tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rename SupplementalProcess to SdkSandbox

Browse source 
Ignore-AOSP-First: sepolicy is not in aosp, yet
Bug: 220320098
Test: presubmit
Change-Id: I9fb98e0caee75bdaaa35d11d174004505f236799
This commit is contained in:
Nikita Ioffe 2022-02-21 17:55:59 +00:00
parent e04261ab2e
commit e2da633ef7
16 changed files with 153 additions and 153 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
mac_permissions.mk
View file

@ -22,7 +22,7 @@ $(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
# Should be synced with keys.conf.
all_plat_keys := platform supplemental_process media networkstack shared testkey
all_plat_keys := platform sdk_sandbox media networkstack shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)

84
private/app.te
View file

@ -9,7 +9,7 @@ r_dir_file({
-platform_app
-priv_app
-shell
-supplemental_process
-sdk_sandbox
-system_app
-untrusted_app_all
}, proc_net_type)
@ -23,7 +23,7 @@ userdebug_or_eng(`
-priv_app
-shell
-su
-supplemental_process
-sdk_sandbox
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@ -72,7 +72,7 @@ dontaudit appdomain system_data_file:dir write;
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -supplemental_process } mnt_media_rw_file:dir search;
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
@ -119,67 +119,67 @@ allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -supplemental_process } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -supplemental_process } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -supplemental_process } vendor_file:file x_file_perms;')
allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -supplemental_process }, vendor_app_file)
allow { appdomain -ephemeral_app -supplemental_process } vendor_app_file:file execute;
r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
# Perform binder IPC to supplemental process.
binder_call(appdomain, supplemental_process)
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:lnk_file r_file_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:file create_file_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:file create_file_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usbaccessory_device:chr_file { read write getattr };
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
#logd access
control_logd({ appdomain -ephemeral_app -supplemental_process })
control_logd({ appdomain -ephemeral_app -sdk_sandbox })
# application inherit logd write socket (urge is to deprecate this long term)
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore_maintenance_service:service_manager find;
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2 get_state;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
use_credstore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
# For app fuse.
pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_client)
pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_manager)
pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_vsync)
pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, performance_client)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app -ephemeral_app -supplemental_process }, bufferhub_client)
pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file ioctl TUNGETIFF;
allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@ -205,11 +205,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app -supplemental_process } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app -supplemental_process } tmpfs:lnk_file r_file_perms;
allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
allow { appdomain -supplemental_process } tmpfs:dir r_dir_perms;
allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@ -243,11 +243,11 @@ allow appdomain appdomain:fifo_file rw_file_perms;
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:file create_file_perms;
allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app -supplemental_process } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@ -384,7 +384,7 @@ allow appdomain system_data_file:lnk_file r_file_perms;
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app -supplemental_process } media_rw_data_file:file { read getattr };
allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
@ -476,7 +476,7 @@ neverallow {
nfc
radio
shared_relro
supplemental_process
sdk_sandbox
system_app
} {
data_file_type

2
private/compat/31.0/31.0.ignore.cil
View file

@ -42,7 +42,7 @@
proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
supplemental_process_service
sdk_sandbox_service
sysfs_fs_fuse_bpf
sysfs_vendor_sched
tv_iapp_service

2
private/compat/32.0/32.0.ignore.cil
View file

@ -55,8 +55,8 @@
remotelyprovisionedkeypool_service
resources_manager_service
selection_toolbar_service
sdk_sandbox_service
snapuserd_proxy_socket
supplemental_process_service
sysfs_fs_fuse_bpf
system_dlkm_file
tare_service

2
private/domain.te
View file

@ -626,6 +626,6 @@ neverallow {
isolated_app
ephemeral_app
priv_app
supplemental_process
sdk_sandbox
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };

4
private/file.te
View file

@ -19,8 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdk/<app-name>/* subdirectory for supplemental apps
type supplemental_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;

2
private/isolated_app.te
View file

@ -136,7 +136,7 @@ neverallow isolated_app {
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app { self ephemeral_app priv_app supplemental_process untrusted_app_all }:{
neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket

4
private/keys.conf
View file

@ -11,8 +11,8 @@
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
[@SUPPLEMENTAL_PROCESS]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/supplemental_process.x509.pem
[@SDK_SANDBOX]
ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem

6
private/mac_permissions.xml
View file

@ -51,9 +51,9 @@
<seinfo value="platform" />
</signer>
<!-- Supplemental process key -->
<signer signature="@SUPPLEMENTAL_PROCESS" >
<seinfo value="supplemental_process" />
<!-- Sdk Sandbox key -->
<signer signature="@SDK_SANDBOX" >
<seinfo value="sdk_sandbox" />
</signer>
<!-- Media key in AOSP -->

