Merge "Sync 34.0 prebuilts with udc-d1-dev" into udc-d1-dev-plus-aosp
This commit is contained in:
commit
a055c09d45
15 changed files with 284 additions and 56 deletions
|
@ -9,7 +9,7 @@ r_dir_file({
|
|||
-platform_app
|
||||
-priv_app
|
||||
-shell
|
||||
-sdk_sandbox
|
||||
-sdk_sandbox_all
|
||||
-system_app
|
||||
-untrusted_app_all
|
||||
}, proc_net_type)
|
||||
|
@ -23,7 +23,7 @@ userdebug_or_eng(`
|
|||
-priv_app
|
||||
-shell
|
||||
-su
|
||||
-sdk_sandbox
|
||||
-sdk_sandbox_all
|
||||
-system_app
|
||||
-untrusted_app_all
|
||||
} proc_net_type:{ dir file lnk_file } { getattr open read };
|
||||
|
@ -76,7 +76,7 @@ dontaudit appdomain system_data_file:dir write;
|
|||
dontaudit appdomain vendor_default_prop:file read;
|
||||
|
||||
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
|
||||
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
|
||||
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
|
||||
|
||||
# allow apps to use UDP sockets provided by the system server but not
|
||||
# modify them other than to connect
|
||||
|
@ -132,67 +132,67 @@ allow appdomain tombstone_data_file:file { getattr read };
|
|||
neverallow appdomain tombstone_data_file:file ~{ getattr read };
|
||||
|
||||
# Execute the shell or other system executables.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
|
||||
|
||||
# Allow apps access to /vendor/app except for privileged
|
||||
# apps which cannot be in /vendor.
|
||||
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
|
||||
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
|
||||
|
||||
# Perform binder IPC to sdk sandbox.
|
||||
binder_call(appdomain, sdk_sandbox)
|
||||
binder_call(appdomain, sdk_sandbox_all)
|
||||
|
||||
# Allow access to external storage; we have several visible mount points under /storage
|
||||
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
|
||||
|
||||
# Read/write visible storage
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
|
||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||
# accesses to the underlying FS.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Allow apps to use the USB Accessory interface.
|
||||
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
|
||||
#
|
||||
# USB devices are first opened by the system server (USBDeviceManagerService)
|
||||
# and the file descriptor is passed to the right Activity via binder.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
|
||||
|
||||
#logd access
|
||||
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
# application inherit logd write socket (urge is to deprecate this long term)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
|
||||
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
|
||||
|
||||
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
# For app fuse.
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
|
||||
# Apps do not directly open the IPC socket for bufferhubd.
|
||||
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
|
||||
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
|
||||
|
||||
# Apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
|
||||
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
|
||||
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
|
||||
|
||||
|
||||
# WebView and other application-specific JIT compilers
|
||||
|
@ -218,11 +218,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr };
|
|||
allow appdomain dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Read the /sdcard and /mnt/sdcard symlinks
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
|
||||
|
||||
# Search /storage/emulated tmpfs mount.
|
||||
allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
|
||||
allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
|
||||
|
||||
# Notify zygote of the wrapped process PID when using --invoke-with.
|
||||
allow appdomain zygote:fifo_file write;
|
||||
|
@ -256,11 +256,14 @@ allow appdomain appdomain:fifo_file rw_file_perms;
|
|||
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
|
||||
|
||||
# Access via already open fds is ok even for mlstrustedsubject.
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
|
||||
|
||||
# Access open fds from SDK sandbox
|
||||
allow appdomain sdk_sandbox_data_file:file { getattr read };
|
||||
|
||||
# Traverse into expanded storage
|
||||
allow appdomain mnt_expand_file:dir r_dir_perms;
|
||||
|
@ -406,7 +409,7 @@ allow appdomain system_data_file:lnk_file r_file_perms;
|
|||
allow appdomain system_data_file:file { getattr read map };
|
||||
|
||||
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
|
||||
|
||||
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
|
||||
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
|
||||
|
@ -498,7 +501,7 @@ neverallow {
|
|||
nfc
|
||||
radio
|
||||
shared_relro
|
||||
sdk_sandbox
|
||||
sdk_sandbox_all
|
||||
system_app
|
||||
} {
|
||||
data_file_type
|
||||
|
|
|
@ -10,3 +10,7 @@ attribute mlsvendorcompat;
|
|||
# property owner attributes must be exclusive.
|
||||
attribute system_and_vendor_property_type;
|
||||
expandattribute system_and_vendor_property_type false;
|
||||
|
||||
# All SDK sandbox domains
|
||||
attribute sdk_sandbox_all;
|
||||
|
||||
|
|
|
@ -758,7 +758,7 @@ neverallow {
|
|||
isolated_app_all
|
||||
ephemeral_app
|
||||
priv_app
|
||||
sdk_sandbox
|
||||
sdk_sandbox_all
|
||||
untrusted_app_all
|
||||
} system_app_data_file:dir_file_class_set { create unlink open };
|
||||
|
||||
|
|
|
@ -104,7 +104,7 @@ neverallow { isolated_app_all -isolated_compute_app } {
|
|||
# excluding unix_stream_socket and unix_dgram_socket.
|
||||
# Many of these are socket families which have never and will never
|
||||
# be compiled into the Android kernel.
|
||||
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
|
||||
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
|
||||
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
|
||||
key_socket appletalk_socket netlink_route_socket
|
||||
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
|
||||
|
|
|
@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
|
|||
# Talk to regular app services
|
||||
allow mediaprovider_app app_api_service:service_manager find;
|
||||
|
||||
# Read SDK sandbox data files
|
||||
allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
|
||||
|
||||
# Talk to the GPU service
|
||||
binder_call(mediaprovider_app, gpuservice)
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Bind to ports.
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
|
||||
|
||||
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
|
||||
# untrusted_apps.
|
||||
|
@ -13,7 +13,7 @@ allow {
|
|||
-ephemeral_app
|
||||
-mediaprovider
|
||||
-priv_app
|
||||
-sdk_sandbox
|
||||
-sdk_sandbox_all
|
||||
-untrusted_app_all
|
||||
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
|
||||
|
||||
|
|
|
@ -953,6 +953,8 @@ ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
|
|||
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
|
||||
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
|
||||
|
||||
ro.product.cpu.pagesize.max u:object_r:build_prop:s0 exact enum 4096 16384 65536
|
||||
|
||||
ro.product.system.brand u:object_r:build_prop:s0 exact string
|
||||
ro.product.system.device u:object_r:build_prop:s0 exact string
|
||||
ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
|
||||
|
|
91
prebuilts/api/34.0/private/sdk_sandbox_34.te
Normal file
91
prebuilts/api/34.0/private/sdk_sandbox_34.te
Normal file
|
@ -0,0 +1,91 @@
|
|||
###
|
||||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the security policy for the sdk sandbox processes
|
||||
### for targetSdkVersion=34.
|
||||
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
|
||||
|
||||
net_domain(sdk_sandbox_34)
|
||||
app_domain(sdk_sandbox_34)
|
||||
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
allow sdk_sandbox_34 {
|
||||
activity_service
|
||||
activity_task_service
|
||||
appops_service
|
||||
audio_service
|
||||
audioserver_service
|
||||
batteryproperties_service
|
||||
batterystats_service
|
||||
cameraserver_service
|
||||
connectivity_service
|
||||
connmetrics_service
|
||||
deviceidle_service
|
||||
display_service
|
||||
dropbox_service
|
||||
ephemeral_app_api_service
|
||||
font_service
|
||||
game_service
|
||||
gpu_service
|
||||
graphicsstats_service
|
||||
hardware_properties_service
|
||||
hint_service
|
||||
imms_service
|
||||
input_method_service
|
||||
input_service
|
||||
IProxyService_service
|
||||
ipsec_service
|
||||
launcherapps_service
|
||||
legacy_permission_service
|
||||
light_service
|
||||
locale_service
|
||||
media_communication_service
|
||||
mediadrmserver_service
|
||||
mediaextractor_service
|
||||
mediametrics_service
|
||||
media_projection_service
|
||||
media_router_service
|
||||
mediaserver_service
|
||||
media_session_service
|
||||
memtrackproxy_service
|
||||
midi_service
|
||||
netpolicy_service
|
||||
netstats_service
|
||||
network_management_service
|
||||
notification_service
|
||||
package_service
|
||||
permission_checker_service
|
||||
permission_service
|
||||
permissionmgr_service
|
||||
platform_compat_service
|
||||
power_service
|
||||
procstats_service
|
||||
radio_service
|
||||
registry_service
|
||||
restrictions_service
|
||||
rttmanager_service
|
||||
search_service
|
||||
selection_toolbar_service
|
||||
sensor_privacy_service
|
||||
sensorservice_service
|
||||
servicediscovery_service
|
||||
settings_service
|
||||
speech_recognition_service
|
||||
statusbar_service
|
||||
storagestats_service
|
||||
surfaceflinger_service
|
||||
telecom_service
|
||||
tethering_service
|
||||
textclassification_service
|
||||
textservices_service
|
||||
texttospeech_service
|
||||
thermal_service
|
||||
translation_service
|
||||
tv_iapp_service
|
||||
tv_input_service
|
||||
uimode_service
|
||||
vcn_management_service
|
||||
webviewupdate_service
|
||||
}:service_manager find;
|
||||
|
125
prebuilts/api/34.0/private/sdk_sandbox_all.te
Normal file
125
prebuilts/api/34.0/private/sdk_sandbox_all.te
Normal file
|
@ -0,0 +1,125 @@
|
|||
###
|
||||
### sdk_sandbox_all
|
||||
###
|
||||
### This file defines the rules shared by all sdk_sandbox_all domains.
|
||||
### Apps are labeled based on mac_permissions.xml (maps signer and
|
||||
### optionally package name to seinfo value) and seapp_contexts (maps UID
|
||||
### and optionally seinfo value to domain for process and type for data
|
||||
### directory). The sdk_sandbox_all_all attribute is assigned to all default
|
||||
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
|
||||
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
|
||||
### value as determined from mac_permissions.xml.
|
||||
|
||||
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
|
||||
|
||||
# Required to read CTS tests data from the shell_data_file location.
|
||||
allow sdk_sandbox_all shell_data_file:file r_file_perms;
|
||||
allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
|
||||
|
||||
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
||||
# modify them other than to connect
|
||||
allow sdk_sandbox_all system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# allow sandbox to search in sdk system server directory
|
||||
# additionally, for webview to work, getattr has been permitted
|
||||
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
|
||||
# allow sandbox to create files and dirs in sdk data directory
|
||||
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
|
||||
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
|
||||
|
||||
# allow apps to pass open fds to the sdk sandbox
|
||||
allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Receive or send generic netlink messages
|
||||
neverallow sdk_sandbox_all domain:netlink_socket *;
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow sdk_sandbox_all debugfs:file read;
|
||||
|
||||
# execute gpu_device
|
||||
neverallow sdk_sandbox_all gpu_device:chr_file execute;
|
||||
|
||||
# access files in /sys with the default sysfs label
|
||||
neverallow sdk_sandbox_all sysfs:file *;
|
||||
|
||||
# Avoid reads from generically labeled /proc files
|
||||
# Create a more specific label if needed
|
||||
neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Directly access external storage
|
||||
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
|
||||
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
|
||||
|
||||
# Avoid reads to proc_net, it contains too much device wide information about
|
||||
# ongoing connections.
|
||||
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
|
||||
|
||||
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
||||
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
|
||||
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
|
||||
|
||||
# SDK sandbox processes don't have any access to external storage
|
||||
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
|
||||
neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;
|
||||
|
||||
neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
|
||||
|
||||
neverallow sdk_sandbox_all hal_drm_service:service_manager find;
|
||||
|
||||
# Only certain system components should have access to sdk_sandbox_system_data_file
|
||||
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-sdk_sandbox_all
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
-zygote
|
||||
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
|
||||
|
||||
# Only certain system components should have access to sdk_sandbox_all_system_data_file
|
||||
# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-sdk_sandbox_all
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
-zygote
|
||||
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
|
||||
|
||||
# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
|
||||
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
|
||||
|
||||
# Only dirs should be created at sdk_sandbox_all_system_data_file level
|
||||
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|
||||
|
|
@ -2,9 +2,7 @@
|
|||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the security policy for the sdk sandbox processes
|
||||
### for a test set of restrictions. These restrictions will be adapted
|
||||
### with modifications, into the set of restrictions for the next SDK
|
||||
### level.
|
||||
### for targetSdkVersion=34.
|
||||
type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
|
||||
|
||||
net_domain(sdk_sandbox_next)
|
||||
|
|
|
@ -153,8 +153,8 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
|||
|
||||
isSystemServer=true domain=system_server_startup
|
||||
|
||||
# sdksandbox must run in the sdksandbox domain
|
||||
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
|
||||
# sdksandbox must run in an sdksandbox domain
|
||||
neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
|
||||
|
||||
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
||||
user=system seinfo=platform domain=system_app type=system_app_data_file
|
||||
|
|
|
@ -382,6 +382,7 @@ statusbar u:object_r:statusbar_service:s0
|
|||
storaged u:object_r:storaged_service:s0
|
||||
storaged_pri u:object_r:storaged_service:s0
|
||||
storagestats u:object_r:storagestats_service:s0
|
||||
# sdk_sandbox here refers to the service name, not the domain name.
|
||||
sdk_sandbox u:object_r:sdk_sandbox_service:s0
|
||||
SurfaceFlinger u:object_r:surfaceflinger_service:s0
|
||||
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
|
||||
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
|
||||
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
|
||||
|
||||
; Apps, except isolated apps, are clients of Configstore HAL
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
|
|
|
@ -4,6 +4,9 @@ allow modprobe proc_modules:file r_file_perms;
|
|||
allow modprobe proc_cmdline:file r_file_perms;
|
||||
allow modprobe self:global_capability_class_set sys_module;
|
||||
allow modprobe kernel:key search;
|
||||
allow modprobe system_dlkm_file:dir search;
|
||||
allow modprobe system_dlkm_file:file r_file_perms;
|
||||
allow modprobe system_dlkm_file:system module_load;
|
||||
recovery_only(`
|
||||
allow modprobe rootfs:system module_load;
|
||||
allow modprobe rootfs:file r_file_perms;
|
||||
|
|
|
@ -65,6 +65,10 @@ use_bootstrap_libs(ueventd)
|
|||
# Allow ueventd to run shell scripts from vendor
|
||||
allow ueventd vendor_shell_exec:file execute;
|
||||
|
||||
# Query device-mapper to extract name/uuid in response to uevents.
|
||||
allow ueventd dm_device:chr_file rw_file_perms;
|
||||
allow ueventd self:capability sys_admin;
|
||||
|
||||
#####
|
||||
##### neverallow rules
|
||||
#####
|
||||
|
|
Loading…
Reference in a new issue