Merge "Introduce a new sdk_sandbox domain" am: 9ee52f56bb
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2527286 Change-Id: I21fe274a202af32dec9defc33241bef7da510b51 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
ff1c4e035c
13 changed files with 335 additions and 355 deletions
|
@ -9,7 +9,7 @@ r_dir_file({
|
|||
-platform_app
|
||||
-priv_app
|
||||
-shell
|
||||
-sdk_sandbox
|
||||
-sdk_sandbox_all
|
||||
-system_app
|
||||
-untrusted_app_all
|
||||
}, proc_net_type)
|
||||
|
@ -23,7 +23,7 @@ userdebug_or_eng(`
|
|||
-priv_app
|
||||
-shell
|
||||
-su
|
||||
-sdk_sandbox
|
||||
-sdk_sandbox_all
|
||||
-system_app
|
||||
-untrusted_app_all
|
||||
} proc_net_type:{ dir file lnk_file } { getattr open read };
|
||||
|
@ -81,7 +81,7 @@ dontaudit appdomain system_data_file:dir write;
|
|||
dontaudit appdomain vendor_default_prop:file read;
|
||||
|
||||
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
|
||||
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
|
||||
allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
|
||||
|
||||
# allow apps to use UDP sockets provided by the system server but not
|
||||
# modify them other than to connect
|
||||
|
@ -137,67 +137,67 @@ allow appdomain tombstone_data_file:file { getattr read };
|
|||
neverallow appdomain tombstone_data_file:file ~{ getattr read };
|
||||
|
||||
# Execute the shell or other system executables.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
|
||||
|
||||
# Allow apps access to /vendor/app except for privileged
|
||||
# apps which cannot be in /vendor.
|
||||
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
|
||||
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
|
||||
|
||||
# Perform binder IPC to sdk sandbox.
|
||||
binder_call(appdomain, sdk_sandbox)
|
||||
binder_call(appdomain, sdk_sandbox_all)
|
||||
|
||||
# Allow access to external storage; we have several visible mount points under /storage
|
||||
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
|
||||
|
||||
# Read/write visible storage
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
|
||||
# This should be removed if sdcardfs is modified to alter the secontext for its
|
||||
# accesses to the underlying FS.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Allow apps to use the USB Accessory interface.
|
||||
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
|
||||
#
|
||||
# USB devices are first opened by the system server (USBDeviceManagerService)
|
||||
# and the file descriptor is passed to the right Activity via binder.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
|
||||
|
||||
#logd access
|
||||
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
# application inherit logd write socket (urge is to deprecate this long term)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
|
||||
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
|
||||
|
||||
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
# For app fuse.
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
|
||||
pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
|
||||
# Apps do not directly open the IPC socket for bufferhubd.
|
||||
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
|
||||
pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
|
||||
|
||||
# Apps receive an open tun fd from the framework for
|
||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
|
||||
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
|
||||
allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
|
||||
|
||||
|
||||
# WebView and other application-specific JIT compilers
|
||||
|
@ -223,11 +223,11 @@ allow appdomain dalvikcache_data_file:dir { search getattr };
|
|||
allow appdomain dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Read the /sdcard and /mnt/sdcard symlinks
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
|
||||
|
||||
# Search /storage/emulated tmpfs mount.
|
||||
allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
|
||||
allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
|
||||
|
||||
# Notify zygote of the wrapped process PID when using --invoke-with.
|
||||
allow appdomain zygote:fifo_file write;
|
||||
|
@ -261,11 +261,11 @@ allow appdomain appdomain:fifo_file rw_file_perms;
|
|||
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
|
||||
# App sandbox file accesses.
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
|
||||
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
|
||||
|
||||
# Access via already open fds is ok even for mlstrustedsubject.
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
|
||||
|
||||
# Traverse into expanded storage
|
||||
allow appdomain mnt_expand_file:dir r_dir_perms;
|
||||
|
@ -411,7 +411,7 @@ allow appdomain system_data_file:lnk_file r_file_perms;
|
|||
allow appdomain system_data_file:file { getattr read map };
|
||||
|
||||
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
|
||||
allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
|
||||
|
||||
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
|
||||
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
|
||||
|
@ -503,7 +503,7 @@ neverallow {
|
|||
nfc
|
||||
radio
|
||||
shared_relro
|
||||
sdk_sandbox
|
||||
sdk_sandbox_all
|
||||
system_app
|
||||
} {
|
||||
data_file_type
|
||||
|
|
|
@ -10,3 +10,6 @@ attribute mlsvendorcompat;
|
|||
# property owner attributes must be exclusive.
|
||||
attribute system_and_vendor_property_type;
|
||||
expandattribute system_and_vendor_property_type false;
|
||||
|
||||
# All SDK sandbox domains
|
||||
attribute sdk_sandbox_all;
|
||||
|
|
|
@ -749,7 +749,7 @@ neverallow {
|
|||
isolated_app_all
|
||||
ephemeral_app
|
||||
priv_app
|
||||
sdk_sandbox
|
||||
sdk_sandbox_all
|
||||
untrusted_app_all
|
||||
} system_app_data_file:dir_file_class_set { create unlink open };
|
||||
|
||||
|
|
|
@ -104,7 +104,7 @@ neverallow { isolated_app_all -isolated_compute_app } {
|
|||
# excluding unix_stream_socket and unix_dgram_socket.
|
||||
# Many of these are socket families which have never and will never
|
||||
# be compiled into the Android kernel.
|
||||
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
|
||||
neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
|
||||
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
|
||||
key_socket appletalk_socket netlink_route_socket
|
||||
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Bind to ports.
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
|
||||
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
|
||||
|
||||
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
|
||||
# untrusted_apps.
|
||||
|
@ -13,7 +13,7 @@ allow {
|
|||
-ephemeral_app
|
||||
-mediaprovider
|
||||
-priv_app
|
||||
-sdk_sandbox
|
||||
-sdk_sandbox_all
|
||||
-untrusted_app_all
|
||||
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
|
||||
|
||||
|
|
|
@ -1,304 +0,0 @@
|
|||
###
|
||||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the security policy for the sdk sandbox processes.
|
||||
|
||||
type sdk_sandbox, domain;
|
||||
|
||||
typeattribute sdk_sandbox coredomain;
|
||||
|
||||
net_domain(sdk_sandbox)
|
||||
app_domain(sdk_sandbox)
|
||||
|
||||
# TODO(b/252967582): remove this rule if it generates too much logs traffic.
|
||||
auditallow sdk_sandbox {
|
||||
property_type
|
||||
# remove expected properties to reduce noise.
|
||||
-servicemanager_prop
|
||||
-hwservicemanager_prop
|
||||
-use_memfd_prop
|
||||
-binder_cache_system_server_prop
|
||||
-graphics_config_prop
|
||||
-persist_wm_debug_prop
|
||||
-aaudio_config_prop
|
||||
-adbd_config_prop
|
||||
-apex_ready_prop
|
||||
-apexd_select_prop
|
||||
-arm64_memtag_prop
|
||||
-audio_prop
|
||||
-binder_cache_bluetooth_server_prop
|
||||
-binder_cache_telephony_server_prop
|
||||
-bluetooth_config_prop
|
||||
-boot_status_prop
|
||||
-bootloader_prop
|
||||
-bq_config_prop
|
||||
-build_odm_prop
|
||||
-build_prop
|
||||
-build_vendor_prop
|
||||
-camera2_extensions_prop
|
||||
-camera_calibration_prop
|
||||
-camera_config_prop
|
||||
-camerax_extensions_prop
|
||||
-codec2_config_prop
|
||||
-config_prop
|
||||
-cppreopt_prop
|
||||
-dalvik_config_prop_type
|
||||
-dalvik_prop
|
||||
-dalvik_runtime_prop
|
||||
-dck_prop
|
||||
-debug_prop
|
||||
-debuggerd_prop
|
||||
-default_prop
|
||||
-device_config_memory_safety_native_boot_prop
|
||||
-device_config_memory_safety_native_prop
|
||||
-device_config_nnapi_native_prop
|
||||
-device_config_runtime_native_boot_prop
|
||||
-device_config_runtime_native_prop
|
||||
-dhcp_prop
|
||||
-dumpstate_prop
|
||||
-exported3_system_prop
|
||||
-exported_config_prop
|
||||
-exported_default_prop
|
||||
-exported_dumpstate_prop
|
||||
-exported_pm_prop
|
||||
-exported_system_prop
|
||||
-ffs_config_prop
|
||||
-fingerprint_prop
|
||||
-framework_status_prop
|
||||
-gwp_asan_prop
|
||||
-hal_instrumentation_prop
|
||||
-hdmi_config_prop
|
||||
-heapprofd_prop
|
||||
-hw_timeout_multiplier_prop
|
||||
-init_service_status_private_prop
|
||||
-init_service_status_prop
|
||||
-libc_debug_prop
|
||||
-lmkd_config_prop
|
||||
-locale_prop
|
||||
-localization_prop
|
||||
-log_file_logger_prop
|
||||
-log_prop
|
||||
-log_tag_prop
|
||||
-logd_prop
|
||||
-media_config_prop
|
||||
-media_variant_prop
|
||||
-mediadrm_config_prop
|
||||
-module_sdkextensions_prop
|
||||
-net_radio_prop
|
||||
-nfc_prop
|
||||
-nnapi_ext_deny_product_prop
|
||||
-ota_prop
|
||||
-packagemanager_config_prop
|
||||
-pan_result_prop
|
||||
-permissive_mte_prop
|
||||
-persist_debug_prop
|
||||
-persist_sysui_builder_extras_prop
|
||||
-pm_prop
|
||||
-powerctl_prop
|
||||
-property_service_version_prop
|
||||
-radio_control_prop
|
||||
-radio_prop
|
||||
-restorecon_prop
|
||||
-rollback_test_prop
|
||||
-sendbug_config_prop
|
||||
-setupwizard_prop
|
||||
-shell_prop
|
||||
-soc_prop
|
||||
-socket_hook_prop
|
||||
-sqlite_log_prop
|
||||
-storagemanager_config_prop
|
||||
-surfaceflinger_color_prop
|
||||
-surfaceflinger_prop
|
||||
-system_prop
|
||||
-system_user_mode_emulation_prop
|
||||
-systemsound_config_prop
|
||||
-telephony_config_prop
|
||||
-telephony_status_prop
|
||||
-test_harness_prop
|
||||
-timezone_prop
|
||||
-usb_config_prop
|
||||
-usb_control_prop
|
||||
-usb_prop
|
||||
-userdebug_or_eng_prop
|
||||
-userspace_reboot_config_prop
|
||||
-userspace_reboot_exported_prop
|
||||
-userspace_reboot_log_prop
|
||||
-userspace_reboot_test_prop
|
||||
-vendor_socket_hook_prop
|
||||
-vndk_prop
|
||||
-vold_config_prop
|
||||
-vold_prop
|
||||
-vold_status_prop
|
||||
-vts_config_prop
|
||||
-vts_status_prop
|
||||
-wifi_log_prop
|
||||
-zygote_config_prop
|
||||
-zygote_wrap_prop
|
||||
-init_service_status_prop
|
||||
}:file { getattr open read map };
|
||||
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
|
||||
allow sdk_sandbox activity_service:service_manager find;
|
||||
allow sdk_sandbox activity_task_service:service_manager find;
|
||||
allow sdk_sandbox appops_service:service_manager find;
|
||||
allow sdk_sandbox audio_service:service_manager find;
|
||||
allow sdk_sandbox audioserver_service:service_manager find;
|
||||
allow sdk_sandbox batteryproperties_service:service_manager find;
|
||||
allow sdk_sandbox batterystats_service:service_manager find;
|
||||
allow sdk_sandbox connectivity_service:service_manager find;
|
||||
allow sdk_sandbox connmetrics_service:service_manager find;
|
||||
allow sdk_sandbox deviceidle_service:service_manager find;
|
||||
allow sdk_sandbox display_service:service_manager find;
|
||||
allow sdk_sandbox dropbox_service:service_manager find;
|
||||
allow sdk_sandbox font_service:service_manager find;
|
||||
allow sdk_sandbox game_service:service_manager find;
|
||||
allow sdk_sandbox gpu_service:service_manager find;
|
||||
allow sdk_sandbox graphicsstats_service:service_manager find;
|
||||
allow sdk_sandbox hardware_properties_service:service_manager find;
|
||||
allow sdk_sandbox hint_service:service_manager find;
|
||||
allow sdk_sandbox imms_service:service_manager find;
|
||||
allow sdk_sandbox input_method_service:service_manager find;
|
||||
allow sdk_sandbox input_service:service_manager find;
|
||||
allow sdk_sandbox IProxyService_service:service_manager find;
|
||||
allow sdk_sandbox ipsec_service:service_manager find;
|
||||
allow sdk_sandbox launcherapps_service:service_manager find;
|
||||
allow sdk_sandbox legacy_permission_service:service_manager find;
|
||||
allow sdk_sandbox light_service:service_manager find;
|
||||
allow sdk_sandbox locale_service:service_manager find;
|
||||
allow sdk_sandbox media_communication_service:service_manager find;
|
||||
allow sdk_sandbox mediaextractor_service:service_manager find;
|
||||
allow sdk_sandbox mediametrics_service:service_manager find;
|
||||
allow sdk_sandbox media_projection_service:service_manager find;
|
||||
allow sdk_sandbox media_router_service:service_manager find;
|
||||
allow sdk_sandbox mediaserver_service:service_manager find;
|
||||
allow sdk_sandbox media_session_service:service_manager find;
|
||||
allow sdk_sandbox memtrackproxy_service:service_manager find;
|
||||
allow sdk_sandbox midi_service:service_manager find;
|
||||
allow sdk_sandbox netpolicy_service:service_manager find;
|
||||
allow sdk_sandbox netstats_service:service_manager find;
|
||||
allow sdk_sandbox network_management_service:service_manager find;
|
||||
allow sdk_sandbox notification_service:service_manager find;
|
||||
allow sdk_sandbox package_service:service_manager find;
|
||||
allow sdk_sandbox permission_checker_service:service_manager find;
|
||||
allow sdk_sandbox permission_service:service_manager find;
|
||||
allow sdk_sandbox permissionmgr_service:service_manager find;
|
||||
allow sdk_sandbox platform_compat_service:service_manager find;
|
||||
allow sdk_sandbox power_service:service_manager find;
|
||||
allow sdk_sandbox procstats_service:service_manager find;
|
||||
allow sdk_sandbox registry_service:service_manager find;
|
||||
allow sdk_sandbox restrictions_service:service_manager find;
|
||||
allow sdk_sandbox rttmanager_service:service_manager find;
|
||||
allow sdk_sandbox search_service:service_manager find;
|
||||
allow sdk_sandbox selection_toolbar_service:service_manager find;
|
||||
allow sdk_sandbox sensor_privacy_service:service_manager find;
|
||||
allow sdk_sandbox sensorservice_service:service_manager find;
|
||||
allow sdk_sandbox servicediscovery_service:service_manager find;
|
||||
allow sdk_sandbox settings_service:service_manager find;
|
||||
allow sdk_sandbox speech_recognition_service:service_manager find;
|
||||
allow sdk_sandbox statusbar_service:service_manager find;
|
||||
allow sdk_sandbox storagestats_service:service_manager find;
|
||||
allow sdk_sandbox surfaceflinger_service:service_manager find;
|
||||
allow sdk_sandbox telecom_service:service_manager find;
|
||||
allow sdk_sandbox tethering_service:service_manager find;
|
||||
allow sdk_sandbox textclassification_service:service_manager find;
|
||||
allow sdk_sandbox textservices_service:service_manager find;
|
||||
allow sdk_sandbox texttospeech_service:service_manager find;
|
||||
allow sdk_sandbox thermal_service:service_manager find;
|
||||
allow sdk_sandbox translation_service:service_manager find;
|
||||
allow sdk_sandbox tv_iapp_service:service_manager find;
|
||||
allow sdk_sandbox tv_input_service:service_manager find;
|
||||
allow sdk_sandbox uimode_service:service_manager find;
|
||||
allow sdk_sandbox vcn_management_service:service_manager find;
|
||||
allow sdk_sandbox webviewupdate_service:service_manager find;
|
||||
|
||||
allow sdk_sandbox system_linker_exec:file execute_no_trans;
|
||||
|
||||
# Required to read CTS tests data from the shell_data_file location.
|
||||
allow sdk_sandbox shell_data_file:file r_file_perms;
|
||||
allow sdk_sandbox shell_data_file:dir r_dir_perms;
|
||||
|
||||
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
||||
# modify them other than to connect
|
||||
allow sdk_sandbox system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# allow sandbox to search in sdk system server directory
|
||||
# additionally, for webview to work, getattr has been permitted
|
||||
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
|
||||
# allow sandbox to create files and dirs in sdk data directory
|
||||
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
|
||||
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Receive or send generic netlink messages
|
||||
neverallow sdk_sandbox domain:netlink_socket *;
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow sdk_sandbox debugfs:file read;
|
||||
|
||||
# execute gpu_device
|
||||
neverallow sdk_sandbox gpu_device:chr_file execute;
|
||||
|
||||
# access files in /sys with the default sysfs label
|
||||
neverallow sdk_sandbox sysfs:file *;
|
||||
|
||||
# Avoid reads from generically labeled /proc files
|
||||
# Create a more specific label if needed
|
||||
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Directly access external storage
|
||||
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
|
||||
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
|
||||
|
||||
# Avoid reads to proc_net, it contains too much device wide information about
|
||||
# ongoing connections.
|
||||
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
|
||||
|
||||
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
||||
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
|
||||
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
|
||||
|
||||
# SDK sandbox processes don't have any access to external storage
|
||||
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
|
||||
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
||||
|
||||
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
||||
|
||||
neverallow sdk_sandbox hal_drm_service:service_manager find;
|
||||
|
||||
# Only certain system components should have access to sdk_sandbox_system_data_file
|
||||
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-sdk_sandbox
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
-zygote
|
||||
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
|
||||
|
||||
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
|
||||
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
|
||||
|
||||
# Only dirs should be created at sdk_sandbox_system_data_file level
|
||||
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|
81
private/sdk_sandbox_34.te
Normal file
81
private/sdk_sandbox_34.te
Normal file
|
@ -0,0 +1,81 @@
|
|||
###
|
||||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the security policy for the sdk sandbox processes
|
||||
### for targetSdkVersion=34.
|
||||
type sdk_sandbox_34, domain;
|
||||
|
||||
typeattribute sdk_sandbox_34 coredomain;
|
||||
|
||||
sdk_sandbox_domain(sdk_sandbox_34)
|
||||
app_domain(sdk_sandbox_34)
|
||||
|
||||
# services
|
||||
allow sdk_sandbox_34 audioserver_service:service_manager find;
|
||||
allow sdk_sandbox_34 cameraserver_service:service_manager find;
|
||||
allow sdk_sandbox_34 mediaserver_service:service_manager find;
|
||||
allow sdk_sandbox_34 mediaextractor_service:service_manager find;
|
||||
allow sdk_sandbox_34 mediametrics_service:service_manager find;
|
||||
allow sdk_sandbox_34 mediadrmserver_service:service_manager find;
|
||||
allow sdk_sandbox_34 drmserver_service:service_manager find;
|
||||
allow sdk_sandbox_34 radio_service:service_manager find;
|
||||
allow sdk_sandbox_34 ephemeral_app_api_service:service_manager find;
|
||||
|
||||
allow sdk_sandbox_34 activity_service:service_manager find;
|
||||
allow sdk_sandbox_34 activity_task_service:service_manager find;
|
||||
allow sdk_sandbox_34 appops_service:service_manager find;
|
||||
allow sdk_sandbox_34 audio_service:service_manager find;
|
||||
allow sdk_sandbox_34 batteryproperties_service:service_manager find;
|
||||
allow sdk_sandbox_34 batterystats_service:service_manager find;
|
||||
allow sdk_sandbox_34 connectivity_service:service_manager find;
|
||||
allow sdk_sandbox_34 connmetrics_service:service_manager find;
|
||||
allow sdk_sandbox_34 deviceidle_service:service_manager find;
|
||||
allow sdk_sandbox_34 display_service:service_manager find;
|
||||
allow sdk_sandbox_34 dropbox_service:service_manager find;
|
||||
allow sdk_sandbox_34 font_service:service_manager find;
|
||||
allow sdk_sandbox_34 gpu_service:service_manager find;
|
||||
allow sdk_sandbox_34 graphicsstats_service:service_manager find;
|
||||
allow sdk_sandbox_34 hardware_properties_service:service_manager find;
|
||||
allow sdk_sandbox_34 imms_service:service_manager find;
|
||||
allow sdk_sandbox_34 IProxyService_service:service_manager find;
|
||||
allow sdk_sandbox_34 ipsec_service:service_manager find;
|
||||
allow sdk_sandbox_34 launcherapps_service:service_manager find;
|
||||
allow sdk_sandbox_34 legacy_permission_service:service_manager find;
|
||||
allow sdk_sandbox_34 light_service:service_manager find;
|
||||
allow sdk_sandbox_34 locale_service:service_manager find;
|
||||
allow sdk_sandbox_34 media_communication_service:service_manager find;
|
||||
allow sdk_sandbox_34 media_session_service:service_manager find;
|
||||
allow sdk_sandbox_34 memtrackproxy_service:service_manager find;
|
||||
allow sdk_sandbox_34 midi_service:service_manager find;
|
||||
allow sdk_sandbox_34 notification_service:service_manager find;
|
||||
allow sdk_sandbox_34 package_service:service_manager find;
|
||||
allow sdk_sandbox_34 permission_checker_service:service_manager find;
|
||||
allow sdk_sandbox_34 permissionmgr_service:service_manager find;
|
||||
allow sdk_sandbox_34 permission_service:service_manager find;
|
||||
allow sdk_sandbox_34 platform_compat_service:service_manager find;
|
||||
allow sdk_sandbox_34 procstats_service:service_manager find;
|
||||
allow sdk_sandbox_34 registry_service:service_manager find;
|
||||
allow sdk_sandbox_34 restrictions_service:service_manager find;
|
||||
allow sdk_sandbox_34 search_service:service_manager find;
|
||||
allow sdk_sandbox_34 selection_toolbar_service:service_manager find;
|
||||
allow sdk_sandbox_34 sensor_privacy_service:service_manager find;
|
||||
allow sdk_sandbox_34 sensorservice_service:service_manager find;
|
||||
allow sdk_sandbox_34 servicediscovery_service:service_manager find;
|
||||
allow sdk_sandbox_34 settings_service:service_manager find;
|
||||
allow sdk_sandbox_34 speech_recognition_service:service_manager find;
|
||||
allow sdk_sandbox_34 statusbar_service:service_manager find;
|
||||
allow sdk_sandbox_34 surfaceflinger_service:service_manager find;
|
||||
allow sdk_sandbox_34 telecom_service:service_manager find;
|
||||
allow sdk_sandbox_34 textservices_service:service_manager find;
|
||||
allow sdk_sandbox_34 texttospeech_service:service_manager find;
|
||||
allow sdk_sandbox_34 thermal_service:service_manager find;
|
||||
allow sdk_sandbox_34 translation_service:service_manager find;
|
||||
allow sdk_sandbox_34 tv_iapp_service:service_manager find;
|
||||
allow sdk_sandbox_34 tv_input_service:service_manager find;
|
||||
allow sdk_sandbox_34 uimode_service:service_manager find;
|
||||
allow sdk_sandbox_34 vcn_management_service:service_manager find;
|
||||
allow sdk_sandbox_34 webviewupdate_service:service_manager find;
|
||||
|
||||
# Allow sdk_sandbox_34 to read/write files in visible storage if provided fds
|
||||
allow sdk_sandbox_34 { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
|
||||
|
91
private/sdk_sandbox_all.te
Normal file
91
private/sdk_sandbox_all.te
Normal file
|
@ -0,0 +1,91 @@
|
|||
###
|
||||
### sdk_sandbox_all
|
||||
###
|
||||
### This file defines the rules shared by all sdk_sandbox* domains.
|
||||
### Apps are labeled based on mac_permissions.xml (maps signer and
|
||||
### optionally package name to seinfo value) and seapp_contexts (maps UID
|
||||
### and optionally seinfo value to domain for process and type for data
|
||||
### directory). The sdk_sandbox_all attribute is assigned to all default
|
||||
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
|
||||
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
|
||||
### value as determined from mac_permissions.xml.
|
||||
|
||||
# allow sandbox to search in sdk system server directory
|
||||
# additionally, for webview to work, getattr has been permitted
|
||||
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
|
||||
|
||||
# allow sandbox to create files and dirs in sdk data directory
|
||||
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
|
||||
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
|
||||
|
||||
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
|
||||
|
||||
# Required to read CTS tests data from the shell_data_file location.
|
||||
allow sdk_sandbox_all shell_data_file:file r_file_perms;
|
||||
allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
|
||||
|
||||
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
||||
# modify them other than to connect
|
||||
allow sdk_sandbox_all system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# Receive or send uevent messages.
