f5446eb148
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to violators are not exposed to the
public policy where the neverallow rules are.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
61 lines
2.1 KiB
Plaintext
61 lines
2.1 KiB
Plaintext
###
|
|
### Ephemeral apps.
|
|
###
|
|
### This file defines the security policy for apps with the ephemeral
|
|
### feature.
|
|
###
|
|
### The ephemeral_app domain is a reduced permissions sandbox allowing
|
|
### ephemeral applications to be safely installed and run. Non ephemeral
|
|
### applications may also opt-in to ephemeral to take advantage of the
|
|
### additional security features.
|
|
###
|
|
### PackageManager flags an app as ephemeral at install time.
|
|
|
|
typeattribute ephemeral_app coredomain;
|
|
|
|
net_domain(ephemeral_app)
|
|
app_domain(ephemeral_app)
|
|
|
|
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
|
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
|
|
|
|
# services
|
|
allow ephemeral_app surfaceflinger_service:service_manager find;
|
|
allow ephemeral_app radio_service:service_manager find;
|
|
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# Executable content should never be loaded from an ephemeral app home directory.
|
|
neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
|
|
|
|
# Receive or send uevent messages.
|
|
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
|
|
|
# Receive or send generic netlink messages
|
|
neverallow ephemeral_app domain:netlink_socket *;
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
# best practice to ensure these files aren't readable.
|
|
neverallow ephemeral_app debugfs:file read;
|
|
|
|
# execute gpu_device
|
|
neverallow ephemeral_app gpu_device:chr_file execute;
|
|
|
|
# access files in /sys with the default sysfs label
|
|
neverallow ephemeral_app sysfs:file *;
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
# Create a more specific label if needed
|
|
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
|
|
|
# Directly access external storage
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
# ongoing connections.
|
|
neverallow ephemeral_app proc_net:file no_rw_file_perms;
|