Add canary restrictions for sdk_sandbox
Apply sdk_sandbox_next if a new input selector, isSdkSandboxNext, is true. This is set to true by libselinux if a flag is set in the seInfo passed to it. This enables some testers to test out the set of restrictions we're planning for the next SDK version. sdk_sandbox_next is not the final set of restrictions of the next SDK version. Bug: b/270148964 Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest SdkSandboxRestrictionsTest Change-Id: Idbc3ab39a2d9ef6e1feaf8c212d81a1c79b0f787
This commit is contained in:
parent
50ad933ebd
commit
49075f9cab
2 changed files with 7 additions and 1 deletions
@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@ -165,7 +170,7 @@ user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox minTargetSdkVersion=10000 domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
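Review bot: The new selector comment at `# isSdkSandboxNext=true means sdk sandbox processes will get` names the domain that gets applied but says nothing about where the flag comes from or that it is a pre-release canary, whereas the neighbouring isIsolatedComputeApp note explicitly warns when that selector is appropriate. Since this selector moves a sandbox process out of sdk_sandbox_34 into a policy the commit message itself calls not final, I would extend the comment to read: `# This is a canary selector for testing the next SDK's restrictions; the flag is derived by libselinux from the seInfo the system supplies and must never be settable from app-controlled input.` — the seInfo origin is taken from the commit message, so confirm it against the libselinux change. The precedence entry `(10) isSdkSandboxNext=true before isSdkSandboxNext=false` also lacks the trailing period that (8) carries; trivial, but the list now has three styles.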
@ -214,6 +214,7 @@ key_map rules[] = {
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },