Merge "Add services and allow app to write to sdk_sandbox" into tm-dev

prebuilts/api/33.0/private/sdk_sandbox.te

@@ -33,6 +33,7 @@ allow sdk_sandbox font_service:service_manager find;
 allow sdk_sandbox game_service:service_manager find;
 allow sdk_sandbox gpu_service:service_manager find;
 allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
 allow sdk_sandbox imms_service:service_manager find;
 allow sdk_sandbox input_method_service:service_manager find;
@@ -89,6 +90,8 @@ allow sdk_sandbox uimode_service:service_manager find;
 allow sdk_sandbox vcn_management_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;
 
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(sdk_sandbox)

prebuilts/api/33.0/private/untrusted_app.te

@@ -14,3 +14,10 @@ app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app sdk_sandbox_data_file:fd use;
+allow untrusted_app sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };

private/sdk_sandbox.te

@@ -33,6 +33,7 @@ allow sdk_sandbox font_service:service_manager find;
 allow sdk_sandbox game_service:service_manager find;
 allow sdk_sandbox gpu_service:service_manager find;
 allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
 allow sdk_sandbox imms_service:service_manager find;
 allow sdk_sandbox input_method_service:service_manager find;
@@ -89,6 +90,8 @@ allow sdk_sandbox uimode_service:service_manager find;
 allow sdk_sandbox vcn_management_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;
 
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(sdk_sandbox)

private/untrusted_app.te

@@ -14,3 +14,10 @@ app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app sdk_sandbox_data_file:fd use;
+allow untrusted_app sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };