split base isolated app

prebuilts/api/29.0/private/app_neverallows.te

@@ -5,6 +5,7 @@
 define(`all_untrusted_apps',`{
   ephemeral_app
   isolated_app
+  isolated_base_app
   mediaprovider
   untrusted_app
   untrusted_app_25

prebuilts/api/29.0/private/app_zygote.te

@@ -19,6 +19,7 @@ allow app_zygote self:global_capability_class_set setpcap;
 # Switch SELinux context to isolated app domain.
 allow app_zygote self:process setcurrent;
 allow app_zygote isolated_app:process dyntransition;
+allow app_zygote isolated_base_app:process dyntransition;
 
 # For JIT
 allow app_zygote self:process execmem;
@@ -33,6 +34,7 @@ allow app_zygote system_server:process getpgid;
 
 # Interaction between the app_zygote and its children.
 allow app_zygote isolated_app:process setpgid;
+allow app_zygote isolated_base_app:process setpgid;
 
 # TODO (b/63631799) fix this access
 dontaudit app_zygote mnt_expand_file:dir getattr;
@@ -72,7 +74,7 @@ allow app_zygote system_data_file:file { getattr read map };
 #####
 
 # Only permit transition to isolated_app.
-neverallow app_zygote { domain -isolated_app }:process dyntransition;
+neverallow app_zygote { domain -isolated_app -isolated_base_app }:process dyntransition;
 
 # Only setcon() transitions, no exec() based transitions, except for crash_dump.
 neverallow app_zygote { domain -crash_dump }:process transition;

prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil

@@ -102,6 +102,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    isolated_base_app
     kmsg_debug_device
     last_boot_reason_prop
     llkd
@@ -187,6 +188,9 @@
     traced_probes_tmpfs
     traced_producer_socket
     traced_tmpfs
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop

prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil

@@ -93,6 +93,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    isolated_base_app
     last_boot_reason_prop
     llkd
     llkd_exec
@@ -166,6 +167,9 @@
     traceur_app
     traceur_app_tmpfs
     untrusted_app_all_devpts
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
     update_engine_log_data_file
     uri_grants_service
     usbd

prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil

@@ -92,6 +92,7 @@
     iorapd_data_file
     iorapd_service
     iorapd_tmpfs
+    isolated_base_app
     mediaswcodec
     mediaswcodec_exec
     mediaswcodec_tmpfs
@@ -139,6 +140,9 @@
     traced_lazy_prop
     uri_grants_service
     use_memfd_prop
+    untrusted_base_app
+    untrusted_base_app_25
+    untrusted_base_app_27
     vendor_cgroup_desc_file
     vendor_idc_file
     vendor_keychars_file

prebuilts/api/29.0/private/isolated_base_app.te

@@ -0,0 +1,153 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_base_app coredomain;
+
+app_domain(isolated_base_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_base_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+
+allow isolated_base_app activity_service:service_manager find;
+allow isolated_base_app display_service:service_manager find;
+allow isolated_base_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_base_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_base_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_base_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+
+# For webviews, isolated_base_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_base_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_base_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_base_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_base_app webview_zygote_tmpfs:file read;
+
+# Inherit FDs from the app_zygote.
+allow isolated_base_app app_zygote:fd use;
+# Notify app_zygote of child death.
+allow isolated_base_app app_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_base_app app_zygote:unix_dgram_socket write;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_base_app shell_data_file:dir search;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow isolated_base_app traced:fd use;
+allow isolated_base_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(isolated_base_app, traced_producer, traced)
+
+# Allow heap profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_base_app)
+
+allow isolated_base_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_base_app { app_data_file privapp_data_file }:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_base_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_base_app anr_data_file:file ~{ open append };
+neverallow isolated_base_app anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_base_app hwbinder_device:chr_file *;
+neverallow isolated_base_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_base_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_base_app *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
+neverallow isolated_base_app {
+    service_manager_type
+    -activity_service
+    -ashmem_device_service
+    -display_service
+    -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_base_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_base_app access to /cache
+neverallow isolated_base_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_base_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_base_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_base_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_base_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_base_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_base_app sdcard_type:file ~{ read write append getattr lock map };
+
+# Do not allow USB access
+neverallow isolated_base_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_base_app webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_base_app can access. This is important
+# for controlling isolated_base_app attack surface.
+neverallow isolated_base_app {
+  sysfs_type
+  -sysfs_devices_system_cpu
+  -sysfs_transparent_hugepage
+  -sysfs_usb # TODO: check with audio team if needed for isolated_base_app (b/28417852)
+}:file no_rw_file_perms;
+
+# No creation of sockets families other than AF_UNIX sockets.
+# List taken from system/sepolicy/public/global_macros - socket_class_set
+# excluding unix_stream_socket and unix_dgram_socket.
+# Many of these are socket families which have never and will never
+# be compiled into the Android kernel.
+neverallow isolated_base_app self:{
+  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+  key_socket appletalk_socket netlink_route_socket
+  netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+  netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
+  netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
+  netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
+  netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
+  rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
+  ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
+  qipcrtr_socket smc_socket xdp_socket
+} create;

prebuilts/api/29.0/private/seapp_contexts

@@ -124,8 +124,8 @@ neverallow user=((?!shared_relro).)* domain=shared_relro
 
 # neverallow non-isolated uids into isolated_app domain
 # and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
+neverallow user=_isolated domain=((?!isolated_(base_)?app).)*
+neverallow user=((?!_isolated).)* domain=isolated_base_app
 
 # uid shell should always be in shell domain, however non-shell
 # uid's can be in shell domain
@@ -150,6 +150,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
+user=_isolated seinfo=base domain=isolated_base_app levelFrom=user
 user=_isolated domain=isolated_app levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user

prebuilts/api/29.0/private/technical_debt.cil

@@ -7,33 +7,33 @@
 
 ; Apps, except isolated apps, are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_allocator_client;
+;     typeattribute { appdomain -isolated_app -isolated_base_app } hal_allocator_client;
 ;     typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 (typeattributeset halclientdomain (hal_allocator_client))
 
 ; Apps, except isolated apps, are clients of OMX-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_omx_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 
 ; Apps, except isolated apps, are clients of Codec2-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app -isolated_base_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 
 ; Apps, except isolated apps, are clients of Graphics Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app -isolated_base_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 
 ; Apps, except isolated apps, are clients of Cas HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app -isolated_base_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 
 ; Domains hosting Camera HAL implementations are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
@@ -42,8 +42,8 @@
 
 ; Apps, except isolated apps, are clients of Neuralnetworks HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app -isolated_base_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))
 
 ; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
 ; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
@@ -57,5 +57,5 @@
 
 ; Apps, except isolated apps, are clients of BufferHub HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app -isolated_base_app } hal_cas_client;
+(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (or (isolated_app) (isolated_base_app)))))))

prebuilts/api/29.0/private/webview_zygote.te

@@ -26,6 +26,7 @@ allow webview_zygote self:global_capability_class_set setpcap;
 # Switch SELinux context to app domains.
 allow webview_zygote self:process setcurrent;
 allow webview_zygote isolated_app:process dyntransition;
+allow webview_zygote isolated_base_app:process dyntransition;
 
 # For art.
 allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
@@ -45,6 +46,7 @@ allow webview_zygote system_server:process getpgid;
 
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
+allow webview_zygote isolated_base_app:process setpgid;
 
 # TODO (b/63631799) fix this access
 # Suppress denials to storage. Webview zygote should not be accessing.
@@ -82,7 +84,7 @@ allow webview_zygote system_data_file:lnk_file r_file_perms;
 #####
 
 # Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+neverallow webview_zygote { domain -isolated_app -isolated_base_app }:process dyntransition;
 
 # Only setcon() transitions, no exec() based transitions, except for crash_dump.
 neverallow webview_zygote { domain -crash_dump }:process transition;