8
private/net.te
View file

@ -1,7 +1,7 @@
# Bind to ports.
allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@ -12,7 +12,7 @@ allow {
netdomain
-ephemeral_app
-mediaprovider
-supplemental_process
-sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };

87
private/sdk_sandbox.te Normal file
View file

@ -0,0 +1,87 @@
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.
type sdk_sandbox, domain;
typeattribute sdk_sandbox coredomain;
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox activity_service:service_manager find;
allow sdk_sandbox activity_task_service:service_manager find;
allow sdk_sandbox audio_service:service_manager find;
# Audit the access to signal that we are still investigating whether sdk_sandbox
# should have access to audio_service
# TODO(b/211632068): remove this line
auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
allow sdk_sandbox trust_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(sdk_sandbox)
can_profile_perf(sdk_sandbox)
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow access to sdksandbox data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
###
### neverallow rules
###
neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;
# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;

8
private/seapp_contexts
View file

@ -26,7 +26,7 @@
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
# user=_supplemental will match supplemental process for an app.
# user=_sdksandbox will match sdk sandbox process for an app.
# Other values of user are matched against the name associated with the process
# UID.
# seinfo= matches aginst the seinfo tag for the app, determined from
@ -138,8 +138,8 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server_startup
# supplemental_process must run in the supplemental_process domain
neverallow name=com.android.supplemental.process domain=((?!supplemental_process).)*
# sdksandbox must run in the sdksandbox domain
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
@ -153,7 +153,7 @@ user=shared_relro domain=shared_relro levelFrom=all
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_supplemental domain=supplemental_process type=supplemental_app_data_file levelFrom=all
user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user

2
private/service_contexts
View file

@ -324,7 +324,7 @@ statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
supplemental_process u:object_r:supplemental_process_service:s0
sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0

87
private/supplemental_process.te
View file

@ -1,87 +0,0 @@
###
### Supplemental Process.
###
### This file defines the security policy for the supplemental process.
type supplemental_process, domain;
typeattribute supplemental_process coredomain;
net_domain(supplemental_process)
app_domain(supplemental_process)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow supplemental_process activity_service:service_manager find;
allow supplemental_process activity_task_service:service_manager find;
allow supplemental_process audio_service:service_manager find;
# Audit the access to signal that we are still investigating whether supplemental_process
# should have access to audio_service
# TODO(b/211632068): remove this line
auditallow supplemental_process audio_service:service_manager find;
allow supplemental_process hint_service:service_manager find;
allow supplemental_process surfaceflinger_service:service_manager find;
allow supplemental_process trust_service:service_manager find;
allow supplemental_process uimode_service:service_manager find;
allow supplemental_process webviewupdate_service:service_manager find;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(supplemental_process)
# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(supplemental_process)
can_profile_perf(supplemental_process)
# allow supplemental processes to use UDP sockets provided by the system server but not
# modify them other than to connect
allow supplemental_process system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow access to supplemental data directory
allow supplemental_process supplemental_app_data_file:dir create_dir_perms;
allow supplemental_process supplemental_app_data_file:file create_file_perms;
###
### neverallow rules
###
neverallow supplemental_process { app_data_file privapp_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow supplemental_process domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow supplemental_process domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow supplemental_process debugfs:file read;
# execute gpu_device
neverallow supplemental_process gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow supplemental_process sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow supplemental_process proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow supplemental_process { sdcard_type media_rw_data_file }:file {open create};
neverallow supplemental_process { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow supplemental_process proc_net:file no_rw_file_perms;
# Supplemental process doesn't have its own private app data directory
neverallow supplemental_process { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow supplemental_process { app_data_file privapp_data_file }:file no_rw_file_perms;
# Supplemental process doesn't have any access to external storage
neverallow supplemental_process { media_rw_data_file }:dir no_rw_file_perms;
neverallow supplemental_process { media_rw_data_file }:file no_rw_file_perms;
neverallow { supplemental_process } tmpfs:dir no_rw_file_perms;

4
private/vold_prepare_subdirs.te
View file

@ -26,7 +26,7 @@ allow vold_prepare_subdirs {
iris_vendor_data_file
rollback_data_file
storaged_data_file
supplemental_app_data_file
sdk_sandbox_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
@ -42,7 +42,7 @@ allow vold_prepare_subdirs {
iris_vendor_data_file
rollback_data_file
storaged_data_file
supplemental_app_data_file
sdk_sandbox_data_file
system_data_file
vold_data_file
}:file { getattr unlink };

2
public/service.te
View file

@ -211,7 +211,7 @@ type slice_service, app_api_service, system_server_service, service_manager_type
type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type supplemental_process_service, app_api_service, system_server_service, service_manager_type;
type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;