Introduce sdk_sandbox_audit SELinux domain
Bug: 295861450
Test: atest CtsSdkSandboxInprocessTests and adb shell ps -Z
Change-Id: I9c5873181c925c6b8ebb411328d30aa519053acf
This commit is contained in:
parent
012b954125
commit
4db0e27a50
6 changed files with 137 additions and 84 deletions
|
@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;
|
||||||
|
|
||||||
# All SDK sandbox domains
|
# All SDK sandbox domains
|
||||||
attribute sdk_sandbox_all;
|
attribute sdk_sandbox_all;
|
||||||
|
# The SDK sandbox domains for the current SDK level.
|
||||||
|
attribute sdk_sandbox_current;
|
||||||
|
|
|
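Review bot: The new comment for `attribute sdk_sandbox_current;` says which SDK level it stands for but not which domains carry it, and that is what a policy author needs to know before keying an allow rule on the attribute. In this commit it is attached to `sdk_sandbox_34` and the new `sdk_sandbox_audit` type, while sdk_sandbox_next is not among the changed files, so it appears deliberately left out. Suggest extending the comment to `# Domains carrying this attribute (sdk_sandbox_34 and sdk_sandbox_audit) share the rules in private/sdk_sandbox_current.te; sdk_sandbox_next does not.`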
@ -3,89 +3,7 @@
|
||||||
###
|
###
|
||||||
### This file defines the security policy for the sdk sandbox processes
|
### This file defines the security policy for the sdk sandbox processes
|
||||||
### for targetSdkVersion=34.
|
### for targetSdkVersion=34.
|
||||||
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
|
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
|
||||||
|
|
||||||
net_domain(sdk_sandbox_34)
|
net_domain(sdk_sandbox_34)
|
||||||
app_domain(sdk_sandbox_34)
|
app_domain(sdk_sandbox_34)
|
||||||
|
|
||||||
# Allow finding services. This is different from ephemeral_app policy.
|
|
||||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
|
||||||
allow sdk_sandbox_34 {
|
|
||||||
activity_service
|
|
||||||
activity_task_service
|
|
||||||
appops_service
|
|
||||||
audio_service
|
|
||||||
audioserver_service
|
|
||||||
batteryproperties_service
|
|
||||||
batterystats_service
|
|
||||||
cameraserver_service
|
|
||||||
connectivity_service
|
|
||||||
connmetrics_service
|
|
||||||
deviceidle_service
|
|
||||||
display_service
|
|
||||||
dropbox_service
|
|
||||||
ephemeral_app_api_service
|
|
||||||
font_service
|
|
||||||
game_service
|
|
||||||
gpu_service
|
|
||||||
graphicsstats_service
|
|
||||||
hardware_properties_service
|
|
||||||
hint_service
|
|
||||||
imms_service
|
|
||||||
input_method_service
|
|
||||||
input_service
|
|
||||||
IProxyService_service
|
|
||||||
ipsec_service
|
|
||||||
launcherapps_service
|
|
||||||
legacy_permission_service
|
|
||||||
light_service
|
|
||||||
locale_service
|
|
||||||
media_communication_service
|
|
||||||
mediadrmserver_service
|
|
||||||
mediaextractor_service
|
|
||||||
mediametrics_service
|
|
||||||
media_projection_service
|
|
||||||
media_router_service
|
|
||||||
mediaserver_service
|
|
||||||
media_session_service
|
|
||||||
memtrackproxy_service
|
|
||||||
midi_service
|
|
||||||
netpolicy_service
|
|
||||||
netstats_service
|
|
||||||
network_management_service
|
|
||||||
notification_service
|
|
||||||
package_service
|
|
||||||
permission_checker_service
|
|
||||||
permission_service
|
|
||||||
permissionmgr_service
|
|
||||||
platform_compat_service
|
|
||||||
power_service
|
|
||||||
procstats_service
|
|
||||||
radio_service
|
|
||||||
registry_service
|
|
||||||
restrictions_service
|
|
||||||
rttmanager_service
|
|
||||||
search_service
|
|
||||||
selection_toolbar_service
|
|
||||||
sensor_privacy_service
|
|
||||||
sensorservice_service
|
|
||||||
servicediscovery_service
|
|
||||||
settings_service
|
|
||||||
speech_recognition_service
|
|
||||||
statusbar_service
|
|
||||||
storagestats_service
|
|
||||||
surfaceflinger_service
|
|
||||||
telecom_service
|
|
||||||
tethering_service
|
|
||||||
textclassification_service
|
|
||||||
textservices_service
|
|
||||||
texttospeech_service
|
|
||||||
thermal_service
|
|
||||||
translation_service
|
|
||||||
tv_iapp_service
|
|
||||||
tv_input_service
|
|
||||||
uimode_service
|
|
||||||
vcn_management_service
|
|
||||||
webviewupdate_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
|
|
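Review bot: The header comment still presents this file as the place where the sdk_sandbox_34 policy is defined, but after the change only the `type` line and the `net_domain`/`app_domain` macros remain and the whole service allow list now reaches the domain through the `sdk_sandbox_current` attribute. Someone auditing what sdk_sandbox_34 may do will stop here and miss those rules. Suggest adding after the header `### Most of this domain's rules come from the sdk_sandbox_current attribute; see private/sdk_sandbox_current.te.`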
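--- a/private/sdk_sandbox_audit.te
+++ b/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+cameraserver_service
+ephemeral_app_api_service
+mediadrmserver_service
+radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+property_type
+-system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+property_type
+-system_property_type
+}:dir rw_dir_perms;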
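Review bot: The two `auditallow sdk_sandbox_audit { property_type -system_property_type }` rules at the end of the file carry no comment, unlike the service_manager block above them, so it is not clear which currently-granted property access they are meant to surface or why system properties are carved out. Since auditallow only logs accesses that some allow rule already grants, a rule whose permissions the domain never actually holds stays silent and gives a false impression of coverage, so it is worth confirming that sdk_sandbox_audit really does get rw_file_perms/rw_dir_perms on those property types via sdk_sandbox_current or app_domain. Suggest a one-line comment above each property rule naming the access being measured and the reason for the `-system_property_type` exclusion. The four audited services are a hand-copied subset of the allow list in sdk_sandbox_current.te; a note such as `# Keep in sync with the service_manager find rule in sdk_sandbox_current.te.` would help the next editor.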
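--- a/private/sdk_sandbox_current.te
+++ b/private/sdk_sandbox_current.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+activity_service
+activity_task_service
+appops_service
+audio_service
+audioserver_service
+batteryproperties_service
+batterystats_service
+cameraserver_service
+connectivity_service
+connmetrics_service
+deviceidle_service
+display_service
+dropbox_service
+ephemeral_app_api_service
+font_service
+game_service
+gpu_service
+graphicsstats_service
+hardware_properties_service
+hint_service
+imms_service
+input_method_service
+input_service
+IProxyService_service
+ipsec_service
+launcherapps_service
+legacy_permission_service
+light_service
+locale_service
+media_communication_service
+mediadrmserver_service
+mediaextractor_service
+mediametrics_service
+media_projection_service
+media_router_service
+mediaserver_service
+media_session_service
+memtrackproxy_service
+midi_service
+netpolicy_service
+netstats_service
+network_management_service
+notification_service
+package_service
+permission_checker_service
+permission_service
+permissionmgr_service
+platform_compat_service
+power_service
+procstats_service
+radio_service
+registry_service
+restrictions_service
+rttmanager_service
+search_service
+selection_toolbar_service
+sensor_privacy_service
+sensorservice_service
+servicediscovery_service
+settings_service
+speech_recognition_service
+statusbar_service
+storagestats_service
+surfaceflinger_service
+telecom_service
+tethering_service
+textclassification_service
+textservices_service
+texttospeech_service
+thermal_service
+translation_service
+tv_iapp_service
+tv_input_service
+uimode_service
+vcn_management_service
+webviewupdate_service
+}:service_manager find;
+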
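Review bot: The header comment describes this file as the policy "for the current SDK level", but the rules are written against the `sdk_sandbox_current` attribute, so every domain declared with it — sdk_sandbox_34 and the new sdk_sandbox_audit in this commit — receives the whole allow list, and any service added here later widens both at once. That fan-out is the security-relevant property of the file and deserves a sentence in the header, e.g. `### Rules here are keyed on the sdk_sandbox_current attribute and apply to every domain declared with it.` The service list appears to be a verbatim move of the one removed from sdk_sandbox_34.te, so no new access seems to be granted by this file, but that equivalence is what a reviewer has to verify by hand and is worth stating in the commit description.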
|
@ -13,6 +13,7 @@
|
||||||
# fromRunAs (boolean)
|
# fromRunAs (boolean)
|
||||||
# isIsolatedComputeApp (boolean)
|
# isIsolatedComputeApp (boolean)
|
||||||
# isSdkSandboxNext (boolean)
|
# isSdkSandboxNext (boolean)
|
||||||
|
# isSdkSandboxAudit (boolean)
|
||||||
#
|
#
|
||||||
# All specified input selectors in an entry must match (i.e. logical AND).
|
# All specified input selectors in an entry must match (i.e. logical AND).
|
||||||
# An unspecified string or boolean selector with no default will match any
|
# An unspecified string or boolean selector with no default will match any
|
||||||
|
@ -49,10 +50,20 @@
|
||||||
# to provide isolated processes with relaxed security restrictions.
|
# to provide isolated processes with relaxed security restrictions.
|
||||||
# An unspecified isIsolatedComputeApp defaults to false.
|
# An unspecified isIsolatedComputeApp defaults to false.
|
||||||
#
|
#
|
||||||
|
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
|
||||||
|
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
|
||||||
|
# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
|
||||||
|
# as the current dessert release, with additional auditing rules for the accesses
|
||||||
|
# we are considering forbidding in the upcoming release.
|
||||||
|
#
|
||||||
# isSdkSandboxNext=true means sdk sandbox processes will get
|
# isSdkSandboxNext=true means sdk sandbox processes will get
|
||||||
# sdk_sandbox_next sepolicy applied to them.
|
# sdk_sandbox_next sepolicy applied to them.
|
||||||
# An unspecified isSdkSandboxNext defaults to false.
|
# An unspecified isSdkSandboxNext defaults to false.
|
||||||
#
|
#
|
||||||
|
# isSdkSandboxAudit=true means sdk sandbox processes will get
|
||||||
|
# sdk_sandbox_audit sepolicy applied to them.
|
||||||
|
# An unspecified isSdkSandboxAudit defaults to false.
|
||||||
|
#
|
||||||
# Precedence: entries are compared using the following rules, in the order shown
|
# Precedence: entries are compared using the following rules, in the order shown
|
||||||
# (see external/selinux/libselinux/src/android/android_platform.c,
|
# (see external/selinux/libselinux/src/android/android_platform.c,
|
||||||
# seapp_context_cmp()).
|
# seapp_context_cmp()).
|
||||||
|
@ -174,6 +185,7 @@ user=_isolated domain=isolated_app levelFrom=user
|
||||||
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
|
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
|
||||||
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
|
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
|
||||||
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
|
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
|
||||||
|
user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
|
||||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
||||||
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
||||||
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
||||||
|
|
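Review bot: The added documentation for `isSdkSandboxAudit` does not say how it interacts with `isSdkSandboxNext` when a process sets both, and the new entry `user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all` is otherwise identical in shape to the sdk_sandbox_next entry above it. Which domain wins then depends on the precedence rules in seapp_context_cmp(), which the reader cannot evaluate from this file, and the two domains differ in restrictions (audit keeps the current rules, next applies the proposed ones), so a silent pick of the unintended one would only surface in denial logs. Suggest adding to the new comment block `# isSdkSandboxNext and isSdkSandboxAudit are mutually exclusive; a process must not set both.` if that is the contract, or otherwise one sentence stating which selector takes precedence.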
|
@ -228,6 +228,7 @@ key_map rules[] = {
|
||||||
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
|
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
|
||||||
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
|
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
|
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
|
{ .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
|
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
|
||||||
/*Outputs*/
|
/*Outputs*/
|
||||||
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
|
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
|
||||||
|
|
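Review bot: The new `rules[]` entry only checks that `isSdkSandboxAudit` is a well-formed boolean; if check_seapp.c enforces cross-key constraints for `isSdkSandboxNext` elsewhere in the file (for instance that the selector is only used with `user=_sdksandbox`), the same constraints should be extended to the new key, since the selector routes processes into a domain with relaxed auditing semantics. That part of the checker is outside this hunk and the `key_map rules[]` array itself starts above it, so I cannot confirm from here whether such a rule exists. Independently of the checker, the runtime parser in external/selinux (android_platform.c, referenced from the seapp_contexts comment) has to accept the key too; the `ps -Z` test in the description suggests that landed, but a pointer to that change would help reviewers.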