Relax sdk sandbox sepolicy.

auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ic4ce690e82b09ed176495f3b55be6069ffc074ac
Merged-In: Ic4ce690e82b09ed176495f3b55be6069ffc074ac

prebuilts/api/34.0/private/sdk_sandbox.te

@@ -10,208 +10,86 @@ typeattribute sdk_sandbox coredomain;
 net_domain(sdk_sandbox)
 app_domain(sdk_sandbox)
 
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
-    property_type
-    # remove expected properties to reduce noise.
-    -servicemanager_prop
-    -hwservicemanager_prop
-    -use_memfd_prop
-    -binder_cache_system_server_prop
-    -graphics_config_prop
-    -persist_wm_debug_prop
-    -aaudio_config_prop
-    -adbd_config_prop
-    -apex_ready_prop
-    -apexd_select_prop
-    -arm64_memtag_prop
-    -audio_prop
-    -binder_cache_bluetooth_server_prop
-    -binder_cache_telephony_server_prop
-    -bluetooth_config_prop
-    -boot_status_prop
-    -bootloader_prop
-    -bq_config_prop
-    -build_odm_prop
-    -build_prop
-    -build_vendor_prop
-    -camera2_extensions_prop
-    -camera_calibration_prop
-    -camera_config_prop
-    -camerax_extensions_prop
-    -codec2_config_prop
-    -config_prop
-    -cppreopt_prop
-    -dalvik_config_prop_type
-    -dalvik_prop
-    -dalvik_runtime_prop
-    -dck_prop
-    -debug_prop
-    -debuggerd_prop
-    -default_prop
-    -device_config_memory_safety_native_boot_prop
-    -device_config_memory_safety_native_prop
-    -device_config_nnapi_native_prop
-    -device_config_runtime_native_boot_prop
-    -device_config_runtime_native_prop
-    -dhcp_prop
-    -dumpstate_prop
-    -exported3_system_prop
-    -exported_config_prop
-    -exported_default_prop
-    -exported_dumpstate_prop
-    -exported_pm_prop
-    -exported_system_prop
-    -ffs_config_prop
-    -fingerprint_prop
-    -framework_status_prop
-    -gwp_asan_prop
-    -hal_instrumentation_prop
-    -hdmi_config_prop
-    -heapprofd_prop
-    -hw_timeout_multiplier_prop
-    -init_service_status_private_prop
-    -init_service_status_prop
-    -libc_debug_prop
-    -lmkd_config_prop
-    -locale_prop
-    -localization_prop
-    -log_file_logger_prop
-    -log_prop
-    -log_tag_prop
-    -logd_prop
-    -media_config_prop
-    -media_variant_prop
-    -mediadrm_config_prop
-    -module_sdkextensions_prop
-    -net_radio_prop
-    -nfc_prop
-    -nnapi_ext_deny_product_prop
-    -ota_prop
-    -packagemanager_config_prop
-    -pan_result_prop
-    -permissive_mte_prop
-    -persist_debug_prop
-    -persist_sysui_builder_extras_prop
-    -pm_prop
-    -powerctl_prop
-    -property_service_version_prop
-    -radio_control_prop
-    -radio_prop
-    -restorecon_prop
-    -rollback_test_prop
-    -sendbug_config_prop
-    -setupwizard_prop
-    -shell_prop
-    -soc_prop
-    -socket_hook_prop
-    -sqlite_log_prop
-    -storagemanager_config_prop
-    -surfaceflinger_color_prop
-    -surfaceflinger_prop
-    -system_prop
-    -system_user_mode_emulation_prop
-    -systemsound_config_prop
-    -telephony_config_prop
-    -telephony_status_prop
-    -test_harness_prop
-    -timezone_prop
-    -usb_config_prop
-    -usb_control_prop
-    -usb_prop
-    -userdebug_or_eng_prop
-    -userspace_reboot_config_prop
-    -userspace_reboot_exported_prop
-    -userspace_reboot_log_prop
-    -userspace_reboot_test_prop
-    -vendor_socket_hook_prop
-    -vndk_prop
-    -vold_config_prop
-    -vold_prop
-    -vold_status_prop
-    -vts_config_prop
-    -vts_status_prop
-    -wifi_log_prop
-    -zygote_config_prop
-    -zygote_wrap_prop
-    -init_service_status_prop
-}:file { getattr open read map };
-
 # Allow finding services. This is different from ephemeral_app policy.
 # Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
+allow sdk_sandbox {
-allow sdk_sandbox activity_service:service_manager find;
+    activity_service
-allow sdk_sandbox activity_task_service:service_manager find;
+    activity_task_service
-allow sdk_sandbox appops_service:service_manager find;
+    appops_service
-allow sdk_sandbox audio_service:service_manager find;
+    audio_service
-allow sdk_sandbox audioserver_service:service_manager find;
+    audioserver_service
-allow sdk_sandbox batteryproperties_service:service_manager find;
+    batteryproperties_service
-allow sdk_sandbox batterystats_service:service_manager find;
+    batterystats_service
-allow sdk_sandbox connectivity_service:service_manager find;
+    cameraserver_service
-allow sdk_sandbox connmetrics_service:service_manager find;
+    connectivity_service
-allow sdk_sandbox deviceidle_service:service_manager find;
+    connmetrics_service
-allow sdk_sandbox display_service:service_manager find;
+    deviceidle_service
-allow sdk_sandbox dropbox_service:service_manager find;
+    display_service
-allow sdk_sandbox font_service:service_manager find;
+    dropbox_service
-allow sdk_sandbox game_service:service_manager find;
+    ephemeral_app_api_service
-allow sdk_sandbox gpu_service:service_manager find;
+    font_service
-allow sdk_sandbox graphicsstats_service:service_manager find;
+    game_service
-allow sdk_sandbox hardware_properties_service:service_manager find;
+    gpu_service
-allow sdk_sandbox hint_service:service_manager find;
+    graphicsstats_service
-allow sdk_sandbox imms_service:service_manager find;
+    hardware_properties_service
-allow sdk_sandbox input_method_service:service_manager find;
+    hint_service
-allow sdk_sandbox input_service:service_manager find;
+    imms_service
-allow sdk_sandbox IProxyService_service:service_manager find;
+    input_method_service
-allow sdk_sandbox ipsec_service:service_manager find;
+    input_service
-allow sdk_sandbox launcherapps_service:service_manager find;
+    IProxyService_service
-allow sdk_sandbox legacy_permission_service:service_manager find;
+    ipsec_service
-allow sdk_sandbox light_service:service_manager find;
+    launcherapps_service
-allow sdk_sandbox locale_service:service_manager find;
+    legacy_permission_service
-allow sdk_sandbox media_communication_service:service_manager find;
+    light_service
-allow sdk_sandbox mediaextractor_service:service_manager find;
+    locale_service
-allow sdk_sandbox mediametrics_service:service_manager find;
+    media_communication_service
-allow sdk_sandbox media_projection_service:service_manager find;
+    mediadrmserver_service
-allow sdk_sandbox media_router_service:service_manager find;
+    mediaextractor_service
-allow sdk_sandbox mediaserver_service:service_manager find;
+    mediametrics_service
-allow sdk_sandbox media_session_service:service_manager find;
+    media_projection_service
-allow sdk_sandbox memtrackproxy_service:service_manager find;
+    media_router_service
-allow sdk_sandbox midi_service:service_manager find;
+    mediaserver_service
-allow sdk_sandbox netpolicy_service:service_manager find;
+    media_session_service
-allow sdk_sandbox netstats_service:service_manager find;
+    memtrackproxy_service
-allow sdk_sandbox network_management_service:service_manager find;
+    midi_service
-allow sdk_sandbox notification_service:service_manager find;
+    netpolicy_service
-allow sdk_sandbox package_service:service_manager find;
+    netstats_service
-allow sdk_sandbox permission_checker_service:service_manager find;
+    network_management_service
-allow sdk_sandbox permission_service:service_manager find;
+    notification_service
-allow sdk_sandbox permissionmgr_service:service_manager find;
+    package_service
-allow sdk_sandbox platform_compat_service:service_manager find;
+    permission_checker_service
-allow sdk_sandbox power_service:service_manager find;
+    permission_service
-allow sdk_sandbox procstats_service:service_manager find;
+    permissionmgr_service
-allow sdk_sandbox registry_service:service_manager find;
+    platform_compat_service
-allow sdk_sandbox restrictions_service:service_manager find;
+    power_service
-allow sdk_sandbox rttmanager_service:service_manager find;
+    procstats_service
-allow sdk_sandbox search_service:service_manager find;
+    radio_service
-allow sdk_sandbox selection_toolbar_service:service_manager find;
+    registry_service
-allow sdk_sandbox sensor_privacy_service:service_manager find;
+    restrictions_service
-allow sdk_sandbox sensorservice_service:service_manager find;
+    rttmanager_service
-allow sdk_sandbox servicediscovery_service:service_manager find;
+    search_service
-allow sdk_sandbox settings_service:service_manager find;
+    selection_toolbar_service
-allow sdk_sandbox speech_recognition_service:service_manager find;
+    sensor_privacy_service
-allow sdk_sandbox statusbar_service:service_manager find;
+    sensorservice_service
-allow sdk_sandbox storagestats_service:service_manager find;
+    servicediscovery_service
-allow sdk_sandbox surfaceflinger_service:service_manager find;
+    settings_service
-allow sdk_sandbox telecom_service:service_manager find;
+    speech_recognition_service
-allow sdk_sandbox tethering_service:service_manager find;
+    statusbar_service
-allow sdk_sandbox textclassification_service:service_manager find;
+    storagestats_service
-allow sdk_sandbox textservices_service:service_manager find;
+    surfaceflinger_service
-allow sdk_sandbox texttospeech_service:service_manager find;
+    telecom_service
-allow sdk_sandbox thermal_service:service_manager find;
+    tethering_service
-allow sdk_sandbox translation_service:service_manager find;
+    textclassification_service
-allow sdk_sandbox tv_iapp_service:service_manager find;
+    textservices_service
-allow sdk_sandbox tv_input_service:service_manager find;
+    texttospeech_service
-allow sdk_sandbox uimode_service:service_manager find;
+    thermal_service
-allow sdk_sandbox vcn_management_service:service_manager find;
+    translation_service
-allow sdk_sandbox webviewupdate_service:service_manager find;
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
 
 allow sdk_sandbox system_linker_exec:file execute_no_trans;
 

private/sdk_sandbox.te

@@ -10,208 +10,86 @@ typeattribute sdk_sandbox coredomain;
 net_domain(sdk_sandbox)
 app_domain(sdk_sandbox)
 
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
-    property_type
-    # remove expected properties to reduce noise.
-    -servicemanager_prop
-    -hwservicemanager_prop
-    -use_memfd_prop
-    -binder_cache_system_server_prop
-    -graphics_config_prop
-    -persist_wm_debug_prop
-    -aaudio_config_prop
-    -adbd_config_prop
-    -apex_ready_prop
-    -apexd_select_prop
-    -arm64_memtag_prop
-    -audio_prop
-    -binder_cache_bluetooth_server_prop
-    -binder_cache_telephony_server_prop
-    -bluetooth_config_prop
-    -boot_status_prop
-    -bootloader_prop
-    -bq_config_prop
-    -build_odm_prop
-    -build_prop
-    -build_vendor_prop
-    -camera2_extensions_prop
-    -camera_calibration_prop
-    -camera_config_prop
-    -camerax_extensions_prop
-    -codec2_config_prop
-    -config_prop
-    -cppreopt_prop
-    -dalvik_config_prop_type
-    -dalvik_prop
-    -dalvik_runtime_prop
-    -dck_prop
-    -debug_prop
-    -debuggerd_prop
-    -default_prop
-    -device_config_memory_safety_native_boot_prop
-    -device_config_memory_safety_native_prop
-    -device_config_nnapi_native_prop
-    -device_config_runtime_native_boot_prop
-    -device_config_runtime_native_prop
-    -dhcp_prop
-    -dumpstate_prop
-    -exported3_system_prop
-    -exported_config_prop
-    -exported_default_prop
-    -exported_dumpstate_prop
-    -exported_pm_prop
-    -exported_system_prop
-    -ffs_config_prop
-    -fingerprint_prop
-    -framework_status_prop
-    -gwp_asan_prop
-    -hal_instrumentation_prop
-    -hdmi_config_prop
-    -heapprofd_prop
-    -hw_timeout_multiplier_prop
-    -init_service_status_private_prop
-    -init_service_status_prop
-    -libc_debug_prop
-    -lmkd_config_prop
-    -locale_prop
-    -localization_prop
-    -log_file_logger_prop
-    -log_prop
-    -log_tag_prop
-    -logd_prop
-    -media_config_prop
-    -media_variant_prop
-    -mediadrm_config_prop
-    -module_sdkextensions_prop
-    -net_radio_prop
-    -nfc_prop
-    -nnapi_ext_deny_product_prop
-    -ota_prop
-    -packagemanager_config_prop
-    -pan_result_prop
-    -permissive_mte_prop
-    -persist_debug_prop
-    -persist_sysui_builder_extras_prop
-    -pm_prop
-    -powerctl_prop
-    -property_service_version_prop
-    -radio_control_prop
-    -radio_prop
-    -restorecon_prop
-    -rollback_test_prop
-    -sendbug_config_prop
-    -setupwizard_prop
-    -shell_prop
-    -soc_prop
-    -socket_hook_prop
-    -sqlite_log_prop
-    -storagemanager_config_prop
-    -surfaceflinger_color_prop
-    -surfaceflinger_prop
-    -system_prop
-    -system_user_mode_emulation_prop
-    -systemsound_config_prop
-    -telephony_config_prop
-    -telephony_status_prop
-    -test_harness_prop
-    -timezone_prop
-    -usb_config_prop
-    -usb_control_prop
-    -usb_prop
-    -userdebug_or_eng_prop
-    -userspace_reboot_config_prop
-    -userspace_reboot_exported_prop
-    -userspace_reboot_log_prop
-    -userspace_reboot_test_prop
-    -vendor_socket_hook_prop
-    -vndk_prop
-    -vold_config_prop
-    -vold_prop
-    -vold_status_prop
-    -vts_config_prop
-    -vts_status_prop
-    -wifi_log_prop
-    -zygote_config_prop
-    -zygote_wrap_prop
-    -init_service_status_prop
-}:file { getattr open read map };
-
 # Allow finding services. This is different from ephemeral_app policy.
 # Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
+allow sdk_sandbox {
-allow sdk_sandbox activity_service:service_manager find;
+    activity_service
-allow sdk_sandbox activity_task_service:service_manager find;
+    activity_task_service
-allow sdk_sandbox appops_service:service_manager find;
+    appops_service
-allow sdk_sandbox audio_service:service_manager find;
+    audio_service
-allow sdk_sandbox audioserver_service:service_manager find;
+    audioserver_service
-allow sdk_sandbox batteryproperties_service:service_manager find;
+    batteryproperties_service
-allow sdk_sandbox batterystats_service:service_manager find;
+    batterystats_service
-allow sdk_sandbox connectivity_service:service_manager find;
+    cameraserver_service
-allow sdk_sandbox connmetrics_service:service_manager find;
+    connectivity_service
-allow sdk_sandbox deviceidle_service:service_manager find;
+    connmetrics_service
-allow sdk_sandbox display_service:service_manager find;
+    deviceidle_service
-allow sdk_sandbox dropbox_service:service_manager find;
+    display_service
-allow sdk_sandbox font_service:service_manager find;
+    dropbox_service
-allow sdk_sandbox game_service:service_manager find;
+    ephemeral_app_api_service
-allow sdk_sandbox gpu_service:service_manager find;
+    font_service
-allow sdk_sandbox graphicsstats_service:service_manager find;
+    game_service
-allow sdk_sandbox hardware_properties_service:service_manager find;
+    gpu_service
-allow sdk_sandbox hint_service:service_manager find;
+    graphicsstats_service
-allow sdk_sandbox imms_service:service_manager find;
+    hardware_properties_service
-allow sdk_sandbox input_method_service:service_manager find;
+    hint_service
-allow sdk_sandbox input_service:service_manager find;
+    imms_service
-allow sdk_sandbox IProxyService_service:service_manager find;
+    input_method_service
-allow sdk_sandbox ipsec_service:service_manager find;
+    input_service
-allow sdk_sandbox launcherapps_service:service_manager find;
+    IProxyService_service
-allow sdk_sandbox legacy_permission_service:service_manager find;
+    ipsec_service
-allow sdk_sandbox light_service:service_manager find;
+    launcherapps_service
-allow sdk_sandbox locale_service:service_manager find;
+    legacy_permission_service
-allow sdk_sandbox media_communication_service:service_manager find;
+    light_service
-allow sdk_sandbox mediaextractor_service:service_manager find;
+    locale_service
-allow sdk_sandbox mediametrics_service:service_manager find;
+    media_communication_service
-allow sdk_sandbox media_projection_service:service_manager find;
+    mediadrmserver_service
-allow sdk_sandbox media_router_service:service_manager find;
+    mediaextractor_service
-allow sdk_sandbox mediaserver_service:service_manager find;
+    mediametrics_service
-allow sdk_sandbox media_session_service:service_manager find;
+    media_projection_service
-allow sdk_sandbox memtrackproxy_service:service_manager find;
+    media_router_service
-allow sdk_sandbox midi_service:service_manager find;
+    mediaserver_service
-allow sdk_sandbox netpolicy_service:service_manager find;
+    media_session_service
-allow sdk_sandbox netstats_service:service_manager find;
+    memtrackproxy_service
-allow sdk_sandbox network_management_service:service_manager find;
+    midi_service
-allow sdk_sandbox notification_service:service_manager find;
+    netpolicy_service
-allow sdk_sandbox package_service:service_manager find;
+    netstats_service
-allow sdk_sandbox permission_checker_service:service_manager find;
+    network_management_service
-allow sdk_sandbox permission_service:service_manager find;
+    notification_service
-allow sdk_sandbox permissionmgr_service:service_manager find;
+    package_service
-allow sdk_sandbox platform_compat_service:service_manager find;
+    permission_checker_service
-allow sdk_sandbox power_service:service_manager find;
+    permission_service
-allow sdk_sandbox procstats_service:service_manager find;
+    permissionmgr_service
-allow sdk_sandbox registry_service:service_manager find;
+    platform_compat_service
-allow sdk_sandbox restrictions_service:service_manager find;
+    power_service
-allow sdk_sandbox rttmanager_service:service_manager find;
+    procstats_service
-allow sdk_sandbox search_service:service_manager find;
+    radio_service
-allow sdk_sandbox selection_toolbar_service:service_manager find;
+    registry_service
-allow sdk_sandbox sensor_privacy_service:service_manager find;
+    restrictions_service
-allow sdk_sandbox sensorservice_service:service_manager find;
+    rttmanager_service
-allow sdk_sandbox servicediscovery_service:service_manager find;
+    search_service
-allow sdk_sandbox settings_service:service_manager find;
+    selection_toolbar_service
-allow sdk_sandbox speech_recognition_service:service_manager find;
+    sensor_privacy_service
-allow sdk_sandbox statusbar_service:service_manager find;
+    sensorservice_service
-allow sdk_sandbox storagestats_service:service_manager find;
+    servicediscovery_service
-allow sdk_sandbox surfaceflinger_service:service_manager find;
+    settings_service
-allow sdk_sandbox telecom_service:service_manager find;
+    speech_recognition_service
-allow sdk_sandbox tethering_service:service_manager find;
+    statusbar_service
-allow sdk_sandbox textclassification_service:service_manager find;
+    storagestats_service
-allow sdk_sandbox textservices_service:service_manager find;
+    surfaceflinger_service
-allow sdk_sandbox texttospeech_service:service_manager find;
+    telecom_service
-allow sdk_sandbox thermal_service:service_manager find;
+    tethering_service
-allow sdk_sandbox translation_service:service_manager find;
+    textclassification_service
-allow sdk_sandbox tv_iapp_service:service_manager find;
+    textservices_service
-allow sdk_sandbox tv_input_service:service_manager find;
+    texttospeech_service
-allow sdk_sandbox uimode_service:service_manager find;
+    thermal_service
-allow sdk_sandbox vcn_management_service:service_manager find;
+    translation_service
-allow sdk_sandbox webviewupdate_service:service_manager find;
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
 
 allow sdk_sandbox system_linker_exec:file execute_no_trans;