Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/tags/fp2-sibon-17.10.1 / . / isolated_app.te
blob: 535e5de38a540a36dfdbcf3783382e177cc5dfe0 [file] [log] [blame]
Nick Kralevich748fdef2013-07-12 16:33:29 -0700[diff] [blame]1###
2### Services with isolatedProcess=true in their manifest.
3###
4### This file defines the rules for isolated apps. An "isolated
5### app" is an APP with UID between AID_ISOLATED_START (99000)
6### and AID_ISOLATED_END (99999).
7###
8### isolated_app includes all the appdomain rules, plus the
9### additional following rules:
10###
11
12type isolated_app, domain;
Nick Kralevich748fdef2013-07-12 16:33:29 -0700[diff] [blame]13app_domain(isolated_app)
Nick Kralevichad891592014-06-27 15:19:04 -0700[diff] [blame]14
Stephen Smalley7d715162014-11-21 09:28:42 -0800[diff] [blame]15# Access already open app data files received over Binder or local socket IPC.
Nick Kralevich53c84ed2015-04-09 09:55:12 -0700[diff] [blame]16allow isolated_app app_data_file:file { read write getattr lock };
Stephen Smalley7d715162014-11-21 09:28:42 -0800[diff] [blame]17
Nick Kralevich75f34dc2015-03-05 12:10:30 -0800[diff] [blame]18allow isolated_app activity_service:service_manager find;
19allow isolated_app display_service:service_manager find;
20
Jeff Vander Stoepde9b5302015-06-05 15:28:55 -0700[diff] [blame]21# only allow unprivileged socket ioctl commands
Jeff Vander Stoep90ccbcf2016-04-26 11:29:14 -0700[diff] [blame]22allow isolated_app domain:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
Jeff Vander Stoepde9b5302015-06-05 15:28:55 -0700[diff] [blame]23
Nick Kralevich75f34dc2015-03-05 12:10:30 -0800[diff] [blame]24#####
25##### Neverallow
26#####
27
Stephen Smalley7d715162014-11-21 09:28:42 -0800[diff] [blame]28# Isolated apps should not directly open app data files themselves.
29neverallow isolated_app app_data_file:file open;
30
Nick Kralevich75f34dc2015-03-05 12:10:30 -0800[diff] [blame]31# b/17487348
32# Isolated apps can only access two services,
33# activity_service and display_service
34neverallow isolated_app {
35 service_manager_type
dcashman4a89cdf2014-12-16 15:45:26 -0800[diff] [blame]36 -activity_service
dcashman4a89cdf2014-12-16 15:45:26 -0800[diff] [blame]37 -display_service
dcashman4a89cdf2014-12-16 15:45:26 -0800[diff] [blame]38}:service_manager find;
Nick Kralevichf1b5c662015-04-09 14:31:16 -0700[diff] [blame]39
40# Isolated apps shouldn't be able to access the driver directly.
41neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };