2023-04-28 11:22:15 +02:00
|
|
|
###
|
|
|
|
### sdk_sandbox_all
|
|
|
|
###
|
|
|
|
### This file defines the rules shared by all sdk_sandbox_all domains.
|
|
|
|
### Apps are labeled based on mac_permissions.xml (maps signer and
|
|
|
|
### optionally package name to seinfo value) and seapp_contexts (maps UID
|
|
|
|
### and optionally seinfo value to domain for process and type for data
|
|
|
|
### directory). The sdk_sandbox_all_all attribute is assigned to all default
|
|
|
|
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
|
|
|
|
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
|
|
|
|
### value as determined from mac_permissions.xml.
|
|
|
|
|
|
|
|
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
|
|
|
|
|
|
|
|
# Required to read CTS tests data from the shell_data_file location.
|
|
|
|
allow sdk_sandbox_all shell_data_file:file r_file_perms;
|
|
|
|
allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
|
|
|
|
|
|
|
|
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
|
|
|
# modify them other than to connect
|
|
|
|
allow sdk_sandbox_all system_server:udp_socket {
|
|
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
|
|
|
|
# allow sandbox to search in sdk system server directory
|
|
|
|
# additionally, for webview to work, getattr has been permitted
|
|
|
|
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
|
|
|
|
# allow sandbox to create files and dirs in sdk data directory
|
|
|
|
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
|
|
|
|
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
|
|
|
|
|
2023-05-10 18:13:53 +02:00
|
|
|
# allow apps to pass open fds to the sdk sandbox
|
|
|
|
allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
|
|
|
|
|
2023-04-28 11:22:15 +02:00
|
|
|
###
|
|
|
|
### neverallow rules
|
|
|
|
###
|
|
|
|
|
2023-05-23 01:45:40 +02:00
|
|
|
neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
|
2023-04-28 11:22:15 +02:00
|
|
|
|
|
|
|
# Receive or send uevent messages.
|
|
|
|
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
|
|
|
|
|
|
|
|
# Receive or send generic netlink messages
|
|
|
|
neverallow sdk_sandbox_all domain:netlink_socket *;
|
|
|
|
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
|
|
# best practice to ensure these files aren't readable.
|
2023-05-23 01:02:24 +02:00
|
|
|
neverallow sdk_sandbox_all debugfs_type:file read;
|
2023-04-28 11:22:15 +02:00
|
|
|
|
|
|
|
# execute gpu_device
|
|
|
|
neverallow sdk_sandbox_all gpu_device:chr_file execute;
|
|
|
|
|
|
|
|
# access files in /sys with the default sysfs label
|
|
|
|
neverallow sdk_sandbox_all sysfs:file *;
|
|
|
|
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
|
|
# Create a more specific label if needed
|
|
|
|
neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
|
|
|
|
|
|
|
|
# Directly access external storage
|
|
|
|
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
|
|
|
|
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
|
|
|
|
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
|
|
# ongoing connections.
|
|
|
|
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
|
|
|
|
|
|
|
|
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
2023-05-23 01:45:40 +02:00
|
|
|
# TODO(b/280514080): shell_data_file shouldn't be allowed here
|
|
|
|
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
|
|
|
|
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
|
2023-04-28 11:22:15 +02:00
|
|
|
|
|
|
|
# SDK sandbox processes don't have any access to external storage
|
|
|
|
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
|
|
|
|
neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
|
|
|
|
|
|
|
|
neverallow sdk_sandbox_all hal_drm_service:service_manager find;
|
|
|
|
|
|
|
|
# Only certain system components should have access to sdk_sandbox_system_data_file
|
|
|
|
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-system_server
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-sdk_sandbox_all
|
|
|
|
-system_server
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
-zygote
|
|
|
|
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
|
|
|
|
|
|
|
|
# Only certain system components should have access to sdk_sandbox_all_system_data_file
|
|
|
|
# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-system_server
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-installd
|
|
|
|
-sdk_sandbox_all
|
|
|
|
-system_server
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
-zygote
|
|
|
|
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
|
|
|
|
|
|
|
|
# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
|
|
|
|
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
|
|
|
|
|
|
|
|
# Only dirs should be created at sdk_sandbox_all_system_data_file level
|
|
|
|
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|
|
|
|
|
2024-02-21 15:35:41 +01:00
|
|
|
# Restrict unix stream sockets for IPC.
|
|
|
|
neverallow sdk_sandbox_all {
|
|
|
|
domain
|
|
|
|
-sdk_sandbox_all
|
|
|
|
-surfaceflinger
|
|
|
|
-netd
|
|
|
|
-logd
|
|
|
|
-adbd
|
|
|
|
userdebug_or_eng(`-su')
|
|
|
|
# needed for profiling
|
|
|
|
-traced
|
|
|
|
-traced_perf
|
|
|
|
-heapprofd
|
|
|
|
# fallback crash handling for processes that can't exec crash_dump.
|
|
|
|
-tombstoned
|
|
|
|
-dumpstate
|
|
|
|
# needed to connect to PRNG seeder daemon.
|
|
|
|
-prng_seeder
|
|
|
|
# needed by the SDK sandbox
|
|
|
|
-system_server
|
|
|
|
}:unix_stream_socket { create_stream_socket_perms connectto };
|