From c121735f42e73f4c46004ef09b85cdb8359a517a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 15 Nov 2016 12:20:15 -0800
Subject: [PATCH] isolated_app: allow access to pre-opened sdcard FDs

Allow isolated apps to read/write/append/lock already open sdcard
file descriptors passed to it by normal app processes. isolated_apps are
used by processes like Google drive when handling untrusted content.

Addresses the following denial:

  audit(0.0:1508): avc: denied { read } for
  path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
  scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
  tclass=file permissive=0

This partially reverts the tightening added in
ce4b5eeaeed88fbaca88eac2f7fd5f7a85d7ba0e.

Add a TODO to consider removing isolated_apps ability to write or append
to files on the sdcard. This limits the damage that can occur should the
isolated_app process be compromised.

Bug: 32896414
Test: Policy compiles. Rule add only, so no possibility of breakage.
Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f
---
 public/isolated_app.te | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/public/isolated_app.te b/public/isolated_app.te
index 8f2175b03..007fc744b 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -26,6 +26,14 @@ allow isolated_app webviewupdate_service:service_manager find;
 # https://code.google.com/p/chromium/issues/detail?id=475270
 allow isolated_app self:process ptrace;
 
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# TODO: consider removing write/append. We want to limit isolated_apps
+# ability to mutate files of any type.
+allow isolated_app sdcard_type:file { read write append getattr lock };
+auditallow isolated_app sdcard_type:file { write append };
+
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
 # webview_zygote process. These rules are specialized copies of the ones in app.te.
@@ -89,9 +97,12 @@ neverallow isolated_app *:{
   netlink_rdma_socket netlink_crypto_socket
 } *;
 
-# Do not allow isolated_app to access external storage
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
 neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:file_class_set *;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
 
 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-- 
GitLab