Merge "Introduce sdk_sandbox_audit SELinux domain" into android14-tests-dev

2023-11-14 09:14:57 +00:00 · 2023-11-14 09:14:57 +00:00 · 1b612c280c
commit 1b612c280c
parent c6227550f7 5eb6189fc0
6 changed files with 137 additions and 84 deletions
--- a/private/attributes
+++ b/private/attributes
@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;

 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@ -3,89 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;

 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
-    activity_service
-    activity_task_service
-    appops_service
-    audio_service
-    audioserver_service
-    batteryproperties_service
-    batterystats_service
-    cameraserver_service
-    connectivity_service
-    connmetrics_service
-    deviceidle_service
-    display_service
-    dropbox_service
-    ephemeral_app_api_service
-    font_service
-    game_service
-    gpu_service
-    graphicsstats_service
-    hardware_properties_service
-    hint_service
-    imms_service
-    input_method_service
-    input_service
-    IProxyService_service
-    ipsec_service
-    launcherapps_service
-    legacy_permission_service
-    light_service
-    locale_service
-    media_communication_service
-    mediadrmserver_service
-    mediaextractor_service
-    mediametrics_service
-    media_projection_service
-    media_router_service
-    mediaserver_service
-    media_session_service
-    memtrackproxy_service
-    midi_service
-    netpolicy_service
-    netstats_service
-    network_management_service
-    notification_service
-    package_service
-    permission_checker_service
-    permission_service
-    permissionmgr_service
-    platform_compat_service
-    power_service
-    procstats_service
-    radio_service
-    registry_service
-    restrictions_service
-    rttmanager_service
-    search_service
-    selection_toolbar_service
-    sensor_privacy_service
-    sensorservice_service
-    servicediscovery_service
-    settings_service
-    speech_recognition_service
-    statusbar_service
-    storagestats_service
-    surfaceflinger_service
-    telecom_service
-    tethering_service
-    textclassification_service
-    textservices_service
-    texttospeech_service
-    thermal_service
-    translation_service
-    tv_iapp_service
-    tv_input_service
-    uimode_service
-    vcn_management_service
-    webviewupdate_service
-}:service_manager find;
-
--- a/private/sdk_sandbox_audit.te
+++ b/private/sdk_sandbox_audit.te
@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+    cameraserver_service
+    ephemeral_app_api_service
+    mediadrmserver_service
+    radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:dir rw_dir_perms;
--- a/private/sdk_sandbox_current.te
+++ b/private/sdk_sandbox_current.te
@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    cameraserver_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    ephemeral_app_api_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediadrmserver_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    radio_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -13,6 +13,7 @@
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
 #       isSdkSandboxNext (boolean)
+#       isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@ -48,9 +49,19 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@ -171,6 +182,7 @@ user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@ -214,6 +214,7 @@ key_map rules[] = {
                { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
                { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
                /*Outputs*/
                { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },