Prebuilt updates am: 448968a6d1 am: 084b293596

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2848878

Change-Id: If8cc1dbc910cb2fec2d4996c1a2f8fef602472cc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Thiébaud Weksteen 2023-11-29 06:56:58 +00:00 committed by Automerger Merge Worker
commit efa4cf8469
8 changed files with 138 additions and 87 deletions


@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;
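Review bot: The comment on `attribute sdk_sandbox_current;` describes membership but not its effect: with this commit, allow rules are attached to the attribute itself (the service_manager find allowlist in the new sdk_sandbox_current policy file), so declaring a domain with this attribute is a grant of that whole list, not just a grouping. Suggest `# The SDK sandbox domains for the current SDK level. Rules written against this attribute apply to every member domain, so adding a domain here grants it the shared allowlist.` The hunk header (4 old, 5 new) shows one line added but the rendering does not mark which one; the attribute declaration is presumably the addition.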


@ -82,4 +82,5 @@
hal_can_controller_service
zoned_block_device
future_pm_prop
vfio_device
))


@ -1426,9 +1426,6 @@ remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
# Hostname for the remote provisioning server a device should communicate with
remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
# Indicates the system should use rkpd instead of RemoteProvisioner
remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int


@ -3,89 +3,7 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox_34 {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
cameraserver_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
ephemeral_app_api_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediadrmserver_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
radio_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;
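Review bot: The header comment kept in this hunk (`This file defines the security policy for the sdk sandbox processes for targetSdkVersion=34`) no longer describes the file once the service allowlist moves out: after the change the domain's service access comes entirely through the `sdk_sandbox_current` attribute added on the `type` line, and a reader of this file alone cannot see where those rules live. Suggest extending the header with `### Rules shared by all current-level sandbox domains are attached to the sdk_sandbox_current attribute; see the sdk_sandbox_current policy file.` The removed allow block is history and is not re-raised here; the rest of the file continues past the hunk.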


@ -0,0 +1,34 @@
###
### SDK Sandbox process.
###
### This file defines the audit sdk sandbox security policy for
### the set of restrictions proposed for the next SDK level.
###
### The sdk_sandbox_audit domain has the same rules as the
### sdk_sandbox_current domain and additional auditing rules
### for the accesses we are considering forbidding in the upcoming
### sdk_sandbox_next domain.
type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
net_domain(sdk_sandbox_audit)
app_domain(sdk_sandbox_audit)
# Auditallow rules for accesses that are currently allowed but we
# might remove in the future.
auditallow sdk_sandbox_audit {
cameraserver_service
ephemeral_app_api_service
mediadrmserver_service
radio_service
}:service_manager find;
auditallow sdk_sandbox_audit {
property_type
-system_property_type
}:file rw_file_perms;
auditallow sdk_sandbox_audit {
property_type
-system_property_type
}:dir rw_dir_perms;
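Review bot: The `auditallow` rules in this new file only produce audit records for accesses that some `allow` rule already grants; this file grants nothing itself, so coverage of the four services and the `property_type -system_property_type` file/dir access depends on rules attached elsewhere (the sdk_sandbox_current attribute, app_domain, net_domain), and the header does not say so. Suggest a comment above the first auditallow: `# auditallow grants nothing; it logs accesses that sdk_sandbox_current / app_domain / net_domain already allow. Keep this list in sync with what sdk_sandbox_next removes.` The header says the list mirrors what is proposed for forbidding in sdk_sandbox_next, but nothing here references that policy, so the two lists can drift silently; naming the source of truth in the comment makes the intended coupling visible to the next editor. The four service names listed are all still present in the sdk_sandbox_current allowlist added in this commit, so the audit rules are effective today, which is presumably the intent.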


@ -0,0 +1,87 @@
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for the current SDK level.
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox_current {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
cameraserver_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
ephemeral_app_api_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediadrmserver_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
radio_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;
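Review bot: The `allow sdk_sandbox_current { ... }:service_manager find;` rule is written against an attribute rather than a single domain, so every domain declared with `sdk_sandbox_current` (sdk_sandbox_34 and sdk_sandbox_audit in this commit) receives the whole list, and the file does not state this. The header says the file defines policy "for the current SDK level" yet declares no `type`, which will surprise readers expecting a domain file. Suggest adding to the header: `### No domain is declared here. These rules apply to every domain carrying the sdk_sandbox_current attribute; the concrete domains are declared in their own policy files.`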


@ -13,6 +13,7 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@ -48,9 +49,19 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
# as the current dessert release, with additional auditing rules for the accesses
# we are considering forbidding in the upcoming release.
#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
#
# isSdkSandboxAudit=true means sdk sandbox processes will get
# sdk_sandbox_audit sepolicy applied to them.
# An unspecified isSdkSandboxAudit defaults to false.
#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@ -171,6 +182,7 @@ user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
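Review bot: The new `user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit ...` entry and the existing `isSdkSandboxNext=true` entry both extend the plain `user=_sdksandbox` entry by one boolean selector, and the added comment block does not say what happens when a process is started with both booleans true; whichever entry seapp_context_cmp() orders first will win, and that ordering is not restated here. If the two selectors are meant to be mutually exclusive, say so next to the new documentation: `# isSdkSandboxNext and isSdkSandboxAudit are not expected to be set together; if both are true, entry precedence (seapp_context_cmp) decides which domain applies.` The documentation also states a default only for isSdkSandboxAudit (`An unspecified isSdkSandboxAudit defaults to false.`); stating the same for isSdkSandboxNext in the same block would keep the two selectors documented symmetrically, though that line is context rather than new code.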


@ -88,4 +88,5 @@
hal_can_controller_service
zoned_block_device
future_pm_prop
vfio_device
))