Merge "Restrict sandbox access to drmservice" am: 11b691844f am: dabf511c2e

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2038304 Change-Id: I1fd9c39ae89432b3267d2fb4296078f8bdd9e4ea Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-03-25 08:42:08 +00:00 · 2022-03-25 08:42:08 +00:00 · 6af1a00c41
commit 6af1a00c41
parent 15edd98f16 dabf511c2e
2 changed files with 4 additions and 2 deletions
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@ -85,3 +85,5 @@ neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
 neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;

 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@ -20,9 +20,9 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))

-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))

 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language: