Merge "Introduce a new sdk_sandbox domain" am: 9ee52f56bb

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2527286

Change-Id: I21fe274a202af32dec9defc33241bef7da510b51
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Mugdha Lakhani 2023-04-25 09:44:07 +00:00 committed by Automerger Merge Worker
commit ff1c4e035c
13 changed files with 335 additions and 355 deletions

View file

@ -9,7 +9,7 @@ r_dir_file({
-platform_app
-priv_app
-shell
-sdk_sandbox
-sdk_sandbox_all
-system_app
-untrusted_app_all
}, proc_net_type)
@ -23,7 +23,7 @@ userdebug_or_eng(`
-priv_app
-shell
-su
-sdk_sandbox
-sdk_sandbox_all
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@ -81,7 +81,7 @@ dontaudit appdomain system_data_file:dir write;
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@ -137,67 +137,67 @@ allow appdomain tombstone_data_file:file { getattr read };
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox)
binder_call(appdomain, sdk_sandbox_all)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# For app fuse.
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@ -223,11 +223,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@ -261,11 +261,11 @@ allow appdomain appdomain:fifo_file rw_file_perms;
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@ -411,7 +411,7 @@ allow appdomain system_data_file:lnk_file r_file_perms;
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
@ -503,7 +503,7 @@ neverallow {
nfc
radio
shared_relro
sdk_sandbox
sdk_sandbox_all
system_app
} {
data_file_type

View file

@ -10,3 +10,6 @@ attribute mlsvendorcompat;
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;

View file

@ -749,7 +749,7 @@ neverallow {
isolated_app_all
ephemeral_app
priv_app
sdk_sandbox
sdk_sandbox_all
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };

View file

@ -104,7 +104,7 @@ neverallow { isolated_app_all -isolated_compute_app } {
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket

View file

@ -1,7 +1,7 @@
# Bind to ports.
allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@ -13,7 +13,7 @@ allow {
-ephemeral_app
-mediaprovider
-priv_app
-sdk_sandbox
-sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };

View file

@ -1,304 +0,0 @@
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.
type sdk_sandbox, domain;
typeattribute sdk_sandbox coredomain;
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
# TODO(b/252967582): remove this rule if it generates too much logs traffic.
auditallow sdk_sandbox {
property_type
# remove expected properties to reduce noise.
-servicemanager_prop
-hwservicemanager_prop
-use_memfd_prop
-binder_cache_system_server_prop
-graphics_config_prop
-persist_wm_debug_prop
-aaudio_config_prop
-adbd_config_prop
-apex_ready_prop
-apexd_select_prop
-arm64_memtag_prop
-audio_prop
-binder_cache_bluetooth_server_prop
-binder_cache_telephony_server_prop
-bluetooth_config_prop
-boot_status_prop
-bootloader_prop
-bq_config_prop
-build_odm_prop
-build_prop
-build_vendor_prop
-camera2_extensions_prop
-camera_calibration_prop
-camera_config_prop
-camerax_extensions_prop
-codec2_config_prop
-config_prop
-cppreopt_prop
-dalvik_config_prop_type
-dalvik_prop
-dalvik_runtime_prop
-dck_prop
-debug_prop
-debuggerd_prop
-default_prop
-device_config_memory_safety_native_boot_prop
-device_config_memory_safety_native_prop
-device_config_nnapi_native_prop
-device_config_runtime_native_boot_prop
-device_config_runtime_native_prop
-dhcp_prop
-dumpstate_prop
-exported3_system_prop
-exported_config_prop
-exported_default_prop
-exported_dumpstate_prop
-exported_pm_prop
-exported_system_prop
-ffs_config_prop
-fingerprint_prop
-framework_status_prop
-gwp_asan_prop
-hal_instrumentation_prop
-hdmi_config_prop
-heapprofd_prop
-hw_timeout_multiplier_prop
-init_service_status_private_prop
-init_service_status_prop
-libc_debug_prop
-lmkd_config_prop
-locale_prop
-localization_prop
-log_file_logger_prop
-log_prop
-log_tag_prop
-logd_prop
-media_config_prop
-media_variant_prop
-mediadrm_config_prop
-module_sdkextensions_prop
-net_radio_prop
-nfc_prop
-nnapi_ext_deny_product_prop
-ota_prop
-packagemanager_config_prop
-pan_result_prop
-permissive_mte_prop
-persist_debug_prop
-persist_sysui_builder_extras_prop
-pm_prop
-powerctl_prop
-property_service_version_prop
-radio_control_prop
-radio_prop
-restorecon_prop
-rollback_test_prop
-sendbug_config_prop
-setupwizard_prop
-shell_prop
-soc_prop
-socket_hook_prop
-sqlite_log_prop
-storagemanager_config_prop
-surfaceflinger_color_prop
-surfaceflinger_prop
-system_prop
-system_user_mode_emulation_prop
-systemsound_config_prop
-telephony_config_prop
-telephony_status_prop
-test_harness_prop
-timezone_prop
-usb_config_prop
-usb_control_prop
-usb_prop
-userdebug_or_eng_prop
-userspace_reboot_config_prop
-userspace_reboot_exported_prop
-userspace_reboot_log_prop
-userspace_reboot_test_prop
-vendor_socket_hook_prop
-vndk_prop
-vold_config_prop
-vold_prop
-vold_status_prop
-vts_config_prop
-vts_status_prop
-wifi_log_prop
-zygote_config_prop
-zygote_wrap_prop
-init_service_status_prop
}:file { getattr open read map };
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox activity_service:service_manager find;
allow sdk_sandbox activity_task_service:service_manager find;
allow sdk_sandbox appops_service:service_manager find;
allow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox audioserver_service:service_manager find;
allow sdk_sandbox batteryproperties_service:service_manager find;
allow sdk_sandbox batterystats_service:service_manager find;
allow sdk_sandbox connectivity_service:service_manager find;
allow sdk_sandbox connmetrics_service:service_manager find;
allow sdk_sandbox deviceidle_service:service_manager find;
allow sdk_sandbox display_service:service_manager find;
allow sdk_sandbox dropbox_service:service_manager find;
allow sdk_sandbox font_service:service_manager find;
allow sdk_sandbox game_service:service_manager find;
allow sdk_sandbox gpu_service:service_manager find;
allow sdk_sandbox graphicsstats_service:service_manager find;
allow sdk_sandbox hardware_properties_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox imms_service:service_manager find;
allow sdk_sandbox input_method_service:service_manager find;
allow sdk_sandbox input_service:service_manager find;
allow sdk_sandbox IProxyService_service:service_manager find;
allow sdk_sandbox ipsec_service:service_manager find;
allow sdk_sandbox launcherapps_service:service_manager find;
allow sdk_sandbox legacy_permission_service:service_manager find;
allow sdk_sandbox light_service:service_manager find;
allow sdk_sandbox locale_service:service_manager find;
allow sdk_sandbox media_communication_service:service_manager find;
allow sdk_sandbox mediaextractor_service:service_manager find;
allow sdk_sandbox mediametrics_service:service_manager find;
allow sdk_sandbox media_projection_service:service_manager find;
allow sdk_sandbox media_router_service:service_manager find;
allow sdk_sandbox mediaserver_service:service_manager find;
allow sdk_sandbox media_session_service:service_manager find;
allow sdk_sandbox memtrackproxy_service:service_manager find;
allow sdk_sandbox midi_service:service_manager find;
allow sdk_sandbox netpolicy_service:service_manager find;
allow sdk_sandbox netstats_service:service_manager find;
allow sdk_sandbox network_management_service:service_manager find;
allow sdk_sandbox notification_service:service_manager find;
allow sdk_sandbox package_service:service_manager find;
allow sdk_sandbox permission_checker_service:service_manager find;
allow sdk_sandbox permission_service:service_manager find;
allow sdk_sandbox permissionmgr_service:service_manager find;
allow sdk_sandbox platform_compat_service:service_manager find;
allow sdk_sandbox power_service:service_manager find;
allow sdk_sandbox procstats_service:service_manager find;
allow sdk_sandbox registry_service:service_manager find;
allow sdk_sandbox restrictions_service:service_manager find;
allow sdk_sandbox rttmanager_service:service_manager find;
allow sdk_sandbox search_service:service_manager find;
allow sdk_sandbox selection_toolbar_service:service_manager find;
allow sdk_sandbox sensor_privacy_service:service_manager find;
allow sdk_sandbox sensorservice_service:service_manager find;
allow sdk_sandbox servicediscovery_service:service_manager find;
allow sdk_sandbox settings_service:service_manager find;
allow sdk_sandbox speech_recognition_service:service_manager find;
allow sdk_sandbox statusbar_service:service_manager find;
allow sdk_sandbox storagestats_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
allow sdk_sandbox telecom_service:service_manager find;
allow sdk_sandbox tethering_service:service_manager find;
allow sdk_sandbox textclassification_service:service_manager find;
allow sdk_sandbox textservices_service:service_manager find;
allow sdk_sandbox texttospeech_service:service_manager find;
allow sdk_sandbox thermal_service:service_manager find;
allow sdk_sandbox translation_service:service_manager find;
allow sdk_sandbox tv_iapp_service:service_manager find;
allow sdk_sandbox tv_input_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
allow sdk_sandbox vcn_management_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
allow sdk_sandbox system_linker_exec:file execute_no_trans;
# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox shell_data_file:file r_file_perms;
allow sdk_sandbox shell_data_file:dir r_dir_perms;
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
###
### neverallow rules
###
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;
# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };
neverallow {
domain
-init
-installd
-sdk_sandbox
-system_server
-vold_prepare_subdirs
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;

81
private/sdk_sandbox_34.te Normal file
View file

@ -0,0 +1,81 @@
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
type sdk_sandbox_34, domain;
typeattribute sdk_sandbox_34 coredomain;
sdk_sandbox_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
# services
allow sdk_sandbox_34 audioserver_service:service_manager find;
allow sdk_sandbox_34 cameraserver_service:service_manager find;
allow sdk_sandbox_34 mediaserver_service:service_manager find;
allow sdk_sandbox_34 mediaextractor_service:service_manager find;
allow sdk_sandbox_34 mediametrics_service:service_manager find;
allow sdk_sandbox_34 mediadrmserver_service:service_manager find;
allow sdk_sandbox_34 drmserver_service:service_manager find;
allow sdk_sandbox_34 radio_service:service_manager find;
allow sdk_sandbox_34 ephemeral_app_api_service:service_manager find;
allow sdk_sandbox_34 activity_service:service_manager find;
allow sdk_sandbox_34 activity_task_service:service_manager find;
allow sdk_sandbox_34 appops_service:service_manager find;
allow sdk_sandbox_34 audio_service:service_manager find;
allow sdk_sandbox_34 batteryproperties_service:service_manager find;
allow sdk_sandbox_34 batterystats_service:service_manager find;
allow sdk_sandbox_34 connectivity_service:service_manager find;
allow sdk_sandbox_34 connmetrics_service:service_manager find;
allow sdk_sandbox_34 deviceidle_service:service_manager find;
allow sdk_sandbox_34 display_service:service_manager find;
allow sdk_sandbox_34 dropbox_service:service_manager find;
allow sdk_sandbox_34 font_service:service_manager find;
allow sdk_sandbox_34 gpu_service:service_manager find;
allow sdk_sandbox_34 graphicsstats_service:service_manager find;
allow sdk_sandbox_34 hardware_properties_service:service_manager find;
allow sdk_sandbox_34 imms_service:service_manager find;
allow sdk_sandbox_34 IProxyService_service:service_manager find;
allow sdk_sandbox_34 ipsec_service:service_manager find;
allow sdk_sandbox_34 launcherapps_service:service_manager find;
allow sdk_sandbox_34 legacy_permission_service:service_manager find;
allow sdk_sandbox_34 light_service:service_manager find;
allow sdk_sandbox_34 locale_service:service_manager find;
allow sdk_sandbox_34 media_communication_service:service_manager find;
allow sdk_sandbox_34 media_session_service:service_manager find;
allow sdk_sandbox_34 memtrackproxy_service:service_manager find;
allow sdk_sandbox_34 midi_service:service_manager find;
allow sdk_sandbox_34 notification_service:service_manager find;
allow sdk_sandbox_34 package_service:service_manager find;
allow sdk_sandbox_34 permission_checker_service:service_manager find;
allow sdk_sandbox_34 permissionmgr_service:service_manager find;
allow sdk_sandbox_34 permission_service:service_manager find;
allow sdk_sandbox_34 platform_compat_service:service_manager find;
allow sdk_sandbox_34 procstats_service:service_manager find;
allow sdk_sandbox_34 registry_service:service_manager find;
allow sdk_sandbox_34 restrictions_service:service_manager find;
allow sdk_sandbox_34 search_service:service_manager find;
allow sdk_sandbox_34 selection_toolbar_service:service_manager find;
allow sdk_sandbox_34 sensor_privacy_service:service_manager find;
allow sdk_sandbox_34 sensorservice_service:service_manager find;
allow sdk_sandbox_34 servicediscovery_service:service_manager find;
allow sdk_sandbox_34 settings_service:service_manager find;
allow sdk_sandbox_34 speech_recognition_service:service_manager find;
allow sdk_sandbox_34 statusbar_service:service_manager find;
allow sdk_sandbox_34 surfaceflinger_service:service_manager find;
allow sdk_sandbox_34 telecom_service:service_manager find;
allow sdk_sandbox_34 textservices_service:service_manager find;
allow sdk_sandbox_34 texttospeech_service:service_manager find;
allow sdk_sandbox_34 thermal_service:service_manager find;
allow sdk_sandbox_34 translation_service:service_manager find;
allow sdk_sandbox_34 tv_iapp_service:service_manager find;
allow sdk_sandbox_34 tv_input_service:service_manager find;
allow sdk_sandbox_34 uimode_service:service_manager find;
allow sdk_sandbox_34 vcn_management_service:service_manager find;
allow sdk_sandbox_34 webviewupdate_service:service_manager find;
# Allow sdk_sandbox_34 to read/write files in visible storage if provided fds
allow sdk_sandbox_34 { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};

View file

@ -0,0 +1,91 @@
###
### sdk_sandbox_all
###
### This file defines the rules shared by all sdk_sandbox* domains.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The sdk_sandbox_all attribute is assigned to all default
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
### value as determined from mac_permissions.xml.
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox_all shell_data_file:file r_file_perms;
allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox_all system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
###
### neverallow rules
###
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox_all domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox_all debugfs:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox_all sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:file {open create};
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:dir search;
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:dir no_rw_file_perms;
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:file no_rw_file_perms;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
neverallow { sdk_sandbox_all } { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
neverallow { sdk_sandbox_all -sdk_sandbox_34 } hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };
# sdk_sandbox_all only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;

100
private/sdk_sandbox_next.te Normal file
View file

@ -0,0 +1,100 @@
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.
type sdk_sandbox_next, domain;
typeattribute sdk_sandbox_next coredomain;
sdk_sandbox_domain(sdk_sandbox_next)
net_domain(sdk_sandbox_next)
app_domain(sdk_sandbox_next)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox_next activity_service:service_manager find;
allow sdk_sandbox_next activity_task_service:service_manager find;
allow sdk_sandbox_next appops_service:service_manager find;
allow sdk_sandbox_next audio_service:service_manager find;
allow sdk_sandbox_next audioserver_service:service_manager find;
allow sdk_sandbox_next batteryproperties_service:service_manager find;
allow sdk_sandbox_next batterystats_service:service_manager find;
allow sdk_sandbox_next connectivity_service:service_manager find;
allow sdk_sandbox_next connmetrics_service:service_manager find;
allow sdk_sandbox_next deviceidle_service:service_manager find;
allow sdk_sandbox_next display_service:service_manager find;
allow sdk_sandbox_next dropbox_service:service_manager find;
allow sdk_sandbox_next font_service:service_manager find;
allow sdk_sandbox_next game_service:service_manager find;
allow sdk_sandbox_next gpu_service:service_manager find;
allow sdk_sandbox_next graphicsstats_service:service_manager find;
allow sdk_sandbox_next hardware_properties_service:service_manager find;
allow sdk_sandbox_next hint_service:service_manager find;
allow sdk_sandbox_next imms_service:service_manager find;
allow sdk_sandbox_next input_method_service:service_manager find;
allow sdk_sandbox_next input_service:service_manager find;
allow sdk_sandbox_next IProxyService_service:service_manager find;
allow sdk_sandbox_next ipsec_service:service_manager find;
allow sdk_sandbox_next launcherapps_service:service_manager find;
allow sdk_sandbox_next legacy_permission_service:service_manager find;
allow sdk_sandbox_next light_service:service_manager find;
allow sdk_sandbox_next locale_service:service_manager find;
allow sdk_sandbox_next media_communication_service:service_manager find;
allow sdk_sandbox_next mediaextractor_service:service_manager find;
allow sdk_sandbox_next mediametrics_service:service_manager find;
allow sdk_sandbox_next media_projection_service:service_manager find;
allow sdk_sandbox_next media_router_service:service_manager find;
allow sdk_sandbox_next mediaserver_service:service_manager find;
allow sdk_sandbox_next media_session_service:service_manager find;
allow sdk_sandbox_next memtrackproxy_service:service_manager find;
allow sdk_sandbox_next midi_service:service_manager find;
allow sdk_sandbox_next netpolicy_service:service_manager find;
allow sdk_sandbox_next netstats_service:service_manager find;
allow sdk_sandbox_next network_management_service:service_manager find;
allow sdk_sandbox_next notification_service:service_manager find;
allow sdk_sandbox_next package_service:service_manager find;
allow sdk_sandbox_next permission_checker_service:service_manager find;
allow sdk_sandbox_next permission_service:service_manager find;
allow sdk_sandbox_next permissionmgr_service:service_manager find;
allow sdk_sandbox_next platform_compat_service:service_manager find;
allow sdk_sandbox_next power_service:service_manager find;
allow sdk_sandbox_next procstats_service:service_manager find;
allow sdk_sandbox_next registry_service:service_manager find;
allow sdk_sandbox_next restrictions_service:service_manager find;
allow sdk_sandbox_next rttmanager_service:service_manager find;
allow sdk_sandbox_next search_service:service_manager find;
allow sdk_sandbox_next selection_toolbar_service:service_manager find;
allow sdk_sandbox_next sensor_privacy_service:service_manager find;
allow sdk_sandbox_next sensorservice_service:service_manager find;
allow sdk_sandbox_next servicediscovery_service:service_manager find;
allow sdk_sandbox_next settings_service:service_manager find;
allow sdk_sandbox_next speech_recognition_service:service_manager find;
allow sdk_sandbox_next statusbar_service:service_manager find;
allow sdk_sandbox_next storagestats_service:service_manager find;
allow sdk_sandbox_next surfaceflinger_service:service_manager find;
allow sdk_sandbox_next telecom_service:service_manager find;
allow sdk_sandbox_next tethering_service:service_manager find;
allow sdk_sandbox_next textclassification_service:service_manager find;
allow sdk_sandbox_next textservices_service:service_manager find;
allow sdk_sandbox_next texttospeech_service:service_manager find;
allow sdk_sandbox_next thermal_service:service_manager find;
allow sdk_sandbox_next translation_service:service_manager find;
allow sdk_sandbox_next tv_iapp_service:service_manager find;
allow sdk_sandbox_next tv_input_service:service_manager find;
allow sdk_sandbox_next uimode_service:service_manager find;
allow sdk_sandbox_next vcn_management_service:service_manager find;
allow sdk_sandbox_next webviewupdate_service:service_manager find;
allow sdk_sandbox_next system_linker_exec:file execute_no_trans;
# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox_next shell_data_file:file r_file_perms;
allow sdk_sandbox_next shell_data_file:dir r_dir_perms;
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox_next system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };

View file

@ -148,8 +148,8 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server_startup
# sdksandbox must run in the sdksandbox domain
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
# sdksandbox must run in the sdk_sandbox domain
neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
@ -164,7 +164,8 @@ user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_f
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox minTargetSdkVersion=34 domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox minTargetSdkVersion=35 domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user

View file

@ -382,6 +382,7 @@ statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
# sdk_sandbox here refers to the service name, not the domain name.
sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0

View file

@ -22,7 +22,7 @@
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:

View file

@ -203,6 +203,13 @@ get_prop($1, hypervisor_prop)
allow $1 virtualizationservice_data_file:file { getattr read };
')
#####################################
# sdk_sandbox_domain(domain)
# Allow a base set of permissions required for all sdk sandboxes
define(`sdk_sandbox_domain', `
typeattribute $1 sdk_sandbox_all;
')
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.