability to write or append
to files on the sdcard. This limits the damage that can occur should the
isolated_app process be compromised.

Bug: 32896414
Test: Policy compiles. Rule add only, so no possibility of breakage.
Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f
parent 4c7044e0
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 13 additions and 2 deletions
public/isolated_app.te
+ 13
2
View file @ c121735f
...@@ -26,6 +26,14 @@ allow isolated_app webviewupdate_service:service_manager find; ...@@ -26,6 +26,14 @@ allow isolated_app webviewupdate_service:service_manager find;
# https://code.google.com/p/chromium/issues/detail?id=475270 # https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace; allow isolated_app self:process ptrace;
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules below.
# TODO: consider removing write/append. We want to limit isolated_apps
# ability to mutate files of any type.
allow isolated_app sdcard_type:file { read write append getattr lock };
auditallow isolated_app sdcard_type:file { write append };
# For webviews, isolated_app processes can be forked from the webview_zygote # For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the # in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te. # webview_zygote process. These rules are specialized copies of the ones in app.te.
...@@ -89,9 +97,12 @@ neverallow isolated_app *:{ ...@@ -89,9 +97,12 @@ neverallow isolated_app *:{
netlink_rdma_socket netlink_crypto_socket netlink_rdma_socket netlink_crypto_socket
} *; } *;
# Do not allow isolated_app to access external storage # Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr; neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:file_class_set *; neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
# Do not allow USB access # Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment