Prebuilt updates

Bug: 308058980
Test: m selinux_policy
Change-Id: I23b2265340002b4b9f8d15ad0a8e8324aa0f94e1

prebuilts/api/34.0/private/attributes

@@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;
 
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;

prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil

@@ -82,4 +82,5 @@
     hal_can_controller_service
     zoned_block_device
     future_pm_prop
+    vfio_device
   ))

prebuilts/api/34.0/private/property_contexts

@@ -1423,9 +1423,6 @@ remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
 # Hostname for the remote provisioning server a device should communicate with
 remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
 
-# Indicates the system should use rkpd instead of RemoteProvisioner
-remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
-
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 

prebuilts/api/34.0/private/sdk_sandbox_34.te

@@ -3,89 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
 
 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
-    activity_service
-    activity_task_service
-    appops_service
-    audio_service
-    audioserver_service
-    batteryproperties_service
-    batterystats_service
-    cameraserver_service
-    connectivity_service
-    connmetrics_service
-    deviceidle_service
-    display_service
-    dropbox_service
-    ephemeral_app_api_service
-    font_service
-    game_service
-    gpu_service
-    graphicsstats_service
-    hardware_properties_service
-    hint_service
-    imms_service
-    input_method_service
-    input_service
-    IProxyService_service
-    ipsec_service
-    launcherapps_service
-    legacy_permission_service
-    light_service
-    locale_service
-    media_communication_service
-    mediadrmserver_service
-    mediaextractor_service
-    mediametrics_service
-    media_projection_service
-    media_router_service
-    mediaserver_service
-    media_session_service
-    memtrackproxy_service
-    midi_service
-    netpolicy_service
-    netstats_service
-    network_management_service
-    notification_service
-    package_service
-    permission_checker_service
-    permission_service
-    permissionmgr_service
-    platform_compat_service
-    power_service
-    procstats_service
-    radio_service
-    registry_service
-    restrictions_service
-    rttmanager_service
-    search_service
-    selection_toolbar_service
-    sensor_privacy_service
-    sensorservice_service
-    servicediscovery_service
-    settings_service
-    speech_recognition_service
-    statusbar_service
-    storagestats_service
-    surfaceflinger_service
-    telecom_service
-    tethering_service
-    textclassification_service
-    textservices_service
-    texttospeech_service
-    thermal_service
-    translation_service
-    tv_iapp_service
-    tv_input_service
-    uimode_service
-    vcn_management_service
-    webviewupdate_service
-}:service_manager find;
-

prebuilts/api/34.0/private/sdk_sandbox_audit.te

@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+    cameraserver_service
+    ephemeral_app_api_service
+    mediadrmserver_service
+    radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:dir rw_dir_perms;

prebuilts/api/34.0/private/sdk_sandbox_current.te

@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    cameraserver_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    ephemeral_app_api_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediadrmserver_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    radio_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+

prebuilts/api/34.0/private/seapp_contexts

@@ -13,6 +13,7 @@
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
 #       isSdkSandboxNext (boolean)
+#       isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -48,9 +49,19 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -171,6 +182,7 @@ user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user

private/compat/33.0/33.0.ignore.cil

@@ -82,4 +82,5 @@
     hal_can_controller_service
     zoned_block_device
     future_pm_prop
+    vfio_device
   ))