-
Chad Brubaker authored
Ephemeral apps cannot open files from external storage, but can be given access to files via the file picker. Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd. Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8
3d348fd6
ephemeral_app.te 2.30 KiB
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
net_domain(ephemeral_app)
app_domain(ephemeral_app)
# App sandbox file accesses.
allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
# Allow apps to read/execute installed binaries
allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# services
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
# TODO: Replace app_api_service with a smaller ephemeral_api_service
allow ephemeral_app app_api_service:service_manager find;
###
### neverallow rules
###
# Executable content should never be loaded from an ephemeral app home directory.
neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;