diff --git a/prebuilts/api/34.0/private/app.te b/prebuilts/api/34.0/private/app.te
index 94f84af10..6914fd3ea 100644
--- a/prebuilts/api/34.0/private/app.te
+++ b/prebuilts/api/34.0/private/app.te
@@ -9,7 +9,7 @@ r_dir_file({
 -platform_app
 -priv_app
 -shell
- -sdk_sandbox
+ -sdk_sandbox_all
 -system_app
 -untrusted_app_all
 }, proc_net_type)
@@ -23,7 +23,7 @@ userdebug_or_eng(`
 -priv_app
 -shell
 -su
- -sdk_sandbox
+ -sdk_sandbox_all
 -system_app
 -untrusted_app_all
 } proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -76,7 +76,7 @@ dontaudit appdomain system_data_file:dir write;
 dontaudit appdomain vendor_default_prop:file read;
 # Access to /mnt/media_rw/ (limited by DAC to apps with external_storage gid)
-allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
 # allow apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
@@ -132,67 +132,67 @@ allow appdomain tombstone_data_file:file { getattr read }; neverallow appdomain tombstone_data_file:file ~{ getattr read }; # Execute the shell or other system executables. -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms; -not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;') +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms; +not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;') # Allow apps access to /vendor/app except for privileged # apps which cannot be in /vendor. -r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file) -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute; +r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file) +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute; # Perform binder IPC to sdk sandbox. 
-binder_call(appdomain, sdk_sandbox) +binder_call(appdomain, sdk_sandbox_all) # Allow access to external storage; we have several visible mount points under /storage # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms; # Read/write visible storage -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms; # This should be removed if sdcardfs is modified to alter the secontext for its # accesses to the underlying FS. 
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms; # Allow apps to use the USB Accessory interface. # http://developer.android.com/guide/topics/connectivity/usb/accessory.html # # USB devices are first opened by the system server (USBDeviceManagerService) # and the file descriptor is passed to the right Activity via binder. -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl }; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr }; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl }; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr }; #logd access -control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }) +control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }) # application inherit logd write socket (urge is to deprecate this long term) -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify }; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update }; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify }; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update 
}; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find; -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state; -use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }) +use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }) -use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }) +use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }) # For app fuse. -pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client) -pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager) -pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync) -pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client) +pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client) +pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager) +pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync) +pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client) # Apps do not directly open the IPC socket for bufferhubd. -pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client) +pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client) # Apps receive an open tun fd from the framework for # device traffic. 
Do not allow untrusted app to directly open tun_device -allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl }; -allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF; +allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl }; +allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF; # WebView and other application-specific JIT compilers @@ -218,11 +218,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr }; allow appdomain dalvikcache_data_file:file r_file_perms; # Read the /sdcard and /mnt/sdcard symlinks -allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms; -allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms; +allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms; +allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms; # Search /storage/emulated tmpfs mount. -allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms; +allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms; # Notify zygote of the wrapped process PID when using --invoke-with. allow appdomain zygote:fifo_file write; 
@@ -256,11 +256,14 @@ allow appdomain appdomain:fifo_file rw_file_perms; allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; # App sandbox file accesses. -allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms; -allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms; +allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms; +allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms; # Access via already open fds is ok even for mlstrustedsubject. -allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write }; +allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write }; + +# Access open fds from SDK sandbox +allow appdomain sdk_sandbox_data_file:file { getattr read }; # Traverse into expanded storage allow appdomain mnt_expand_file:dir r_dir_perms; @@ -406,7 +409,7 @@ allow appdomain system_data_file:lnk_file r_file_perms; allow appdomain system_data_file:file { getattr read map }; # Allow read/stat of /data/media files passed by Binder or local socket IPC. -allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr }; +allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr }; # Read and write /data/data/com.android.providers.telephony files passed over Binder. allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr }; @@ -498,7 +501,7 @@ neverallow { nfc radio shared_relro - sdk_sandbox + sdk_sandbox_all system_app } { data_file_type 
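Review bot: The new `allow appdomain sdk_sandbox_data_file:file { getattr read };` grants every app domain, including isolated_app_all and ephemeral_app, read access to SDK sandbox data files, while the rule two lines above for passed-in app_data_file fds deliberately excludes isolated_app_all. If isolated processes are not expected to receive these descriptors, narrow it to `allow { appdomain -isolated_app_all } sdk_sandbox_data_file:file { getattr read };`; mediaprovider_app, whose dedicated rule is removed in the mediaprovider_app.te hunk, stays covered either way. The comment says "Access open fds" but nothing in the rule limits access to already-open descriptors; that only holds as long as app domains other than the sandbox itself have no search permission on sdk_sandbox_data_file:dir, which this hunk does not show and which the comment should state, e.g. `# Read fds passed from the SDK sandbox. Apps get no dir search on sdk_sandbox_data_file, so path-based access stays denied.`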
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes index 991bac1d6..77143a3ca 100644 --- a/prebuilts/api/34.0/private/attributes +++ b/prebuilts/api/34.0/private/attributes @@ -10,3 +10,7 @@ attribute mlsvendorcompat; # property owner attributes must be exclusive. attribute system_and_vendor_property_type; expandattribute system_and_vendor_property_type false; + +# All SDK sandbox domains +attribute sdk_sandbox_all; + diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te index c08f04160..f98a285cb 100644 --- a/prebuilts/api/34.0/private/domain.te +++ b/prebuilts/api/34.0/private/domain.te @@ -758,7 +758,7 @@ neverallow { isolated_app_all ephemeral_app priv_app - sdk_sandbox + sdk_sandbox_all untrusted_app_all } system_app_data_file:dir_file_class_set { create unlink open }; diff --git a/prebuilts/api/34.0/private/isolated_app_all.te b/prebuilts/api/34.0/private/isolated_app_all.te index 200af1b7e..0617a5753 100644 --- a/prebuilts/api/34.0/private/isolated_app_all.te +++ b/prebuilts/api/34.0/private/isolated_app_all.te @@ -104,7 +104,7 @@ neverallow { isolated_app_all -isolated_compute_app } { # excluding unix_stream_socket and unix_dgram_socket. # Many of these are socket families which have never and will never # be compiled into the Android kernel. -neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{ +neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket diff --git a/prebuilts/api/34.0/private/mediaprovider_app.te b/prebuilts/api/34.0/private/mediaprovider_app.te index 1f84eca1f..7ad8febf3 100644 --- a/prebuilts/api/34.0/private/mediaprovider_app.te +++ b/prebuilts/api/34.0/private/mediaprovider_app.te 
@@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
 # Talk to regular app services
 allow mediaprovider_app app_api_service:service_manager find;
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
diff --git a/prebuilts/api/34.0/private/net.te b/prebuilts/api/34.0/private/net.te
index 07e4271f7..4adf84c6f 100644
--- a/prebuilts/api/34.0/private/net.te
+++ b/prebuilts/api/34.0/private/net.te
@@ -1,7 +1,7 @@
 # Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
 # b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
 # untrusted_apps.
@@ -13,7 +13,7 @@ allow {
 -ephemeral_app
 -mediaprovider
 -priv_app
- -sdk_sandbox
+ -sdk_sandbox_all
 -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index df79ab3da..3afb6616c 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -953,6 +953,8 @@ ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
 ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
 ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
+
 ro.product.system.brand u:object_r:build_prop:s0 exact string
 ro.product.system.device u:object_r:build_prop:s0 exact string
 ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te
new file mode 100644
index 000000000..d45da8888
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te
@@ -0,0 +1,91 @@ +### +### SDK Sandbox process. +### +### This file defines the security policy for the sdk sandbox processes +### for targetSdkVersion=34. +type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all; + +net_domain(sdk_sandbox_34) +app_domain(sdk_sandbox_34) + +# Allow finding services. This is different from ephemeral_app policy. +# Adding services manually to the allowlist is preferred hence app_api_service is not used. +allow sdk_sandbox_34 { + activity_service + activity_task_service + appops_service + audio_service + audioserver_service + batteryproperties_service + batterystats_service + cameraserver_service + connectivity_service + connmetrics_service + deviceidle_service + display_service + dropbox_service + ephemeral_app_api_service + font_service + game_service + gpu_service + graphicsstats_service + hardware_properties_service + hint_service + imms_service + input_method_service + input_service + IProxyService_service + ipsec_service + launcherapps_service + legacy_permission_service + light_service + locale_service + media_communication_service + mediadrmserver_service + mediaextractor_service + mediametrics_service + media_projection_service + media_router_service + mediaserver_service + media_session_service + memtrackproxy_service + midi_service + netpolicy_service + netstats_service + network_management_service + notification_service + package_service + permission_checker_service + permission_service + permissionmgr_service + platform_compat_service + power_service + procstats_service + radio_service + registry_service + restrictions_service + rttmanager_service + search_service + selection_toolbar_service + sensor_privacy_service + sensorservice_service + servicediscovery_service + settings_service + speech_recognition_service + statusbar_service + storagestats_service + surfaceflinger_service + telecom_service + tethering_service + textclassification_service + textservices_service + texttospeech_service + thermal_service + 
translation_service + tv_iapp_service + tv_input_service + uimode_service + vcn_management_service + webviewupdate_service +}:service_manager find; + diff --git a/prebuilts/api/34.0/private/sdk_sandbox_all.te b/prebuilts/api/34.0/private/sdk_sandbox_all.te new file mode 100644 index 000000000..6e7ba5025 --- /dev/null +++ b/prebuilts/api/34.0/private/sdk_sandbox_all.te 
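Review bot: The comment above the allow block says services are added to the allowlist manually instead of granting app_api_service, yet the list contains ephemeral_app_api_service, which in AOSP policy is an attribute rather than a single service, so any service later tagged with that attribute becomes findable from sdk_sandbox_34 without a change to this file. If that is intended, the comment should say so, e.g. `# ephemeral_app_api_service is an attribute: services tagged with it are reachable as a group.`; otherwise replace it with the individual services it is meant to cover. The hunk is the whole new file, so the allow block is complete as shown.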
@@ -0,0 +1,125 @@ +### +### sdk_sandbox_all +### +### This file defines the rules shared by all sdk_sandbox_all domains. +### Apps are labeled based on mac_permissions.xml (maps signer and +### optionally package name to seinfo value) and seapp_contexts (maps UID +### and optionally seinfo value to domain for process and type for data +### directory). The sdk_sandbox_all_all attribute is assigned to all default +### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000) +### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo +### value as determined from mac_permissions.xml. + +allow sdk_sandbox_all system_linker_exec:file execute_no_trans; + +# Required to read CTS tests data from the shell_data_file location. +allow sdk_sandbox_all shell_data_file:file r_file_perms; +allow sdk_sandbox_all shell_data_file:dir r_dir_perms; + +# allow sdk sandbox to use UDP sockets provided by the system server but not +# modify them other than to connect +allow sdk_sandbox_all system_server:udp_socket { + connect getattr read recvfrom sendto write getopt setopt }; + +# allow sandbox to search in sdk system server directory +# additionally, for webview to work, getattr has been permitted +allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search }; +# allow sandbox to create files and dirs in sdk data directory +allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms; +allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms; + +# allow apps to pass open fds to the sdk sandbox +allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read }; + +### +### neverallow rules +### + +neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans }; + +# Receive or send uevent messages. 
+neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *; + +# Receive or send generic netlink messages +neverallow sdk_sandbox_all domain:netlink_socket *; + +# Too much leaky information in debugfs. It's a security +# best practice to ensure these files aren't readable. +neverallow sdk_sandbox_all debugfs:file read; + +# execute gpu_device +neverallow sdk_sandbox_all gpu_device:chr_file execute; + +# access files in /sys with the default sysfs label +neverallow sdk_sandbox_all sysfs:file *; + +# Avoid reads from generically labeled /proc files +# Create a more specific label if needed +neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms }; + +# Directly access external storage +neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create}; +neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search; + +# Avoid reads to proc_net, it contains too much device wide information about +# ongoing connections. +neverallow sdk_sandbox_all proc_net:file no_rw_file_perms; + +# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file +neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms; +neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read }; + +# SDK sandbox processes don't have any access to external storage +neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms; +neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms; + +neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms; + +neverallow sdk_sandbox_all hal_drm_service:service_manager find; + +# Only certain system components should have access to sdk_sandbox_system_data_file +# sdk_sandbox only needs search. Restricted in follow up neverallow rule. 
+neverallow { + domain + -init + -installd + -system_server + -vold_prepare_subdirs +} sdk_sandbox_system_data_file:dir { relabelfrom }; + +neverallow { + domain + -init + -installd + -sdk_sandbox_all + -system_server + -vold_prepare_subdirs + -zygote +} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; + +# Only certain system components should have access to sdk_sandbox_all_system_data_file +# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule. +neverallow { + domain + -init + -installd + -system_server + -vold_prepare_subdirs +} sdk_sandbox_system_data_file:dir { relabelfrom }; + +neverallow { + domain + -init + -installd + -sdk_sandbox_all + -system_server + -vold_prepare_subdirs + -zygote +} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; + +# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file +neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search }; + +# Only dirs should be created at sdk_sandbox_all_system_data_file level +neverallow { domain -init } sdk_sandbox_system_data_file:file *; + diff --git a/prebuilts/api/34.0/private/sdk_sandbox_next.te b/prebuilts/api/34.0/private/sdk_sandbox_next.te index 6fd16ca4c..87884a9fb 100644 --- a/prebuilts/api/34.0/private/sdk_sandbox_next.te +++ b/prebuilts/api/34.0/private/sdk_sandbox_next.te @@ -2,9 +2,7 @@ ### SDK Sandbox process. ### ### This file defines the security policy for the sdk sandbox processes -### for a test set of restrictions. These restrictions will be adapted -### with modifications, into the set of restrictions for the next SDK -### level. +### for targetSdkVersion=34. type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all; net_domain(sdk_sandbox_next) diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts index a0418aa47..4454bd73f 100644 --- a/prebuilts/api/34.0/private/seapp_contexts +++ b/prebuilts/api/34.0/private/seapp_contexts 
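Review bot: The two `neverallow { domain -init -installd -system_server -vold_prepare_subdirs } sdk_sandbox_system_data_file:dir { relabelfrom };` blocks and the two `{ create_dir_perms relabelto }` blocks at the end of the file are exact duplicates of each other; the second pair, under the comment that mentions sdk_sandbox_all_system_data_file, should be dropped. Several comments read like a mechanical sdk_sandbox to sdk_sandbox_all replacement: `The sdk_sandbox_all_all attribute is assigned` and `sdk_sandbox_all_system_data_file` name things that do not exist here (the type used in the rules is sdk_sandbox_system_data_file), and "rules shared by all sdk_sandbox_all domains" should read `rules shared by all sdk_sandbox domains`. The header's second paragraph describes mac_permissions.xml/seapp_contexts labeling for apps in general, which cannot be checked against this hunk; if it was copied from app.te it should be trimmed to what applies to the sandbox UID range.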
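Review bot: The rewritten header now says `### for targetSdkVersion=34.`, the same wording the new sdk_sandbox_34.te carries, so the comments no longer explain how sdk_sandbox_next differs from sdk_sandbox_34. If sdk_sandbox_next is meant to hold the restrictions for the SDK level after 34, say so, e.g. `### for the SDK level after 34; rules here are expected to move into the next sdk_sandbox_<N>.te.`; if the two domains are intentionally identical at the moment, note that they are kept in sync and why both exist.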
@@ -153,8 +153,8 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 isSystemServer=true domain=system_server_startup
-# sdksandbox must run in the sdksandbox domain
-neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+# sdksandbox must run in an sdksandbox domain
+neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts
index 5ceaa78c3..3bb9c8502 100644
--- a/prebuilts/api/34.0/private/service_contexts
+++ b/prebuilts/api/34.0/private/service_contexts
@@ -382,6 +382,7 @@ statusbar u:object_r:statusbar_service:s0
 storaged u:object_r:storaged_service:s0
 storaged_pri u:object_r:storaged_service:s0
 storagestats u:object_r:storagestats_service:s0
+# sdk_sandbox here refers to the service name, not the domain name.
 sdk_sandbox u:object_r:sdk_sandbox_service:s0
 SurfaceFlinger u:object_r:surfaceflinger_service:s0
 SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
diff --git a/prebuilts/api/34.0/private/technical_debt.cil b/prebuilts/api/34.0/private/technical_debt.cil
index 485ce53b6..4286053ca 100644
--- a/prebuilts/api/34.0/private/technical_debt.cil
+++ b/prebuilts/api/34.0/private/technical_debt.cil
@@ -22,7 +22,7 @@
 ; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
diff --git a/prebuilts/api/34.0/public/modprobe.te b/prebuilts/api/34.0/public/modprobe.te
index 2c7d64b0b..910aebd01 100644
--- a/prebuilts/api/34.0/public/modprobe.te
+++ b/prebuilts/api/34.0/public/modprobe.te
@@ -4,6 +4,9 @@ allow modprobe proc_modules:file r_file_perms;
 allow modprobe proc_cmdline:file r_file_perms;
 allow modprobe self:global_capability_class_set sys_module;
 allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
 recovery_only(`
 allow modprobe rootfs:system module_load;
 allow modprobe rootfs:file r_file_perms;
diff --git a/prebuilts/api/34.0/public/ueventd.te b/prebuilts/api/34.0/public/ueventd.te
index 4e3c7c205..094594b2c 100644
--- a/prebuilts/api/34.0/public/ueventd.te
+++ b/prebuilts/api/34.0/public/ueventd.te
@@ -65,6 +65,10 @@ use_bootstrap_libs(ueventd)
 # Allow ueventd to run shell scripts from vendor
 allow ueventd vendor_shell_exec:file execute;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
 #####
 ##### neverallow rules
 #####
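Review bot: `allow ueventd self:capability sys_admin;` grants CAP_SYS_ADMIN, which covers far more than the device-mapper lookup the comment describes, and the comment does not record why a broad capability is unavoidable; it should, e.g. `# dm-ioctl requires CAP_SYS_ADMIN in the kernel; there is no narrower capability for this query.` Likewise `rw_file_perms` on dm_device includes an unbounded ioctl permission, so an `allowxperm ueventd dm_device:chr_file ioctl { DM_DEV_STATUS };` (substituting whichever dm ioctls the name/uuid lookup actually issues) would pin the ioctl surface to what the comment claims. If ueventd never writes to the control node, `r_file_perms` plus the ioctl grant may be enough; that cannot be decided from this hunk.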