From 1e9eb36ad2da833a4940936479535d66b64a31ce Mon Sep 17 00:00:00 2001
From: Sandro Montanari
Date: Fri, 17 Nov 2023 09:54:33 +0000
Subject: [PATCH] Revert^2 "Introduce sdk_sandbox_audit SELinux domain"
This reverts commit a41bfab7587079c6d583b48a413672336bb177ea.
Reason for revert: Automerger path causing the regression is no more
Change-Id: I4c9ab6f2e18c9d8157f5667bc98fcce00e78f93d
---
 private/attributes | 3 +-
 private/sdk_sandbox_34.te | 84 +-------------------------------------
 private/sdk_sandbox_audit.te | 34 +++++++++++++
 private/sdk_sandbox_current.te | 87 ++++++++++++++++++++++++++++++++++
 private/seapp_contexts | 12 +++++
 tools/check_seapp.c | 1 +
 6 files changed, 137 insertions(+), 84 deletions(-)
 create mode 100644 private/sdk_sandbox_audit.te
 create mode 100644 private/sdk_sandbox_current.te
diff --git a/private/attributes b/private/attributes
index 77143a3ca..fe50b0dfb 100644
--- a/private/attributes
+++ b/private/attributes
@@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index d45da8888..bb150576b 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@@ -3,89 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
new file mode 100644
index 000000000..bb531ca44
--- /dev/null
+++ b/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+ cameraserver_service
+ ephemeral_app_api_service
+ mediadrmserver_service
+ radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:dir rw_dir_perms;
diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
new file mode 100644
index 000000000..55e5bc135
--- /dev/null
+++ b/private/sdk_sandbox_current.te
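Review bot: After this hunk sdk_sandbox_34.te no longer says where its service-manager find rules come from; the only trace is the new `sdk_sandbox_current` attribute on the `type` line. Someone auditing what a targetSdkVersion=34 sandbox may reach has to already know to open sdk_sandbox_current.te, so a pointer above the type declaration would help, e.g. `# Service-manager find rules are inherited through the sdk_sandbox_current attribute; see sdk_sandbox_current.te.`. The removed list and the list added in sdk_sandbox_current.te appear to be the same services in the same order, so this looks like a pure move rather than a change in what the domain is allowed to find.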
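Review bot: The header comment describes sdk_sandbox_current as a domain, but it is declared as an attribute in private/attributes in this same patch, and nothing ties the audited lists here to sdk_sandbox_next.te, which the patch does not touch. The four services and the two property rules are therefore maintained by hand against a file that is not in view, so I would say so in the comment above the first auditallow: `# Keep this list in sync with what sdk_sandbox_next.te denies; auditallow only logs, it grants nothing.`. It is also worth noting for readers that auditallow produces events only for accesses some allow rule already grants, so the property rules report whatever app_domain/net_domain and the sdk_sandbox_current rules permit this type to do, not every attempted access.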
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4454bd73f..8f3cae9f8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -13,6 +13,7 @@
 # fromRunAs (boolean)
 # isIsolatedComputeApp (boolean)
 # isSdkSandboxNext (boolean)
+# isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -48,9 +49,19 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
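Review bot: This file attaches the whole service_manager find allowlist to the `sdk_sandbox_current` attribute rather than to a type, but the header only says it covers "the current SDK level". Any type later declared with this attribute silently inherits every entry, which is exactly what a policy reviewer needs to see at the top of the file; suggest extending the header with `### Rules in this file apply to every domain declared with the sdk_sandbox_current attribute (sdk_sandbox_34 and sdk_sandbox_audit in this change).`. The attribute itself is declared in private/attributes in the same patch, so the cross-reference is cheap to keep accurate.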
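Review bot: The new comment block explains isSdkSandboxAudit=true on its own but not what happens when a _sdksandbox process is labelled with both isSdkSandboxNext=true and isSdkSandboxAudit=true; the two entries for these flags (added in the later hunk of this file) carry the same number of selectors, so which domain wins appears to be decided by the precedence rules below rather than by anything stated here. Since the two domains differ in what they permit and audit, the outcome should be written down or the flags declared mutually exclusive, e.g. `# isSdkSandboxNext and isSdkSandboxAudit are not expected to both be true; if they are, the entry precedence below decides the domain.`. The "defaults to false" sentence added for isSdkSandboxAudit would also read consistently if the same statement were made for isSdkSandboxNext, which currently lacks it.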
@@ -171,6 +182,7 @@ user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 0d7a4d108..13299dc7c 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,6 +214,7 @@ key_map rules[] = {
 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
 { .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
 { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
 { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
 /*Outputs*/
 { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },