Move parts of sdk_sandbox from private to apex policy

Bug: 236691128
Test: atest SeamendcHostTest

Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902

Android.bp

@@ -373,19 +373,44 @@ se_policy_cil {
     additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
 }
 
-
 se_policy_conf {
     name: "apex_sepolicy-33.conf",
-    srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy +
+        product_public_policy +
+        product_private_policy +
+        ["com.android.sepolicy/33/*.te"],
     installable: false,
 }
 
 se_policy_cil {
     name: "apex_sepolicy-33.cil",
     src: ":apex_sepolicy-33.conf",
-    filter_out: [":plat_sepolicy.cil"],
+    filter_out: [
+        ":plat_sepolicy.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+    ],
     installable: false,
     stem: "apex_sepolicy.cil",
+    remove_line_marker: true,
+}
+
+se_policy_cil {
+    name: "decompiled_sepolicy-without_apex.cil",
+    src: ":precompiled_sepolicy-without_apex",
+    decompile_binary: true,
+}
+
+se_policy_cil {
+    name: "apex_sepolicy-decompiled.cil",
+    src: ":precompiled_sepolicy",
+    decompile_binary: true,
+    filter_out: [":decompiled_sepolicy-without_apex.cil"],
+    additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+    secilc_check: false,
 }
 
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
@@ -896,6 +921,50 @@ precompiled_se_policy_binary {
     },
 }
 
+precompiled_se_policy_binary {
+    name: "precompiled_sepolicy-without_apex",
+    srcs: [
+        ":plat_sepolicy.cil",
+        ":plat_pub_versioned.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+        ":vendor_sepolicy.cil",
+        ":odm_sepolicy.cil",
+    ],
+    soong_config_variables: {
+        BOARD_USES_ODMIMAGE: {
+            device_specific: true,
+            conditions_default: {
+                vendor: true,
+            },
+        },
+        IS_TARGET_MIXED_SEPOLICY: {
+            ignore_neverallow: true,
+        },
+        MIXED_SEPOLICY_VERSION: {
+            srcs: [
+                ":plat_%s.cil",
+                ":system_ext_%s.cil",
+                ":product_%s.cil",
+            ],
+            conditions_default: {
+                srcs: [
+                    ":plat_mapping_file",
+                    ":system_ext_mapping_file",
+                    ":product_mapping_file",
+                ],
+            },
+        },
+    },
+    required: [
+        "sepolicy_neverallows",
+        "sepolicy_neverallows_vendor",
+    ],
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
+
 // policy for recovery
 se_policy_conf {
     name: "recovery_sepolicy.conf",

build/soong/policy.go

@@ -287,6 +287,10 @@ type policyCilProperties struct {
 	// Policy file to be compiled to cil file.
 	Src *string `android:"path"`
 
+	// If true, the input policy file is a binary policy that will be decompiled to a cil file.
+	// Defaults to false.
+	Decompile_binary *bool
+
 	// Additional cil files to be added in the end of the output. This is to support workarounds
 	// which are not supported by the policy language.
 	Additional_cil_files []string `android:"path"`
@@ -338,17 +342,22 @@ func (c *policyCil) stem() string {
 func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
 	cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().BuiltTool("checkpolicy").
-		Flag("-C"). // Write CIL
-		Flag("-M"). // Enable MLS
-		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
-		FlagWithOutput("-o ", cil).
-		Input(conf)
 
-	if len(c.properties.Additional_cil_files) > 0 {
-		rule.Command().Text("cat").
-			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
-			Text(">> ").Output(cil)
+	if proptools.Bool(c.properties.Decompile_binary) {
+		rule.Command().BuiltTool("checkpolicy").
+			Flag("-b"). // Read binary
+			Flag("-C"). // Write CIL
+			Flag("-M"). // Enable MLS
+			FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+			FlagWithOutput("-o ", cil).
+			Input(conf)
+	} else {
+		rule.Command().BuiltTool("checkpolicy").
+			Flag("-C"). // Write CIL
+			Flag("-M"). // Enable MLS
+			FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+			FlagWithOutput("-o ", cil).
+			Input(conf)
 	}
 
 	if len(c.properties.Filter_out) > 0 {
@@ -359,6 +368,12 @@ func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Pat
 			FlagWithOutput("-t ", cil)
 	}
 
+	if len(c.properties.Additional_cil_files) > 0 {
+		rule.Command().Text("cat").
+			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+			Text(">> ").Output(cil)
+	}
+
 	if proptools.Bool(c.properties.Remove_line_marker) {
 		rule.Command().Text("grep -v").
 			Text(proptools.ShellEscape(";;")).

com.android.sepolicy/33/definitions/definitions.cil

@@ -0,0 +1,527 @@
+(sid test)
+(sidorder (test))
+
+(classorder (file service_manager fd sock_file unix_stream_socket process dir udp_socket anon_inode fifo_file lnk_file unix_dgram_socket lockdown netlink_route_socket tcp_socket rawip_socket icmp_socket chr_file binder hwservice_manager))
+
+;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read write getattr lock map open watch watch_reads execute_no_trans append create setattr unlink rename execute relabelfrom relabelto link watch_mount watch_sb watch_with_perm entrypoint execmod audit_access mounton quotaon))
+
+;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
+(role r)
+(role object_r)
+
+(class service_manager (add find list ))
+(class sock_file (write))
+(class fd (use ))
+(class unix_stream_socket (ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown connectto))
+(class process (fork sigchld sigkill sigstop signull ptrace transition signal siginh rlimitinh getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit execmem dyntransition noatsecure))
+(class dir (ioctl read write create getattr setattr lock rename open watch watch_reads relabelfrom relabelto append map unlink link add_name remove_name reparent search rmdir execute quotaon watch_with_perm watch_sb watch_mount execmod audit_access mounton))
+(class udp_socket (ioctl read write getattr setattr connect getopt setopt recvfrom sendto node_bind name_bind create lock append map bind shutdown))
+(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class unix_dgram_socket (ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown sendto))
+(class fifo_file (ioctl read write getattr lock append map open watch watch_reads))
+(class lnk_file (ioctl read getattr lock map open watch watch_reads))
+(class lockdown (confidentiality))
+(class netlink_route_socket (read write create getattr setattr lock append connect getopt setopt shutdown nlmsg_read bind nlmsg_getneigh nlmsg_readpriv))
+(class tcp_socket (node_bind name_bind ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown))
+(class rawip_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
+(class icmp_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
+(class binder (call transfer))
+(class chr_file (ioctl read write getattr lock append map open watch watch_reads))
+(class hwservice_manager (find))
+
+(typeattribute domain)
+(typeattribute coredomain)
+(typeattribute netdomain)
+(typeattribute appdomain)
+
+(type activity_service)
+(type activity_task_service)
+(type adbd)
+(type adsprpcd)
+(type aidl_lazy_test_server)
+(type airbrush)
+(type apexd)
+(type apexd_derive_classpath)
+(type apex_test_prepostinstall)
+(type appdomain_tmpfs)
+(type appops_service)
+(type app_zygote)
+(type artd)
+(type atrace)
+(type audioserver)
+(type audioserver_service)
+(type audio_service)
+(type auditctl)
+(type automotive_display_service)
+(type batteryproperties_service)
+(type batterystats_service)
+(type binder_device)
+(type blank_screen)
+(type blkid)
+(type blkid_untrusted)
+(type bluetooth)
+(type bootanim)
+(type bootstat)
+(type boringssl_self_test)
+(type bpfloader)
+(type bt_logger)
+(type bufferhubd)
+(type cameraserver)
+(type canhalconfigurator)
+(type cbrs_setup_app)
+(type cdsprpcd)
+(type charger)
+(type charger_vendor)
+(type chre)
+(type citadeld)
+(type citadel_provision)
+(type clatd)
+(type cnd)
+(type codec2_config_prop)
+(type color_init)
+(type composd)
+(type compos_fd_server)
+(type compos_verify)
+(type con_monitor_app)
+(type connectivity_service)
+(type connmetrics_service)
+(type cppreopts)
+(type crash_dump)
+(type crash_dump_exec)
+(type credstore)
+(type crosvm)
+(type dataservice_app)
+(type derive_classpath)
+(type derive_sdk)
+(type device_config_nnapi_native_prop)
+(type device_drop_monitor)
+(type deviceidle_service)
+(type dex2oat)
+(type dexoptanalyzer)
+(type dhcp)
+(type diag)
+(type diced)
+(type display_service)
+(type dmabuf_system_heap_device)
+(type dmabuf_system_secure_heap_device)
+(type dmesgd)
+(type dnsmasq)
+(type drmserver)
+(type dropbox_service)
+(type dumpstate)
+(type e2fs)
+(type ephemeral_app)
+(type evsmanagerd)
+(type extra_free_kbytes)
+(type face_debug)
+(type fastbootd)
+(type fingerprintd)
+(type flags_health_check)
+(type font_service)
+(type fsck)
+(type fsck_untrusted)
+(type fstman)
+(type fsverity_init)
+(type fwk_bufferhub)
+(type game_service)
+(type gatekeeperd)
+(type gki_apex_prepostinstall)
+(type gmscore_app)
+(type google_camera_app)
+(type google_touch_app)
+(type gpu_device)
+(type gpu_service)
+(type gpuservice)
+(type graphicsstats_service)
+(type grilservice_app)
+(type gsid)
+(type hal_allocator_default)
+(type hal_allocator_server)
+(type hal_atrace_default)
+(type hal_audiocontrol_default)
+(type hal_audio_default)
+(type hal_authsecret_default)
+(type hal_bluetooth_btlinux)
+(type hal_bluetooth_default)
+(type hal_bluetooth_qti)
+(type hal_bootctl_default)
+(type hal_broadcastradio_default)
+(type hal_camera_default)
+(type hal_can_socketcan)
+(type hal_cas_default)
+(type hal_cas_hwservice)
+(type hal_cas_server)
+(type hal_codec2_hwservice)
+(type hal_codec2_server)
+(type hal_configstore_default)
+(type hal_configstore_ISurfaceFlingerConfigs)
+(type hal_configstore_server)
+(type hal_confirmationui_default)
+(type hal_contexthub_default)
+(type hal_dice_default)
+(type hal_display_color_default)
+(type hal_drm_clearkey)
+(type hal_drm_clearkey_aidl)
+(type hal_drm_default)
+(type hal_drm_server)
+(type hal_drm_widevine)
+(type hal_dumpstate_default)
+(type hal_dumpstate_impl)
+(type hal_evs_default)
+(type hal_face_default)
+(type hal_fingerprint_default)
+(type hal_gatekeeper_default)
+(type hal_gatekeeper_qti)
+(type hal_gnss_default)
+(type hal_gnss_qti)
+(type hal_graphics_allocator_default)
+(type hal_graphics_allocator_hwservice)
+(type hal_graphics_allocator_server)
+(type hal_graphics_allocator_service)
+(type hal_graphics_composer_default)
+(type hal_graphics_mapper_hwservice)
+(type hal_health_default)
+(type hal_health_storage_default)
+(type hal_identity_citadel)
+(type hal_identity_default)
+(type hal_imsrtp)
+(type hal_input_classifier_default)
+(type hal_input_processor_default)
+(type hal_ir_default)
+(type hal_keymaster_citadel)
+(type hal_keymaster_default)
+(type hal_keymaster_qti)
+(type hal_keymint_citadel)
+(type hal_keymint_default)
+(type hal_light_default)
+(type hal_lowpan_default)
+(type hal_memtrack_default)
+(type hal_neuralnetworks_darwinn)
+(type hal_neuralnetworks_default)
+(type hal_neuralnetworks_hwservice)
+(type hal_neuralnetworks_server)
+(type hal_neuralnetworks_service)
+(type hal_nfc_default)
+(type hal_oemlock_default)
+(type hal_omx_hwservice)
+(type hal_omx_server)
+(type hal_power_default)
+(type hal_power_stats_default)
+(type hal_qseecom_default)
+(type hal_qteeconnector_qti)
+(type hal_radio_config_default)
+(type hal_radio_default)
+(type hal_radioext_default)
+(type hal_rcsservice)
+(type hal_rebootescrow_citadel)
+(type hal_rebootescrow_default)
+(type hal_renderscript_hwservice)
+(type hal_secure_element_default)
+(type hal_sensors_default)
+(type hal_tetheroffload_default)
+(type hal_thermal_default)
+(type hal_tui_comm_qti)
+(type hal_tv_cec_default)
+(type hal_tv_input_default)
+(type hal_tv_tuner_default)
+(type hal_tv_tuner_server)
+(type hal_usb_default)
+(type hal_usb_gadget_default)
+(type hal_usb_gadget_impl)
+(type hal_usb_impl)
+(type hal_uwb_default)
+(type hal_vehicle_default)
+(type hal_vibrator_default)
+(type hal_vr_default)
+(type hal_weaver_citadel)
+(type hal_weaver_default)
+(type hal_wifi_default)
+(type hal_wifi_ext)
+(type hal_wifi_hostapd_default)
+(type hal_wifi_supplicant_default)
+(type hal_wlc)
+(type hardware_info_app)
+(type hardware_properties_service)
+(type hbmsvmanager_app)
+(type healthd)
+(type heapprofd)
+(type heapprofd_socket)
+(type heapprofd_tmpfs)
+(type hidl_allocator_hwservice)
+(type hidl_lazy_test_server)
+(type hidl_manager_hwservice)
+(type hidl_memory_hwservice)
+(type hidl_token_hwservice)
+(type hint_service)
+(type hwbinder_device)
+(type hwservicemanager)
+(type hwservicemanager_prop)
+(type idmap)
+(type imms_service)
+(type ims)
+(type incident)
+(type incidentd)
+(type incident_helper)
+(type init)
+(type init_citadel)
+(type init_dp)
+(type init-insmod-sh)
+(type init-mm-logging-sh)
+(type init-qti-keymaster-sh)
+(type init_radio)
+(type init-thermal-logging-sh)
+(type init-thermal-symlinks-sh)
+(type inputflinger)
+(type input_method_service)
+(type input_service)
+(type installd)
+(type ion_device)
+(type IProxyService_service)
+(type ipsec_service)
+(type irsc_util)
+(type isolated_app)
+(type iw)
+(type kernel)
+(type keystore)
+(type launcherapps_service)
+(type legacy_permission_service)
+(type light_service)
+(type linkerconfig)
+(type llkd)
+(type lmkd)
+(type locale_service)
+(type location)
+(type logd)
+(type logger_app)
+(type logpersist)
+(type lpdumpd)
+(type mdm_helper)
+(type mdnsd)
+(type mediacodec)
+(type media_communication_service)
+(type mediadrmserver)
+(type mediaextractor)
+(type mediaextractor_service)
+(type mediametrics)
+(type mediametrics_service)
+(type media_projection_service)
+(type mediaprovider)
+(type mediaprovider_app)
+(type media_router_service)
+(type mediaserver)
+(type mediaserver_service)
+(type media_session_service)
+(type mediaswcodec)
+(type mediatranscoding)
+(type mediatuner)
+(type media_variant_prop)
+(type memtrackproxy_service)
+(type midi_service)
+(type migrate_legacy_obb_data)
+(type mm_events)
+(type modem_diagnostic_app)
+(type modem_svc)
+(type modprobe)
+(type msm_irqbalanced)
+(type mtectrl)
+(type mtp)
+(type netd)
+(type netmgrd)
+(type netpolicy_service)
+(type netstats_service)
+(type netutils_wrapper)
+(type network_management_service)
+(type network_stack)
+(type nfc)
+(type nnapi_ext_deny_product_prop)
+(type notification_service)
+(type obdm_app)
+(type odrefresh)
+(type odsign)
+(type omadm_app)
+(type oslo_app)
+(type otapreopt_chroot)
+(type otapreopt_slot)
+(type package_service)
+(type perfetto)
+(type performanced)
+(type permission_checker_service)
+(type permissioncontroller_app)
+(type permissionmgr_service)
+(type permission_service)
+(type pixelstats_system)
+(type pixelstats_vendor)
+(type pixel-thermal-control-sh)
+(type platform_app)
+(type platform_compat_service)
+(type port-bridge)
+(type postinstall)
+(type postinstall_dexopt)
+(type power_service)
+(type ppp)
+(type preloads_copy)
+(type preopt2cachename)
+(type priv_app)
+(type procstats_service)
+(type profcollectd)
+(type profman)
+(type qlogd)
+(type qrtr)
+(type qtelephony)
+(type qtidataservices_app)
+(type qti_init_shell)
+(type racoon)
+(type radio)
+(type radio_data_file)
+(type ramdump_app)
+(type ramoops)
+(type recovery)
+(type recovery_persist)
+(type recovery_refresh)
+(type registry_service)
+(type remote_prov_app)
+(type remount)
+(type restrictions_service)
+(type rfs_access)
+(type ril_config_service_app)
+(type rild)
+(type rlsservice)
+(type rmt_storage)
+(type rs)
+(type rss_hwm_reset)
+(type rttmanager_service)
+(type runas)
+(type runas_app)
+(type same_process_hal_file)
+(type sdcardd)
+(type sdk_sandbox)
+(type sdk_sandbox_data_file)
+(type sdk_sandbox_system_data_file)
+(type search_service)
+(type sec_nvm)
+(type secure_element)
+(type secure_ui_service_app)
+(type selection_toolbar_service)
+(type sensor_privacy_service)
+(type sensors)
+(type sensorservice_service)
+(type servicediscovery_service)
+(type servicemanager)
+(type settings_service)
+(type sgdisk)
+(type shared_relro)
+; (type shell)
+(type simpleperf)
+(type simpleperf_app_runner)
+(type simpleperf_boot)
+(type slideshow)
+(type smcinvoke_daemon)
+(type snapshotctl)
+(type snapuserd)
+(type spdaemon)
+(type speech_recognition_service)
+(type sprint_hidden_menu)
+(type ssr_detector_app)
+(type stats)
+(type statsd)
+(type statusbar_service)
+(type storaged)
+(type storagestats_service)
+(type su)
+(type surfaceflinger)
+(type surfaceflinger_service)
+(type sysfs_gpu)
+(type system_app)
+(type system_linker_exec)
+(type system_server)
+(type system_server_startup)
+(type system_suspend)
+(type tcpdump_logger)
+(type tee)
+(type telecom_service)
+(type tethering_service)
+(type textclassification_service)
+(type textclassifier_data_file)
+(type textservices_service)
+(type texttospeech_service)
+(type thermal-engine)
+(type thermal_service)
+(type time_daemon)
+(type timeservice_app)
+(type tmpfs)
+(type tombstoned)
+(type toolbox)
+(type traced)
+(type traced_perf)
+(type traced_perf_socket)
+(type traced_probes)
+(type traced_producer_socket)
+(type traced_tmpfs)
+(type traceur_app)
+(type translation_service)
+(type tv_iapp_service)
+(type tv_input_service)
+(type twoshay)
+(type ueventd)
+(type uimode_service)
+(type uncrypt)
+(type untrusted_app)
+(type untrusted_app_25)
+(type untrusted_app_27)
+(type untrusted_app_29)
+(type untrusted_app_30)
+(type update_engine)
+(type update_verifier)
+(type usbd)
+(type uscc_omadm)
+(type uv_exposure_reporter)
+(type vcn_management_service)
+(type vdc)
+(type vehicle_binding_util)
+(type vendor_boringssl_self_test)
+(type vendor_file)
+(type vendor_ia_crash_dump)
+(type vendor_init)
+(type vendor_install_recovery)
+(type vendor_misc_writer)
+(type vendor_modprobe)
+(type vendor_pd_mapper)
+(type vendor_per_mgr)
+(type vendor_shell)
+(type vendor_ssr_diag)
+(type vendor_ssr_setup)
+(type vendor_subsystem_ramdump)
+(type viewcompiler)
+(type virtualizationservice)
+(type virtual_touchpad)
+(type vndservicemanager)
+(type vold)
+(type vold_prepare_subdirs)
+(type vzw_omadm_connmo)
+(type vzw_omadm_dcmo)
+(type vzw_omadm_diagmon)
+(type vzw_omadm_trigger)
+(type vzwomatrigger_app)
+(type wait_for_keymaster)
+(type wait_for_strongbox)
+(type watchdogd)
+(type wcnss_service)
+(type webviewupdate_service)
+(type webview_zygote)
+(type wfc_activation_app)
+(type wificond)
+(type wifidisplayhalservice_qti)
+(type wifi_sniffer)
+(type wigighalsvc)
+(type wigignpt)
+(type wpantund)
+(type zygote)
+
+(type boot_status_prop)
+(allow dumpstate domain (dir (ioctl read getattr lock open watch watch_reads search)))
+(allow coredomain boot_status_prop (file (read getattr map open)))
+(allow netdomain netd (unix_stream_socket (connectto)))
+(allow appdomain traced (fd (use)))

com.android.sepolicy/33/sdk_sandbox.te

@@ -0,0 +1,112 @@
+###
+### SDK Sandbox process.
+###
+### This file extends the sdk sandbox policy at system/sepolicy/private/sdk_sandbox.te
+
+typeattribute sdk_sandbox domain;
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;

private/sdk_sandbox.te

@@ -3,114 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes.
 
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
-        connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+type sdk_sandbox;
 
 ###
 ### neverallow rules