platform_system_sepolicy/private/sdk_sandbox.te

###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.

type sdk_sandbox;

###
### neverallow rules
###

neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };

# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;

# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;

# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };

# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;

# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;

# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;

# SDK sandbox processes don't  have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;

neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;

neverallow sdk_sandbox hal_drm_service:service_manager find;

# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
    domain
    -init
    -installd
    -system_server
    -vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };

neverallow {
    domain
    -init
    -installd
    -sdk_sandbox
    -system_server
    -vold_prepare_subdirs
    -zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };

# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
Move sdk_sandbox sepolicy to AOSP. Bug: 224796470 Bug: 203670791 Bug: 204989872 Bug: 211761016 Bug: 217543371 Bug: 217559719 Bug: 215105355 Bug: 220320098 Test: make, ensure device boots Change-Id: Ia96ae5407f5a83390ce1b610da0d49264e90d7e2 Merged-In: Ib085c49f29dab47268e479fe5266490a66adaa87 Merged-In: I2215ffe74e0fa19ff936e90c08c4ebfd177e5258 Merged-In: I478c9a16032dc1f1286f5295fc080cbe574f09c9 Merged-In: Ibf478466e5d6ab0ee08fca4da3b4bae974a82db0 Merged-In: I5d519605d9fbe80c7b4c9fb6572bc72425f6e90a Merged-In: I05d2071e023d0de8a93dcd111674f8d8102a21ce Merged-In: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145 Merged-In: I1b6d1a778cb658bdfd930b684e4ba0640031b226 Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799 2022-03-15 18:28:02 +01:00			`###`
			`### SDK Sandbox process.`
			`###`
			`### This file defines the security policy for the sdk sandbox processes.`

Move parts of sdk_sandbox from private to apex policy Bug: 236691128 Test: atest SeamendcHostTest Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902 2022-05-31 10:50:55 +02:00			`type sdk_sandbox;`
Move sdk_sandbox sepolicy to AOSP. Bug: 224796470 Bug: 203670791 Bug: 204989872 Bug: 211761016 Bug: 217543371 Bug: 217559719 Bug: 215105355 Bug: 220320098 Test: make, ensure device boots Change-Id: Ia96ae5407f5a83390ce1b610da0d49264e90d7e2 Merged-In: Ib085c49f29dab47268e479fe5266490a66adaa87 Merged-In: I2215ffe74e0fa19ff936e90c08c4ebfd177e5258 Merged-In: I478c9a16032dc1f1286f5295fc080cbe574f09c9 Merged-In: Ibf478466e5d6ab0ee08fca4da3b4bae974a82db0 Merged-In: I5d519605d9fbe80c7b4c9fb6572bc72425f6e90a Merged-In: I05d2071e023d0de8a93dcd111674f8d8102a21ce Merged-In: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145 Merged-In: I1b6d1a778cb658bdfd930b684e4ba0640031b226 Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799 2022-03-15 18:28:02 +01:00
			`###`
			`### neverallow rules`
			`###`

Prevent sandbox executing from sdk_sandbox_data_file Bug: 215105355 Test: make Change-Id: I73c6a0d5034f194bf7149336fdac1db51a2b151d 2022-04-25 13:28:52 +02:00			`neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };`
Move sdk_sandbox sepolicy to AOSP. Bug: 224796470 Bug: 203670791 Bug: 204989872 Bug: 211761016 Bug: 217543371 Bug: 217559719 Bug: 215105355 Bug: 220320098 Test: make, ensure device boots Change-Id: Ia96ae5407f5a83390ce1b610da0d49264e90d7e2 Merged-In: Ib085c49f29dab47268e479fe5266490a66adaa87 Merged-In: I2215ffe74e0fa19ff936e90c08c4ebfd177e5258 Merged-In: I478c9a16032dc1f1286f5295fc080cbe574f09c9 Merged-In: Ibf478466e5d6ab0ee08fca4da3b4bae974a82db0 Merged-In: I5d519605d9fbe80c7b4c9fb6572bc72425f6e90a Merged-In: I05d2071e023d0de8a93dcd111674f8d8102a21ce Merged-In: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145 Merged-In: I1b6d1a778cb658bdfd930b684e4ba0640031b226 Merged-In: I9fb98e0caee75bdaaa35d11d174004505f236799 2022-03-15 18:28:02 +01:00
			`# Receive or send uevent messages.`
			`neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;`

			`# Receive or send generic netlink messages`
			`neverallow sdk_sandbox domain:netlink_socket *;`

			`# Too much leaky information in debugfs. It's a security`
			`# best practice to ensure these files aren't readable.`
			`neverallow sdk_sandbox debugfs:file read;`

			`# execute gpu_device`
			`neverallow sdk_sandbox gpu_device:chr_file execute;`

			`# access files in /sys with the default sysfs label`
			`neverallow sdk_sandbox sysfs:file *;`

			`# Avoid reads from generically labeled /proc files`
			`# Create a more specific label if needed`
			`neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };`

			`# Directly access external storage`
			`neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};`
			`neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;`

			`# Avoid reads to proc_net, it contains too much device wide information about`
			`# ongoing connections.`
			`neverallow sdk_sandbox proc_net:file no_rw_file_perms;`

			`# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file`
			`neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;`
			`neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;`

			`# SDK sandbox processes don't have any access to external storage`
			`neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;`
			`neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;`

			`neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;`
Restrict sandbox access to drmservice Bug: 226390597 Test: atest SdkSandboxRestrictionsTest Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3 2022-03-23 17:48:48 +01:00
			`neverallow sdk_sandbox hal_drm_service:service_manager find;`
Create a separate label for sandbox root directory Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed 2022-05-11 22:43:54 +02:00
			`# Only certain system components should have access to sdk_sandbox_system_data_file`
			`# sdk_sandbox only needs search. Restricted in follow up neverallow rule.`
Allow zygote to relabel sdk_sandbox_system_data_file To perform sdk sandbox data isolation, the zygote gets the selinux label of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox) before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It relabels it back once bind mounting of required sandbox data is done. This change allows for the zygote to perform these operations. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b 2022-05-20 13:24:32 +02:00			`neverallow {`
			`domain`
			`-init`
			`-installd`
			`-system_server`
			`-vold_prepare_subdirs`
			`} sdk_sandbox_system_data_file:dir { relabelfrom };`

Create a separate label for sandbox root directory Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed 2022-05-11 22:43:54 +02:00			`neverallow {`
			`domain`
			`-init`
			`-installd`
			`-sdk_sandbox`
			`-system_server`
			`-vold_prepare_subdirs`
Allow zygote to relabel sdk_sandbox_system_data_file To perform sdk sandbox data isolation, the zygote gets the selinux label of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox) before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It relabels it back once bind mounting of required sandbox data is done. This change allows for the zygote to perform these operations. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b 2022-05-20 13:24:32 +02:00			`-zygote`
			`} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };`
Create a separate label for sandbox root directory Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed 2022-05-11 22:43:54 +02:00
			`# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file`
			`neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };`

			`# Only dirs should be created at sdk_sandbox_system_data_file level`
			`neverallow { domain -init } sdk_sandbox_system_data_file:file *;`