Revert "Prebuilt updates for aosp/2827450" am: b460885e50

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2830890

Change-Id: Ief55d435dff2e58e463d4498fb3cf5740af8d21d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Thiébaud Weksteen 2023-11-15 03:02:23 +00:00 committed by Automerger Merge Worker
commit c541c1eb80
5 changed files with 84 additions and 136 deletions

View file

@ -13,5 +13,4 @@ expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;

View file

@ -3,7 +3,89 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox_34 {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
cameraserver_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
ephemeral_app_api_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediadrmserver_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
radio_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;

View file

@ -1,34 +0,0 @@
###
### SDK Sandbox process.
###
### This file defines the audit sdk sandbox security policy for
### the set of restrictions proposed for the next SDK level.
###
### The sdk_sandbox_audit domain has the same rules as the
### sdk_sandbox_current domain and additional auditing rules
### for the accesses we are considering forbidding in the upcoming
### sdk_sandbox_next domain.
type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_audit)
app_domain(sdk_sandbox_audit)
# Auditallow rules for accesses that are currently allowed but we
# might remove in the future.
auditallow sdk_sandbox_audit {
cameraserver_service
ephemeral_app_api_service
mediadrmserver_service
radio_service
}:service_manager find;
auditallow sdk_sandbox_audit {
property_type
-system_property_type
}:file rw_file_perms;
auditallow sdk_sandbox_audit {
property_type
-system_property_type
}:dir rw_dir_perms;

View file

@ -1,87 +0,0 @@
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for the current SDK level.
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox_current {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
cameraserver_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
ephemeral_app_api_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediadrmserver_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
radio_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;

View file

@ -13,7 +13,6 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@ -49,19 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
# as the current dessert release, with additional auditing rules for the accesses
# we are considering forbidding in the upcoming release.
#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
#
# isSdkSandboxAudit=true means sdk sandbox processes will get
# sdk_sandbox_audit sepolicy applied to them.
# An unspecified isSdkSandboxAudit defaults to false.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@ -182,7 +171,6 @@ user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user