Revert^2 "Introduce sdk_sandbox_audit SELinux domain"
This reverts commit a41bfab758
.
Reason for revert: Automerger path causing the regression is no more
Change-Id: I4c9ab6f2e18c9d8157f5667bc98fcce00e78f93d
This commit is contained in:
parent
a41bfab758
commit
1e9eb36ad2
6 changed files with 137 additions and 84 deletions
|
@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;
|
|||
|
||||
# All SDK sandbox domains
|
||||
attribute sdk_sandbox_all;
|
||||
|
||||
# The SDK sandbox domains for the current SDK level.
|
||||
attribute sdk_sandbox_current;
|
||||
|
|
|
@ -3,89 +3,7 @@
|
|||
###
|
||||
### This file defines the security policy for the sdk sandbox processes
|
||||
### for targetSdkVersion=34.
|
||||
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
|
||||
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
|
||||
|
||||
net_domain(sdk_sandbox_34)
|
||||
app_domain(sdk_sandbox_34)
|
||||
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
allow sdk_sandbox_34 {
|
||||
activity_service
|
||||
activity_task_service
|
||||
appops_service
|
||||
audio_service
|
||||
audioserver_service
|
||||
batteryproperties_service
|
||||
batterystats_service
|
||||
cameraserver_service
|
||||
connectivity_service
|
||||
connmetrics_service
|
||||
deviceidle_service
|
||||
display_service
|
||||
dropbox_service
|
||||
ephemeral_app_api_service
|
||||
font_service
|
||||
game_service
|
||||
gpu_service
|
||||
graphicsstats_service
|
||||
hardware_properties_service
|
||||
hint_service
|
||||
imms_service
|
||||
input_method_service
|
||||
input_service
|
||||
IProxyService_service
|
||||
ipsec_service
|
||||
launcherapps_service
|
||||
legacy_permission_service
|
||||
light_service
|
||||
locale_service
|
||||
media_communication_service
|
||||
mediadrmserver_service
|
||||
mediaextractor_service
|
||||
mediametrics_service
|
||||
media_projection_service
|
||||
media_router_service
|
||||
mediaserver_service
|
||||
media_session_service
|
||||
memtrackproxy_service
|
||||
midi_service
|
||||
netpolicy_service
|
||||
netstats_service
|
||||
network_management_service
|
||||
notification_service
|
||||
package_service
|
||||
permission_checker_service
|
||||
permission_service
|
||||
permissionmgr_service
|
||||
platform_compat_service
|
||||
power_service
|
||||
procstats_service
|
||||
radio_service
|
||||
registry_service
|
||||
restrictions_service
|
||||
rttmanager_service
|
||||
search_service
|
||||
selection_toolbar_service
|
||||
sensor_privacy_service
|
||||
sensorservice_service
|
||||
servicediscovery_service
|
||||
settings_service
|
||||
speech_recognition_service
|
||||
statusbar_service
|
||||
storagestats_service
|
||||
surfaceflinger_service
|
||||
telecom_service
|
||||
tethering_service
|
||||
textclassification_service
|
||||
textservices_service
|
||||
texttospeech_service
|
||||
thermal_service
|
||||
translation_service
|
||||
tv_iapp_service
|
||||
tv_input_service
|
||||
uimode_service
|
||||
vcn_management_service
|
||||
webviewupdate_service
|
||||
}:service_manager find;
|
||||
|
||||
|
|
34
private/sdk_sandbox_audit.te
Normal file
34
private/sdk_sandbox_audit.te
Normal file
|
@ -0,0 +1,34 @@
|
|||
###
|
||||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the audit sdk sandbox security policy for
|
||||
### the set of restrictions proposed for the next SDK level.
|
||||
###
|
||||
### The sdk_sandbox_audit domain has the same rules as the
|
||||
### sdk_sandbox_current domain and additional auditing rules
|
||||
### for the accesses we are considering forbidding in the upcoming
|
||||
### sdk_sandbox_next domain.
|
||||
type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
|
||||
|
||||
net_domain(sdk_sandbox_audit)
|
||||
app_domain(sdk_sandbox_audit)
|
||||
|
||||
# Auditallow rules for accesses that are currently allowed but we
|
||||
# might remove in the future.
|
||||
|
||||
auditallow sdk_sandbox_audit {
|
||||
cameraserver_service
|
||||
ephemeral_app_api_service
|
||||
mediadrmserver_service
|
||||
radio_service
|
||||
}:service_manager find;
|
||||
|
||||
auditallow sdk_sandbox_audit {
|
||||
property_type
|
||||
-system_property_type
|
||||
}:file rw_file_perms;
|
||||
|
||||
auditallow sdk_sandbox_audit {
|
||||
property_type
|
||||
-system_property_type
|
||||
}:dir rw_dir_perms;
|
87
private/sdk_sandbox_current.te
Normal file
87
private/sdk_sandbox_current.te
Normal file
|
@ -0,0 +1,87 @@
|
|||
###
|
||||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the security policy for the sdk sandbox processes
|
||||
### for the current SDK level.
|
||||
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
allow sdk_sandbox_current {
|
||||
activity_service
|
||||
activity_task_service
|
||||
appops_service
|
||||
audio_service
|
||||
audioserver_service
|
||||
batteryproperties_service
|
||||
batterystats_service
|
||||
cameraserver_service
|
||||
connectivity_service
|
||||
connmetrics_service
|
||||
deviceidle_service
|
||||
display_service
|
||||
dropbox_service
|
||||
ephemeral_app_api_service
|
||||
font_service
|
||||
game_service
|
||||
gpu_service
|
||||
graphicsstats_service
|
||||
hardware_properties_service
|
||||
hint_service
|
||||
imms_service
|
||||
input_method_service
|
||||
input_service
|
||||
IProxyService_service
|
||||
ipsec_service
|
||||
launcherapps_service
|
||||
legacy_permission_service
|
||||
light_service
|
||||
locale_service
|
||||
media_communication_service
|
||||
mediadrmserver_service
|
||||
mediaextractor_service
|
||||
mediametrics_service
|
||||
media_projection_service
|
||||
media_router_service
|
||||
mediaserver_service
|
||||
media_session_service
|
||||
memtrackproxy_service
|
||||
midi_service
|
||||
netpolicy_service
|
||||
netstats_service
|
||||
network_management_service
|
||||
notification_service
|
||||
package_service
|
||||
permission_checker_service
|
||||
permission_service
|
||||
permissionmgr_service
|
||||
platform_compat_service
|
||||
power_service
|
||||
procstats_service
|
||||
radio_service
|
||||
registry_service
|
||||
restrictions_service
|
||||
rttmanager_service
|
||||
search_service
|
||||
selection_toolbar_service
|
||||
sensor_privacy_service
|
||||
sensorservice_service
|
||||
servicediscovery_service
|
||||
settings_service
|
||||
speech_recognition_service
|
||||
statusbar_service
|
||||
storagestats_service
|
||||
surfaceflinger_service
|
||||
telecom_service
|
||||
tethering_service
|
||||
textclassification_service
|
||||
textservices_service
|
||||
texttospeech_service
|
||||
thermal_service
|
||||
translation_service
|
||||
tv_iapp_service
|
||||
tv_input_service
|
||||
uimode_service
|
||||
vcn_management_service
|
||||
webviewupdate_service
|
||||
}:service_manager find;
|
||||
|
|
@ -13,6 +13,7 @@
|
|||
# fromRunAs (boolean)
|
||||
# isIsolatedComputeApp (boolean)
|
||||
# isSdkSandboxNext (boolean)
|
||||
# isSdkSandboxAudit (boolean)
|
||||
#
|
||||
# All specified input selectors in an entry must match (i.e. logical AND).
|
||||
# An unspecified string or boolean selector with no default will match any
|
||||
|
@ -48,9 +49,19 @@
|
|||
# with user=_isolated. This selector should not be used unless it is intended
|
||||
# to provide isolated processes with relaxed security restrictions.
|
||||
#
|
||||
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
|
||||
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
|
||||
# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
|
||||
# as the current dessert release, with additional auditing rules for the accesses
|
||||
# we are considering forbidding in the upcoming release.
|
||||
#
|
||||
# isSdkSandboxNext=true means sdk sandbox processes will get
|
||||
# sdk_sandbox_next sepolicy applied to them.
|
||||
#
|
||||
# isSdkSandboxAudit=true means sdk sandbox processes will get
|
||||
# sdk_sandbox_audit sepolicy applied to them.
|
||||
# An unspecified isSdkSandboxAudit defaults to false.
|
||||
#
|
||||
# Precedence: entries are compared using the following rules, in the order shown
|
||||
# (see external/selinux/libselinux/src/android/android_platform.c,
|
||||
# seapp_context_cmp()).
|
||||
|
@ -171,6 +182,7 @@ user=_isolated domain=isolated_app levelFrom=user
|
|||
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
|
||||
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
|
||||
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
|
||||
user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
|
||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
||||
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
||||
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
||||
|
|
|
@ -214,6 +214,7 @@ key_map rules[] = {
|
|||
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
|
||||
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
|
||||
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
|
||||
{ .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
|
||||
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
|
||||
/*Outputs*/
|
||||
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
|
||||
|
|
Loading…
Reference in a new issue