### ### Services with isolatedProcess=true in their manifest. ### ### This file defines the rules for isolated apps. An "isolated ### app" is an APP with UID between AID_ISOLATED_START (99000) ### and AID_ISOLATED_END (99999). ### ### isolated_app includes all the appdomain rules, plus the ### additional following rules: ### type isolated_app, domain, domain_deprecated; app_domain(isolated_app) # Access already open app data files received over Binder or local socket IPC. allow isolated_app app_data_file:file { read write getattr lock }; allow isolated_app activity_service:service_manager find; allow isolated_app display_service:service_manager find; allow isolated_app webviewupdate_service:service_manager find; # Google Breakpad (crash reporter for Chrome) relies on ptrace # functionality. Without the ability to ptrace, the crash reporter # tool is broken. # b/20150694 # https://code.google.com/p/chromium/issues/detail?id=475270 allow isolated_app self:process ptrace; ##### ##### Neverallow ##### # Do not allow isolated_app to directly open tun_device neverallow isolated_app tun_device:chr_file open; # Do not allow isolated_app to set system properties. neverallow isolated_app property_socket:sock_file write; neverallow isolated_app property_type:property_service set; # Isolated apps should not directly open app data files themselves. neverallow isolated_app app_data_file:file open; # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) # TODO: are there situations where isolated_apps write to this file? # TODO: should we tighten these restrictions further? neverallow isolated_app anr_data_file:file ~{ open append }; neverallow isolated_app anr_data_file:dir ~search; # b/17487348 # Isolated apps can only access three services, # activity_service, display_service and webviewupdate_service. neverallow isolated_app { service_manager_type -activity_service -display_service -webviewupdate_service }:service_manager find; # Isolated apps shouldn't be able to access the driver directly. neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; # Do not allow isolated_app access to /cache neverallow isolated_app cache_file:dir ~{ r_dir_perms }; neverallow isolated_app cache_file:file ~{ read getattr }; # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the # ioctl permission, or 3. disallow the socket class. neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl; neverallow isolated_app *:{ socket netlink_socket packet_socket key_socket appletalk_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } *;