diff --git a/mac_permissions.mk b/mac_permissions.mk index 2d3b9aef5..dbdf14430 100644 --- a/mac_permissions.mk +++ b/mac_permissions.mk @@ -22,7 +22,7 @@ $(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4) $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@ # Should be synced with keys.conf. -all_plat_keys := platform supplemental_process media networkstack shared testkey +all_plat_keys := platform sdk_sandbox media networkstack shared testkey all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem) $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files) diff --git a/private/app.te b/private/app.te index d020c3893..4d51767e6 100644 --- a/private/app.te +++ b/private/app.te @@ -9,7 +9,7 @@ r_dir_file({ -platform_app -priv_app -shell - -supplemental_process + -sdk_sandbox -system_app -untrusted_app_all }, proc_net_type) @@ -23,7 +23,7 @@ userdebug_or_eng(` -priv_app -shell -su - -supplemental_process + -sdk_sandbox -system_app -untrusted_app_all } proc_net_type:{ dir file lnk_file } { getattr open read }; @@ -72,7 +72,7 @@ dontaudit appdomain system_data_file:dir write; dontaudit appdomain vendor_default_prop:file read; # Access to /mnt/media_rw/ (limited by DAC to apps with external_storage gid) -allow { appdomain -supplemental_process } mnt_media_rw_file:dir search; +allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search; neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind 
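Review bot: `sdk_sandbox` in the new `all_plat_keys` list resolves on the next line to `$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/sdk_sandbox.x509.pem`, and the keys.conf hunk resolves `[@SDK_SANDBOX]` to `$MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem`; neither certificate file is part of this change, so the rename only works if the key material in both certificate directories is renamed in lockstep. Presumably a missing certificate fails the mac_permissions generation step (the `$(M4) --fatal-warnings` recipe above, or whatever consumes keys.conf), which is the outcome you want — a signer entry that silently matches nothing would drop the sandbox app out of its intended seinfo — but it is worth confirming rather than assuming. A pointer next to the list, `# each name here must exist as <name>.x509.pem in the cert dirs used here and in keys.conf`, would save the next person the search.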
@@ -119,67 +119,67 @@ allow appdomain tombstone_data_file:file { getattr read }; neverallow appdomain tombstone_data_file:file ~{ getattr read }; # Execute the shell or other system executables. -allow { appdomain -ephemeral_app -supplemental_process } shell_exec:file rx_file_perms; -allow { appdomain -ephemeral_app -supplemental_process } toolbox_exec:file rx_file_perms; -not_full_treble(`allow { appdomain -ephemeral_app -supplemental_process } vendor_file:file x_file_perms;') +allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms; +allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms; +not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;') # Allow apps access to /vendor/app except for privileged # apps which cannot be in /vendor. -r_dir_file({ appdomain -ephemeral_app -supplemental_process }, vendor_app_file) -allow { appdomain -ephemeral_app -supplemental_process } vendor_app_file:file execute; +r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file) +allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute; -# Perform binder IPC to supplemental process. -binder_call(appdomain, supplemental_process) +# Perform binder IPC to sdk sandbox. 
+binder_call(appdomain, sdk_sandbox) # Allow access to external storage; we have several visible mount points under /storage # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:dir r_dir_perms; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:lnk_file r_file_perms; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:dir r_dir_perms; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:lnk_file r_file_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms; # Read/write visible storage -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:dir create_dir_perms; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:file create_file_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms; # This should be removed if sdcardfs is modified to alter the secontext for its # accesses to the underlying FS. 
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:dir create_dir_perms; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:file create_file_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms; # Allow apps to use the USB Accessory interface. # http://developer.android.com/guide/topics/connectivity/usb/accessory.html # # USB devices are first opened by the system server (USBDeviceManagerService) # and the file descriptor is passed to the right Activity via binder. -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usb_device:chr_file { read write getattr ioctl }; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usbaccessory_device:chr_file { read write getattr }; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl }; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr }; #logd access -control_logd({ appdomain -ephemeral_app -supplemental_process }) +control_logd({ appdomain -ephemeral_app -sdk_sandbox }) # application inherit logd write socket (urge is to deprecate this long term) -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore_key { get_state get insert delete exist list sign verify }; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2_key { delete use get_info rebind update }; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify }; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update }; -allow { appdomain -isolated_app 
-ephemeral_app -supplemental_process } keystore_maintenance_service:service_manager find; -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2 get_state; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state; -use_keystore({ appdomain -isolated_app -ephemeral_app -supplemental_process }) +use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }) -use_credstore({ appdomain -isolated_app -ephemeral_app -supplemental_process }) +use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }) # For app fuse. -pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_client) -pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_manager) -pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_vsync) -pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, performance_client) +pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client) +pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager) +pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync) +pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client) # Apps do not directly open the IPC socket for bufferhubd. -pdx_use({ appdomain -isolated_app -ephemeral_app -supplemental_process }, bufferhub_client) +pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client) # Apps receive an open tun fd from the framework for # device traffic. 
Do not allow untrusted app to directly open tun_device -allow { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file { read write getattr append ioctl }; -allowxperm { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file ioctl TUNGETIFF; +allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl }; +allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF; # WebView and other application-specific JIT compilers @@ -205,11 +205,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr }; allow appdomain dalvikcache_data_file:file r_file_perms; # Read the /sdcard and /mnt/sdcard symlinks -allow { appdomain -isolated_app -supplemental_process } rootfs:lnk_file r_file_perms; -allow { appdomain -isolated_app -supplemental_process } tmpfs:lnk_file r_file_perms; +allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms; +allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms; # Search /storage/emulated tmpfs mount. -allow { appdomain -supplemental_process } tmpfs:dir r_dir_perms; +allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms; # Notify zygote of the wrapped process PID when using --invoke-with. allow appdomain zygote:fifo_file write; 
@@ -243,11 +243,11 @@ allow appdomain appdomain:fifo_file rw_file_perms; allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; # App sandbox file accesses. -allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:dir create_dir_perms; -allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:file create_file_perms; +allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms; +allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms; # Access via already open fds is ok even for mlstrustedsubject. -allow { appdomain -isolated_app -supplemental_process } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write }; +allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write }; # Traverse into expanded storage allow appdomain mnt_expand_file:dir r_dir_perms; @@ -384,7 +384,7 @@ allow appdomain system_data_file:lnk_file r_file_perms; allow appdomain system_data_file:file { getattr read map }; # Allow read/stat of /data/media files passed by Binder or local socket IPC. -allow { appdomain -isolated_app -supplemental_process } media_rw_data_file:file { read getattr }; +allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr }; # Read and write /data/data/com.android.providers.telephony files passed over Binder. allow { appdomain -isolated_app } radio_data_file:file { read write getattr }; @@ -476,7 +476,7 @@ neverallow { nfc radio shared_relro - supplemental_process + sdk_sandbox system_app } { data_file_type diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil index 286f408d1..496832edf 100644 
--- a/private/compat/31.0/31.0.ignore.cil +++ b/private/compat/31.0/31.0.ignore.cil @@ -42,7 +42,7 @@ proc_watermark_scale_factor untrusted_app_30 proc_vendor_sched - supplemental_process_service + sdk_sandbox_service sysfs_fs_fuse_bpf sysfs_vendor_sched tv_iapp_service diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil index ee7d51ef6..c83557980 100644 --- a/private/compat/32.0/32.0.ignore.cil +++ b/private/compat/32.0/32.0.ignore.cil @@ -55,8 +55,8 @@ remotelyprovisionedkeypool_service resources_manager_service selection_toolbar_service + sdk_sandbox_service snapuserd_proxy_socket - supplemental_process_service sysfs_fs_fuse_bpf system_dlkm_file tare_service diff --git a/private/domain.te b/private/domain.te index 501995253..12d649cf1 100644 --- a/private/domain.te +++ b/private/domain.te @@ -626,6 +626,6 @@ neverallow { isolated_app ephemeral_app priv_app - supplemental_process + sdk_sandbox untrusted_app_all } system_app_data_file:dir_file_class_set { create unlink open }; diff --git a/private/file.te b/private/file.te index 82db1f728..54d6df632 100644 --- a/private/file.te +++ b/private/file.te @@ -19,8 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f # /data/misc/perfetto-configs for perfetto configs type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type; -# /data/misc_{ce/de}//sdk//* subdirectory for supplemental apps -type supplemental_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; +# /data/misc_{ce/de}//sdksandbox//* subdirectory for sdk sandbox processes +type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds. type debugfs_kcov, fs_type, debugfs_type; diff --git a/private/isolated_app.te b/private/isolated_app.te index 1fc9f006e..0d9075623 100644 --- a/private/isolated_app.te 
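Review bot: In the 32.0.ignore.cil hunk `sdk_sandbox_service` is inserted after `selection_toolbar_service`, but the surrounding entries are alphabetical and `sdk_` sorts before `sel`, so the line belongs one entry earlier. The same rename leaves `sdk_sandbox` out of order in the service_contexts hunk (between `storagestats` and `SurfaceFlinger`, in a list that is otherwise sorted case-insensitively) and `sdk_sandbox_service` in the public/service.te hunk (after `storagestats_service`). Moving the three lines to their sorted positions keeps these lists merge-friendly; the 31.0.ignore.cil list is not strictly sorted, so the in-place replacement there is fine.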
+++ b/private/isolated_app.te @@ -136,7 +136,7 @@ neverallow isolated_app { # excluding unix_stream_socket and unix_dgram_socket. # Many of these are socket families which have never and will never # be compiled into the Android kernel. -neverallow isolated_app { self ephemeral_app priv_app supplemental_process untrusted_app_all }:{ +neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket diff --git a/private/keys.conf b/private/keys.conf index cc4e1f3ba..30739f9d3 100644 --- a/private/keys.conf +++ b/private/keys.conf @@ -11,8 +11,8 @@ [@PLATFORM] ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem -[@SUPPLEMENTAL_PROCESS] -ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/supplemental_process.x509.pem +[@SDK_SANDBOX] +ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem [@MEDIA] ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml index 0e7763708..ec3df0f74 100644 --- a/private/mac_permissions.xml +++ b/private/mac_permissions.xml @@ -51,9 +51,9 @@ - - - + + + diff --git a/private/net.te b/private/net.te index 3e2027463..9e15f41dd 100644 --- a/private/net.te +++ b/private/net.te 
@@ -1,7 +1,7 @@ # Bind to ports. -allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind; -allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind; -allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind; +allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind; +allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind; +allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind; # b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from # untrusted_apps. @@ -12,7 +12,7 @@ allow { netdomain -ephemeral_app -mediaprovider - -supplemental_process + -sdk_sandbox -untrusted_app_all } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh }; diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te new file mode 100644 index 000000000..782bb468d --- /dev/null +++ b/private/sdk_sandbox.te 
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow access to sdksandbox data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms; + +# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file +neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms; +neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms; + +# SDK sandbox processes don't have any access to external storage +neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms; +neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms; + +neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms; diff --git a/private/seapp_contexts b/private/seapp_contexts index 0f1195cdb..0e3d8169f 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts @@ -26,7 +26,7 @@ # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral # user=_app will match any regular app process. # user=_isolated will match any isolated service process. -# user=_supplemental will match supplemental process for an app. +# user=_sdksandbox will match sdk sandbox process for an app. # Other values of user are matched against the name associated with the process # UID. # seinfo= matches aginst the seinfo tag for the app, determined from @@ -138,8 +138,8 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* isSystemServer=true domain=system_server_startup -# supplemental_process must run in the supplemental_process domain -neverallow name=com.android.supplemental.process domain=((?!supplemental_process).)* +# sdksandbox must run in the sdksandbox domain +neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)* user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all 
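Review bot: The comment `# SDK sandbox processes don't have any access to external storage` in the new sdk_sandbox.te is wider than the two neverallow lines under it, which cover only `media_rw_data_file`; `sdcard_type` is only denied `{open create}` and `dir search` by the earlier `# Directly access external storage` pair, and `fuse`, which the app.te hunks pair with `sdcard_type` when excluding `-sdk_sandbox` from the storage allow rules, is not named in any neverallow here. If the intent is really "no external storage at all", widening the second pair to `neverallow sdk_sandbox { sdcard_type fuse media_rw_data_file }:dir no_rw_file_perms;` and `neverallow sdk_sandbox { sdcard_type fuse media_rw_data_file }:file no_rw_file_perms;` turns that intent into something the policy compiler enforces; if an attribute-granted rule already hands sdk_sandbox one of those permissions the neverallow will fail the build, which is the signal you want either way. Otherwise the comment should be narrowed to name `media_rw_data_file` only, so it does not promise more than the rule checks.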
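Review bot: The new comment `# sdksandbox must run in the sdksandbox domain` in the seapp_contexts `@@ -138` hunk names a domain that does not exist; the neverallow on the next line constrains the process named `com.android.sdksandbox` to the `sdk_sandbox` domain (the type declared in sdk_sandbox.te and used by the `user=_sdksandbox` entry in the following hunk). With the old name the process and domain happened to coincide, so the shorthand worked; here it does not. Suggested wording: `# com.android.sdksandbox must run in the sdk_sandbox domain`.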
@@ -153,7 +153,7 @@ user=shared_relro domain=shared_relro levelFrom=all user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file user=webview_zygote seinfo=webview_zygote domain=webview_zygote user=_isolated domain=isolated_app levelFrom=user -user=_supplemental domain=supplemental_process type=supplemental_app_data_file levelFrom=all +user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all user=_app seinfo=app_zygote domain=app_zygote levelFrom=user user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user diff --git a/private/service_contexts b/private/service_contexts index 9424355c4..c6fb3d56d 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -324,7 +324,7 @@ statusbar u:object_r:statusbar_service:s0 storaged u:object_r:storaged_service:s0 storaged_pri u:object_r:storaged_service:s0 storagestats u:object_r:storagestats_service:s0 -supplemental_process u:object_r:supplemental_process_service:s0 +sdk_sandbox u:object_r:sdk_sandbox_service:s0 SurfaceFlinger u:object_r:surfaceflinger_service:s0 SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0 suspend_control u:object_r:system_suspend_control_service:s0 diff --git a/private/supplemental_process.te b/private/supplemental_process.te deleted file mode 100644 index 720f71b4c..000000000 --- a/private/supplemental_process.te +++ /dev/null 
@@ -1,87 +0,0 @@
-###
-### Supplemental Process.
-###
-### This file defines the security policy for the supplemental process.
-
-type supplemental_process, domain;
-
-typeattribute supplemental_process coredomain;
-
-net_domain(supplemental_process)
-app_domain(supplemental_process)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow supplemental_process activity_service:service_manager find;
-allow supplemental_process activity_task_service:service_manager find;
-allow supplemental_process audio_service:service_manager find;
-# Audit the access to signal that we are still investigating whether supplemental_process
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow supplemental_process audio_service:service_manager find;
-allow supplemental_process hint_service:service_manager find;
-allow supplemental_process surfaceflinger_service:service_manager find;
-allow supplemental_process trust_service:service_manager find;
-allow supplemental_process uimode_service:service_manager find;
-allow supplemental_process webviewupdate_service:service_manager find;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(supplemental_process)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(supplemental_process)
-can_profile_perf(supplemental_process)
-
-# allow supplemental processes to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow supplemental_process system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow access to supplemental data directory
-allow supplemental_process supplemental_app_data_file:dir create_dir_perms;
-allow supplemental_process supplemental_app_data_file:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow supplemental_process { app_data_file privapp_data_file }:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow supplemental_process domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow supplemental_process domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow supplemental_process debugfs:file read;
-
-# execute gpu_device
-neverallow supplemental_process gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow supplemental_process sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow supplemental_process proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow supplemental_process { sdcard_type media_rw_data_file }:file {open create};
-neverallow supplemental_process { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow supplemental_process proc_net:file no_rw_file_perms; - -# Supplemental process doesn't have its own private app data directory -neverallow supplemental_process { app_data_file privapp_data_file }:dir no_rw_file_perms; -neverallow supplemental_process { app_data_file privapp_data_file }:file no_rw_file_perms; - -# Supplemental process doesn't have any access to external storage -neverallow supplemental_process { media_rw_data_file }:dir no_rw_file_perms; -neverallow supplemental_process { media_rw_data_file }:file no_rw_file_perms; - -neverallow { supplemental_process } tmpfs:dir no_rw_file_perms; diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te index e6a23705d..e1c8044ff 100644 --- a/private/vold_prepare_subdirs.te +++ b/private/vold_prepare_subdirs.te @@ -26,7 +26,7 @@ allow vold_prepare_subdirs { iris_vendor_data_file rollback_data_file storaged_data_file - supplemental_app_data_file + sdk_sandbox_data_file system_data_file vold_data_file }:dir { create_dir_perms relabelto }; @@ -42,7 +42,7 @@ allow vold_prepare_subdirs { iris_vendor_data_file rollback_data_file storaged_data_file - supplemental_app_data_file + sdk_sandbox_data_file system_data_file vold_data_file }:file { getattr unlink }; diff --git a/public/service.te b/public/service.te index 3a2afa91a..1b17973b9 100644 --- a/public/service.te +++ b/public/service.te 
@@ -211,7 +211,7 @@ type slice_service, app_api_service, system_server_service, service_manager_type type smartspace_service, app_api_service, system_server_service, service_manager_type; type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; -type supplemental_process_service, app_api_service, system_server_service, service_manager_type; +type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type; type system_config_service, system_api_service, system_server_service, service_manager_type; type system_server_dumper_service, system_api_service, system_server_service, service_manager_type; type system_update_service, system_server_service, service_manager_type;