From e6971f1330ae79fd2e2b7cdfd1c88d54fbc57aec Mon Sep 17 00:00:00 2001
From: sandrom
Date: Tue, 31 May 2022 08:50:55 +0000
Subject: [PATCH] Move parts of sdk_sandbox from private to apex policy

Bug: 236691128
Test: atest SeamendcHostTest
Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
---
 Android.bp | 75 ++-
 build/soong/policy.go | 35 +-
 .../33/definitions/definitions.cil | 527 ++++++++++++++++++
 com.android.sepolicy/33/sdk_sandbox.te | 112 ++++
 private/sdk_sandbox.te | 109 +---
 5 files changed, 737 insertions(+), 121 deletions(-)
 create mode 100644 com.android.sepolicy/33/definitions/definitions.cil
 create mode 100644 com.android.sepolicy/33/sdk_sandbox.te
diff --git a/Android.bp b/Android.bp
index 467f80e19..0770a6498 100644
--- a/Android.bp
+++ b/Android.bp
@@ -373,19 +373,44 @@ se_policy_cil {
 additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
 }
-
 se_policy_conf {
 name: "apex_sepolicy-33.conf",
- srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy +
+ ["com.android.sepolicy/33/*.te"],
 installable: false,
 }
 se_policy_cil {
 name: "apex_sepolicy-33.cil",
 src: ":apex_sepolicy-33.conf",
- filter_out: [":plat_sepolicy.cil"],
+ filter_out: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ],
 installable: false,
 stem: "apex_sepolicy.cil",
+ remove_line_marker: true,
+}
+
+se_policy_cil {
+ name: "decompiled_sepolicy-without_apex.cil",
+ src: ":precompiled_sepolicy-without_apex",
+ decompile_binary: true,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-decompiled.cil",
+ src: ":precompiled_sepolicy",
+ decompile_binary: true,
+ filter_out: [":decompiled_sepolicy-without_apex.cil"],
+ additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+ secilc_check: false,
 }
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
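Review bot: `secilc_check: false` on `apex_sepolicy-decompiled.cil` turns off the only validation of that module's output, and the hunk gives no reason; a comment on that line should say why that is safe, e.g. `// The decompiled-and-filtered output is a policy fragment, not a loadable policy, so secilc cannot validate it on its own.` if that is the reason (inferred from the filter_out against the no-apex decompile). It would also help to state what consumes `decompiled_sepolicy-without_apex.cil` and `apex_sepolicy-decompiled.cil`, since neither is referenced elsewhere in this patch; the commit message names `SeamendcHostTest`, so presumably that test. The new `filter_out` entries `:system_ext_sepolicy.cil` and `:product_sepolicy.cil` mirror the `*_public_policy`/`*_private_policy` sources added to `apex_sepolicy-33.conf`, which is worth a one-line comment so the two lists are kept in step.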
@@ -896,6 +921,50 @@ precompiled_se_policy_binary {
 },
 }
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy-without_apex",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
 // policy for recovery
 se_policy_conf {
 name: "recovery_sepolicy.conf",
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3946a0424..380faff28 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,6 +287,10 @@ type policyCilProperties struct {
 // Policy file to be compiled to cil file.
 Src *string `android:"path"`
+ // If true, the input policy file is a binary policy that will be decompiled to a cil file.
+ // Defaults to false.
+ Decompile_binary *bool
+
 // Additional cil files to be added in the end of the output. This is to support workarounds
 // which are not supported by the policy language.
 Additional_cil_files []string `android:"path"`
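Review bot: `precompiled_sepolicy-without_apex` carries a full copy of the `srcs`, `soong_config_variables`, `required` and `dist` blocks, and the context lines above suggest it sits directly beneath a `precompiled_se_policy_binary` of the same shape; a header comment should name that sibling module and the one intended difference so the two do not drift, e.g. `// Same inputs as the module above minus the apex policy; only used to recover the apex-contributed rules by diffing against precompiled_sepolicy.` (purpose inferred from how `decompiled_sepolicy-without_apex.cil` consumes it). `ignore_neverallow: true` under `IS_TARGET_MIXED_SEPOLICY` is copied along with everything else; if this binary is only ever decompiled and diffed, never installed, a comment saying so would reassure a reader that skipping the neverallow check here cannot reach a device.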
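Review bot: The doc comment on `Src` in the context lines still reads `// Policy file to be compiled to cil file.`, which is no longer accurate once `Decompile_binary` is set; change it to `// Policy file to be compiled to cil file, or a binary policy to be decompiled when decompile_binary is true.` The comment on the new property could also say that `Filter_out` and `Additional_cil_files` still apply to the decompiled output, since `apex_sepolicy-decompiled.cil` in Android.bp relies on exactly that.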
@@ -338,17 +342,22 @@ func (c *policyCil) stem() string {
 func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
 cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
 rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
- Flag("-C"). // Write CIL
- Flag("-M"). // Enable MLS
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- FlagWithOutput("-o ", cil).
- Input(conf)
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
+ if proptools.Bool(c.properties.Decompile_binary) {
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-b"). // Read binary
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
+ } else {
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
 }
 if len(c.properties.Filter_out) > 0 {
@@ -359,6 +368,12 @@ func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Pat
 FlagWithOutput("-t ", cil)
 }
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
 if proptools.Bool(c.properties.Remove_line_marker) {
 rule.Command().Text("grep -v").
 Text(proptools.ShellEscape(";;")).
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 000000000..06f732615
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
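Review bot: The two branches of the new `if proptools.Bool(c.properties.Decompile_binary)` build the same `checkpolicy` command and differ only in `Flag("-b")`, so every later change to the flag list has to be made twice; building the command once and adding `-b` conditionally removes the duplication (rewrite below). The second hunk moves the `cat` of `Additional_cil_files` from before the `Filter_out` step to after it, so appended cil is no longer subject to `filter_out` for any module that sets both; that is what `apex_sepolicy-decompiled.cil` needs, but it is a behaviour change for existing modules and deserves a why-comment such as `// Appended after filtering so additional cil files are never filtered out.` on the moved block. `compileConfToCil` continues past the end of the second hunk.
```go
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
	cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
	rule := android.NewRuleBuilder(pctx, ctx)
	// One checkpolicy invocation; -b switches the input from a policy.conf to a binary policy.
	cmd := rule.Command().BuiltTool("checkpolicy")
	if proptools.Bool(c.properties.Decompile_binary) {
		cmd.Flag("-b") // Read binary
	}
	cmd.Flag("-C"). // Write CIL
		Flag("-M"). // Enable MLS
		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
		FlagWithOutput("-o ", cil).
		Input(conf)

	// … unchanged: Filter_out step, Additional_cil_files cat, Remove_line_marker and the rest of the function …
```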
@@ -0,0 +1,527 @@ +(sid test) +(sidorder (test)) + +(classorder (file service_manager fd sock_file unix_stream_socket process dir udp_socket anon_inode fifo_file lnk_file unix_dgram_socket lockdown netlink_route_socket tcp_socket rawip_socket icmp_socket chr_file binder hwservice_manager)) + +;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;; +(type shell) +(type sepolicy_test_file) +(class file (ioctl read write getattr lock map open watch watch_reads execute_no_trans append create setattr unlink rename execute relabelfrom relabelto link watch_mount watch_sb watch_with_perm entrypoint execmod audit_access mounton quotaon)) + +;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;; +(role r) +(role object_r) + +(class service_manager (add find list )) +(class sock_file (write)) +(class fd (use )) +(class unix_stream_socket (ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown connectto)) +(class process (fork sigchld sigkill sigstop signull ptrace transition signal siginh rlimitinh getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit execmem dyntransition noatsecure)) +(class dir (ioctl read write create getattr setattr lock rename open watch watch_reads relabelfrom relabelto append map unlink link add_name remove_name reparent search rmdir execute quotaon watch_with_perm watch_sb watch_mount execmod audit_access mounton)) +(class udp_socket (ioctl read write getattr setattr connect getopt setopt recvfrom sendto node_bind name_bind create lock append map bind shutdown)) +(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads)) +(class unix_dgram_socket (ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown sendto)) +(class fifo_file (ioctl read write getattr lock append map open 
watch watch_reads)) +(class lnk_file (ioctl read getattr lock map open watch watch_reads)) +(class lockdown (confidentiality)) +(class netlink_route_socket (read write create getattr setattr lock append connect getopt setopt shutdown nlmsg_read bind nlmsg_getneigh nlmsg_readpriv)) +(class tcp_socket (node_bind name_bind ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown)) +(class rawip_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown)) +(class icmp_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown)) +(class binder (call transfer)) +(class chr_file (ioctl read write getattr lock append map open watch watch_reads)) +(class hwservice_manager (find)) + +(typeattribute domain) +(typeattribute coredomain) +(typeattribute netdomain) +(typeattribute appdomain) + +(type activity_service) +(type activity_task_service) +(type adbd) +(type adsprpcd) +(type aidl_lazy_test_server) +(type airbrush) +(type apexd) +(type apexd_derive_classpath) +(type apex_test_prepostinstall) +(type appdomain_tmpfs) +(type appops_service) +(type app_zygote) +(type artd) +(type atrace) +(type audioserver) +(type audioserver_service) +(type audio_service) +(type auditctl) +(type automotive_display_service) +(type batteryproperties_service) +(type batterystats_service) +(type binder_device) +(type blank_screen) +(type blkid) +(type blkid_untrusted) +(type bluetooth) +(type bootanim) +(type bootstat) +(type boringssl_self_test) +(type bpfloader) +(type bt_logger) +(type bufferhubd) +(type cameraserver) +(type canhalconfigurator) +(type cbrs_setup_app) +(type cdsprpcd) +(type charger) +(type charger_vendor) +(type chre) +(type citadeld) +(type citadel_provision) +(type clatd) +(type cnd) +(type codec2_config_prop) +(type color_init) +(type composd) +(type compos_fd_server) +(type compos_verify) +(type con_monitor_app) +(type 
connectivity_service) +(type connmetrics_service) +(type cppreopts) +(type crash_dump) +(type crash_dump_exec) +(type credstore) +(type crosvm) +(type dataservice_app) +(type derive_classpath) +(type derive_sdk) +(type device_config_nnapi_native_prop) +(type device_drop_monitor) +(type deviceidle_service) +(type dex2oat) +(type dexoptanalyzer) +(type dhcp) +(type diag) +(type diced) +(type display_service) +(type dmabuf_system_heap_device) +(type dmabuf_system_secure_heap_device) +(type dmesgd) +(type dnsmasq) +(type drmserver) +(type dropbox_service) +(type dumpstate) +(type e2fs) +(type ephemeral_app) +(type evsmanagerd) +(type extra_free_kbytes) +(type face_debug) +(type fastbootd) +(type fingerprintd) +(type flags_health_check) +(type font_service) +(type fsck) +(type fsck_untrusted) +(type fstman) +(type fsverity_init) +(type fwk_bufferhub) +(type game_service) +(type gatekeeperd) +(type gki_apex_prepostinstall) +(type gmscore_app) +(type google_camera_app) +(type google_touch_app) +(type gpu_device) +(type gpu_service) +(type gpuservice) +(type graphicsstats_service) +(type grilservice_app) +(type gsid) +(type hal_allocator_default) +(type hal_allocator_server) +(type hal_atrace_default) +(type hal_audiocontrol_default) +(type hal_audio_default) +(type hal_authsecret_default) +(type hal_bluetooth_btlinux) +(type hal_bluetooth_default) +(type hal_bluetooth_qti) +(type hal_bootctl_default) +(type hal_broadcastradio_default) +(type hal_camera_default) +(type hal_can_socketcan) +(type hal_cas_default) +(type hal_cas_hwservice) +(type hal_cas_server) +(type hal_codec2_hwservice) +(type hal_codec2_server) +(type hal_configstore_default) +(type hal_configstore_ISurfaceFlingerConfigs) +(type hal_configstore_server) +(type hal_confirmationui_default) +(type hal_contexthub_default) +(type hal_dice_default) +(type hal_display_color_default) +(type hal_drm_clearkey) +(type hal_drm_clearkey_aidl) +(type hal_drm_default) +(type hal_drm_server) +(type hal_drm_widevine) 
+(type hal_dumpstate_default) +(type hal_dumpstate_impl) +(type hal_evs_default) +(type hal_face_default) +(type hal_fingerprint_default) +(type hal_gatekeeper_default) +(type hal_gatekeeper_qti) +(type hal_gnss_default) +(type hal_gnss_qti) +(type hal_graphics_allocator_default) +(type hal_graphics_allocator_hwservice) +(type hal_graphics_allocator_server) +(type hal_graphics_allocator_service) +(type hal_graphics_composer_default) +(type hal_graphics_mapper_hwservice) +(type hal_health_default) +(type hal_health_storage_default) +(type hal_identity_citadel) +(type hal_identity_default) +(type hal_imsrtp) +(type hal_input_classifier_default) +(type hal_input_processor_default) +(type hal_ir_default) +(type hal_keymaster_citadel) +(type hal_keymaster_default) +(type hal_keymaster_qti) +(type hal_keymint_citadel) +(type hal_keymint_default) +(type hal_light_default) +(type hal_lowpan_default) +(type hal_memtrack_default) +(type hal_neuralnetworks_darwinn) +(type hal_neuralnetworks_default) +(type hal_neuralnetworks_hwservice) +(type hal_neuralnetworks_server) +(type hal_neuralnetworks_service) +(type hal_nfc_default) +(type hal_oemlock_default) +(type hal_omx_hwservice) +(type hal_omx_server) +(type hal_power_default) +(type hal_power_stats_default) +(type hal_qseecom_default) +(type hal_qteeconnector_qti) +(type hal_radio_config_default) +(type hal_radio_default) +(type hal_radioext_default) +(type hal_rcsservice) +(type hal_rebootescrow_citadel) +(type hal_rebootescrow_default) +(type hal_renderscript_hwservice) +(type hal_secure_element_default) +(type hal_sensors_default) +(type hal_tetheroffload_default) +(type hal_thermal_default) +(type hal_tui_comm_qti) +(type hal_tv_cec_default) +(type hal_tv_input_default) +(type hal_tv_tuner_default) +(type hal_tv_tuner_server) +(type hal_usb_default) +(type hal_usb_gadget_default) +(type hal_usb_gadget_impl) +(type hal_usb_impl) +(type hal_uwb_default) +(type hal_vehicle_default) +(type hal_vibrator_default) +(type 
hal_vr_default) +(type hal_weaver_citadel) +(type hal_weaver_default) +(type hal_wifi_default) +(type hal_wifi_ext) +(type hal_wifi_hostapd_default) +(type hal_wifi_supplicant_default) +(type hal_wlc) +(type hardware_info_app) +(type hardware_properties_service) +(type hbmsvmanager_app) +(type healthd) +(type heapprofd) +(type heapprofd_socket) +(type heapprofd_tmpfs) +(type hidl_allocator_hwservice) +(type hidl_lazy_test_server) +(type hidl_manager_hwservice) +(type hidl_memory_hwservice) +(type hidl_token_hwservice) +(type hint_service) +(type hwbinder_device) +(type hwservicemanager) +(type hwservicemanager_prop) +(type idmap) +(type imms_service) +(type ims) +(type incident) +(type incidentd) +(type incident_helper) +(type init) +(type init_citadel) +(type init_dp) +(type init-insmod-sh) +(type init-mm-logging-sh) +(type init-qti-keymaster-sh) +(type init_radio) +(type init-thermal-logging-sh) +(type init-thermal-symlinks-sh) +(type inputflinger) +(type input_method_service) +(type input_service) +(type installd) +(type ion_device) +(type IProxyService_service) +(type ipsec_service) +(type irsc_util) +(type isolated_app) +(type iw) +(type kernel) +(type keystore) +(type launcherapps_service) +(type legacy_permission_service) +(type light_service) +(type linkerconfig) +(type llkd) +(type lmkd) +(type locale_service) +(type location) +(type logd) +(type logger_app) +(type logpersist) +(type lpdumpd) +(type mdm_helper) +(type mdnsd) +(type mediacodec) +(type media_communication_service) +(type mediadrmserver) +(type mediaextractor) +(type mediaextractor_service) +(type mediametrics) +(type mediametrics_service) +(type media_projection_service) +(type mediaprovider) +(type mediaprovider_app) +(type media_router_service) +(type mediaserver) +(type mediaserver_service) +(type media_session_service) +(type mediaswcodec) +(type mediatranscoding) +(type mediatuner) +(type media_variant_prop) +(type memtrackproxy_service) +(type midi_service) +(type 
migrate_legacy_obb_data) +(type mm_events) +(type modem_diagnostic_app) +(type modem_svc) +(type modprobe) +(type msm_irqbalanced) +(type mtectrl) +(type mtp) +(type netd) +(type netmgrd) +(type netpolicy_service) +(type netstats_service) +(type netutils_wrapper) +(type network_management_service) +(type network_stack) +(type nfc) +(type nnapi_ext_deny_product_prop) +(type notification_service) +(type obdm_app) +(type odrefresh) +(type odsign) +(type omadm_app) +(type oslo_app) +(type otapreopt_chroot) +(type otapreopt_slot) +(type package_service) +(type perfetto) +(type performanced) +(type permission_checker_service) +(type permissioncontroller_app) +(type permissionmgr_service) +(type permission_service) +(type pixelstats_system) +(type pixelstats_vendor) +(type pixel-thermal-control-sh) +(type platform_app) +(type platform_compat_service) +(type port-bridge) +(type postinstall) +(type postinstall_dexopt) +(type power_service) +(type ppp) +(type preloads_copy) +(type preopt2cachename) +(type priv_app) +(type procstats_service) +(type profcollectd) +(type profman) +(type qlogd) +(type qrtr) +(type qtelephony) +(type qtidataservices_app) +(type qti_init_shell) +(type racoon) +(type radio) +(type radio_data_file) +(type ramdump_app) +(type ramoops) +(type recovery) +(type recovery_persist) +(type recovery_refresh) +(type registry_service) +(type remote_prov_app) +(type remount) +(type restrictions_service) +(type rfs_access) +(type ril_config_service_app) +(type rild) +(type rlsservice) +(type rmt_storage) +(type rs) +(type rss_hwm_reset) +(type rttmanager_service) +(type runas) +(type runas_app) +(type same_process_hal_file) +(type sdcardd) +(type sdk_sandbox) +(type sdk_sandbox_data_file) +(type sdk_sandbox_system_data_file) +(type search_service) +(type sec_nvm) +(type secure_element) +(type secure_ui_service_app) +(type selection_toolbar_service) +(type sensor_privacy_service) +(type sensors) +(type sensorservice_service) +(type servicediscovery_service) 
+(type servicemanager) +(type settings_service) +(type sgdisk) +(type shared_relro) +; (type shell) +(type simpleperf) +(type simpleperf_app_runner) +(type simpleperf_boot) +(type slideshow) +(type smcinvoke_daemon) +(type snapshotctl) +(type snapuserd) +(type spdaemon) +(type speech_recognition_service) +(type sprint_hidden_menu) +(type ssr_detector_app) +(type stats) +(type statsd) +(type statusbar_service) +(type storaged) +(type storagestats_service) +(type su) +(type surfaceflinger) +(type surfaceflinger_service) +(type sysfs_gpu) +(type system_app) +(type system_linker_exec) +(type system_server) +(type system_server_startup) +(type system_suspend) +(type tcpdump_logger) +(type tee) +(type telecom_service) +(type tethering_service) +(type textclassification_service) +(type textclassifier_data_file) +(type textservices_service) +(type texttospeech_service) +(type thermal-engine) +(type thermal_service) +(type time_daemon) +(type timeservice_app) +(type tmpfs) +(type tombstoned) +(type toolbox) +(type traced) +(type traced_perf) +(type traced_perf_socket) +(type traced_probes) +(type traced_producer_socket) +(type traced_tmpfs) +(type traceur_app) +(type translation_service) +(type tv_iapp_service) +(type tv_input_service) +(type twoshay) +(type ueventd) +(type uimode_service) +(type uncrypt) +(type untrusted_app) +(type untrusted_app_25) +(type untrusted_app_27) +(type untrusted_app_29) +(type untrusted_app_30) +(type update_engine) +(type update_verifier) +(type usbd) +(type uscc_omadm) +(type uv_exposure_reporter) +(type vcn_management_service) +(type vdc) +(type vehicle_binding_util) +(type vendor_boringssl_self_test) +(type vendor_file) +(type vendor_ia_crash_dump) +(type vendor_init) +(type vendor_install_recovery) +(type vendor_misc_writer) +(type vendor_modprobe) +(type vendor_pd_mapper) +(type vendor_per_mgr) +(type vendor_shell) +(type vendor_ssr_diag) +(type vendor_ssr_setup) +(type vendor_subsystem_ramdump) +(type viewcompiler) +(type 
virtualizationservice) +(type virtual_touchpad) +(type vndservicemanager) +(type vold) +(type vold_prepare_subdirs) +(type vzw_omadm_connmo) +(type vzw_omadm_dcmo) +(type vzw_omadm_diagmon) +(type vzw_omadm_trigger) +(type vzwomatrigger_app) +(type wait_for_keymaster) +(type wait_for_strongbox) +(type watchdogd) +(type wcnss_service) +(type webviewupdate_service) +(type webview_zygote) +(type wfc_activation_app) +(type wificond) +(type wifidisplayhalservice_qti) +(type wifi_sniffer) +(type wigighalsvc) +(type wigignpt) +(type wpantund) +(type zygote) + +(type boot_status_prop) +(allow dumpstate domain (dir (ioctl read getattr lock open watch watch_reads search))) +(allow coredomain boot_status_prop (file (read getattr map open))) +(allow netdomain netd (unix_stream_socket (connectto))) +(allow appdomain traced (fd (use))) diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te new file mode 100644 index 000000000..f3f9a6792 --- /dev/null +++ b/com.android.sepolicy/33/sdk_sandbox.te 
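Review bot: The new file has no header saying what it is for or how it was produced, and its content (several hundred `(type …)` declarations plus class, role and attribute definitions, grouped under `;;;; shell.te ;;;;` and `;;;; sdk_sandbox.te ;;;;` markers) reads as a hand-curated set of the declarations the filtered apex cil needs to stand on its own; a header comment in cil `;` syntax should say that, name the Android.bp module that appends it (`apex_sepolicy-decompiled.cil`) and describe how to regenerate the list when a `.te` file in the apex gains a new type or class. Many entries are device- or vendor-specific (`hal_keymaster_qti`, `init_citadel`, `google_camera_app`, among others), which suggests the list was captured from one particular build; if so, the header should say which, because the decompile-and-filter step in Android.bp will presumably misbehave on a build whose policy lacks one of these types. The four `allow` rules at the end are the only rules in a file otherwise made of declarations, so each needs a one-line `;` comment stating why it must be present here, and `; (type shell)` should say it is commented out because `shell` is already declared in the `shell.te` section above.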
@@ -0,0 +1,112 @@
+###
+### SDK Sandbox process.
+###
+### This file extends the sdk sandbox policy at system/sepolicy/private/sdk_sandbox.te
+
+typeattribute sdk_sandbox domain;
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf33..1bb2c2108 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
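Review bot: The comment above `perfetto_producer(sdk_sandbox)` carries the typo `traced damon`, which the move copied verbatim; change it to `# Write app-specific trace data to the Perfetto traced daemon. This requires`. The header says this file extends `system/sepolicy/private/sdk_sandbox.te`, but a reader here cannot see that the type declaration and the `neverallow` rules bounding `sdk_sandbox` stay in that private file (the last hunk of this patch leaves its `### neverallow rules` section in place); adding `### The type declaration and all neverallow rules remain in private/sdk_sandbox.te.` to the header would make the split explicit. The `TODO(b/211632068)` `auditallow` on `audio_service` moves into the apex unchanged, so that bug should now track this file as the place to remove it from.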
@@ -3,114 +3,7 @@ ### ### This file defines the security policy for the sdk sandbox processes. -type sdk_sandbox, domain; - -typeattribute sdk_sandbox coredomain; - -net_domain(sdk_sandbox) -app_domain(sdk_sandbox) - -# Allow finding services. This is different from ephemeral_app policy. -# Adding services manually to the allowlist is preferred hence app_api_service is not used. -# Audit the access to signal that we are still investigating whether sdk_sandbox -# should have access to audio_service -# TODO(b/211632068): remove this line -auditallow sdk_sandbox audio_service:service_manager find; - -allow sdk_sandbox activity_service:service_manager find; -allow sdk_sandbox activity_task_service:service_manager find; -allow sdk_sandbox appops_service:service_manager find; -allow sdk_sandbox audio_service:service_manager find; -allow sdk_sandbox audioserver_service:service_manager find; -allow sdk_sandbox batteryproperties_service:service_manager find; -allow sdk_sandbox batterystats_service:service_manager find; -allow sdk_sandbox connectivity_service:service_manager find; -allow sdk_sandbox connmetrics_service:service_manager find; -allow sdk_sandbox deviceidle_service:service_manager find; -allow sdk_sandbox display_service:service_manager find; -allow sdk_sandbox dropbox_service:service_manager find; -allow sdk_sandbox font_service:service_manager find; -allow sdk_sandbox game_service:service_manager find; -allow sdk_sandbox gpu_service:service_manager find; -allow sdk_sandbox graphicsstats_service:service_manager find; -allow sdk_sandbox hardware_properties_service:service_manager find; -allow sdk_sandbox hint_service:service_manager find; -allow sdk_sandbox imms_service:service_manager find; -allow sdk_sandbox input_method_service:service_manager find; -allow sdk_sandbox input_service:service_manager find; -allow sdk_sandbox IProxyService_service:service_manager find; -allow sdk_sandbox ipsec_service:service_manager find; -allow sdk_sandbox 
launcherapps_service:service_manager find; -allow sdk_sandbox legacy_permission_service:service_manager find; -allow sdk_sandbox light_service:service_manager find; -allow sdk_sandbox locale_service:service_manager find; -allow sdk_sandbox media_communication_service:service_manager find; -allow sdk_sandbox mediaextractor_service:service_manager find; -allow sdk_sandbox mediametrics_service:service_manager find; -allow sdk_sandbox media_projection_service:service_manager find; -allow sdk_sandbox media_router_service:service_manager find; -allow sdk_sandbox mediaserver_service:service_manager find; -allow sdk_sandbox media_session_service:service_manager find; -allow sdk_sandbox memtrackproxy_service:service_manager find; -allow sdk_sandbox midi_service:service_manager find; -allow sdk_sandbox netpolicy_service:service_manager find; -allow sdk_sandbox netstats_service:service_manager find; -allow sdk_sandbox network_management_service:service_manager find; -allow sdk_sandbox notification_service:service_manager find; -allow sdk_sandbox package_service:service_manager find; -allow sdk_sandbox permission_checker_service:service_manager find; -allow sdk_sandbox permission_service:service_manager find; -allow sdk_sandbox permissionmgr_service:service_manager find; -allow sdk_sandbox platform_compat_service:service_manager find; -allow sdk_sandbox power_service:service_manager find; -allow sdk_sandbox procstats_service:service_manager find; -allow sdk_sandbox registry_service:service_manager find; -allow sdk_sandbox restrictions_service:service_manager find; -allow sdk_sandbox rttmanager_service:service_manager find; -allow sdk_sandbox search_service:service_manager find; -allow sdk_sandbox selection_toolbar_service:service_manager find; -allow sdk_sandbox sensor_privacy_service:service_manager find; -allow sdk_sandbox sensorservice_service:service_manager find; -allow sdk_sandbox servicediscovery_service:service_manager find; -allow sdk_sandbox 
settings_service:service_manager find; -allow sdk_sandbox speech_recognition_service:service_manager find; -allow sdk_sandbox statusbar_service:service_manager find; -allow sdk_sandbox storagestats_service:service_manager find; -allow sdk_sandbox surfaceflinger_service:service_manager find; -allow sdk_sandbox telecom_service:service_manager find; -allow sdk_sandbox tethering_service:service_manager find; -allow sdk_sandbox textclassification_service:service_manager find; -allow sdk_sandbox textservices_service:service_manager find; -allow sdk_sandbox texttospeech_service:service_manager find; -allow sdk_sandbox thermal_service:service_manager find; -allow sdk_sandbox translation_service:service_manager find; -allow sdk_sandbox tv_iapp_service:service_manager find; -allow sdk_sandbox tv_input_service:service_manager find; -allow sdk_sandbox uimode_service:service_manager find; -allow sdk_sandbox vcn_management_service:service_manager find; -allow sdk_sandbox webviewupdate_service:service_manager find; - -allow sdk_sandbox system_linker_exec:file execute_no_trans; - -# Write app-specific trace data to the Perfetto traced damon. This requires -# connecting to its producer socket and obtaining a (per-process) tmpfs fd. -perfetto_producer(sdk_sandbox) - -# Allow profiling if the app opts in by being marked profileable/debuggable. 
-can_profile_heap(sdk_sandbox) -can_profile_perf(sdk_sandbox) - -# allow sdk sandbox to use UDP sockets provided by the system server but not -# modify them other than to connect -allow sdk_sandbox system_server:udp_socket { - connect getattr read recvfrom sendto write getopt setopt }; - -# allow sandbox to search in sdk system server directory -# additionally, for webview to work, getattr has been permitted -allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search }; -# allow sandbox to create files and dirs in sdk data directory -allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms; -allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms; +type sdk_sandbox; ### ### neverallow rules
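Review bot: The file header in the context lines, `### This file defines the security policy for the sdk sandbox processes.`, is no longer accurate: after this hunk the file holds only `type sdk_sandbox;` and the neverallow section that follows, while every allow rule now lives in `com.android.sepolicy/33/sdk_sandbox.te`. Change it to `### This file declares the sdk_sandbox type and its neverallow rules; the allow rules live in the apex policy at com.android.sepolicy/33/sdk_sandbox.te.` The `domain` and `coredomain` attributes are also no longer attached here, so a comment on `type sdk_sandbox;` saying that the `typeattribute` statements are in the apex policy would keep the next reader from re-adding `, domain`.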