|
||||
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
|
||||
|
||||
# Receive or send generic netlink messages
|
||||
neverallow sdk_sandbox_all domain:netlink_socket *;
|
||||
|
||||
# Too much leaky information in debugfs. It's a security
|
||||
# best practice to ensure these files aren't readable.
|
||||
neverallow sdk_sandbox_all debugfs:file read;
|
||||
|
||||
# execute gpu_device
|
||||
neverallow sdk_sandbox_all gpu_device:chr_file execute;
|
||||
|
||||
# access files in /sys with the default sysfs label
|
||||
neverallow sdk_sandbox_all sysfs:file *;
|
||||
|
||||
# Avoid reads from generically labeled /proc files
|
||||
# Create a more specific label if needed
|
||||
neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
|
||||
|
||||
# Directly access external storage
|
||||
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:file {open create};
|
||||
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:dir search;
|
||||
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:dir no_rw_file_perms;
|
||||
neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:file no_rw_file_perms;
|
||||
|
||||
# Avoid reads to proc_net, it contains too much device wide information about
|
||||
# ongoing connections.
|
||||
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
|
||||
|
||||
neverallow { sdk_sandbox_all } { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
|
||||
|
||||
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
||||
neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:dir no_rw_file_perms;
|
||||
neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:file no_rw_file_perms;
|
||||
|
||||
neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
|
||||
|
||||
neverallow { sdk_sandbox_all -sdk_sandbox_34 } hal_drm_service:service_manager find;
|
||||
|
||||
# Only certain system components should have access to sdk_sandbox_system_data_file
|
||||
# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-installd
|
||||
-system_server
|
||||
-vold_prepare_subdirs
|
||||
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
||||
|
||||
# sdk_sandbox_all only needs to traverse through the sdk_sandbox_system_data_file
|
||||
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
|
||||
|
||||
# Only dirs should be created at sdk_sandbox_system_data_file level
|
||||
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|
||||
|
100
private/sdk_sandbox_next.te
Normal file
100
private/sdk_sandbox_next.te
Normal file
|
@ -0,0 +1,100 @@
|
|||
###
|
||||
### SDK Sandbox process.
|
||||
###
|
||||
### This file defines the security policy for the sdk sandbox processes.
|
||||
|
||||
type sdk_sandbox_next, domain;
|
||||
|
||||
typeattribute sdk_sandbox_next coredomain;
|
||||
sdk_sandbox_domain(sdk_sandbox_next)
|
||||
|
||||
net_domain(sdk_sandbox_next)
|
||||
app_domain(sdk_sandbox_next)
|
||||
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
|
||||
allow sdk_sandbox_next activity_service:service_manager find;
|
||||
allow sdk_sandbox_next activity_task_service:service_manager find;
|
||||
allow sdk_sandbox_next appops_service:service_manager find;
|
||||
allow sdk_sandbox_next audio_service:service_manager find;
|
||||
allow sdk_sandbox_next audioserver_service:service_manager find;
|
||||
allow sdk_sandbox_next batteryproperties_service:service_manager find;
|
||||
allow sdk_sandbox_next batterystats_service:service_manager find;
|
||||
allow sdk_sandbox_next connectivity_service:service_manager find;
|
||||
allow sdk_sandbox_next connmetrics_service:service_manager find;
|
||||
allow sdk_sandbox_next deviceidle_service:service_manager find;
|
||||
allow sdk_sandbox_next display_service:service_manager find;
|
||||
allow sdk_sandbox_next dropbox_service:service_manager find;
|
||||
allow sdk_sandbox_next font_service:service_manager find;
|
||||
allow sdk_sandbox_next game_service:service_manager find;
|
||||
allow sdk_sandbox_next gpu_service:service_manager find;
|
||||
allow sdk_sandbox_next graphicsstats_service:service_manager find;
|
||||
allow sdk_sandbox_next hardware_properties_service:service_manager find;
|
||||
allow sdk_sandbox_next hint_service:service_manager find;
|
||||
allow sdk_sandbox_next imms_service:service_manager find;
|
||||
allow sdk_sandbox_next input_method_service:service_manager find;
|
||||
allow sdk_sandbox_next input_service:service_manager find;
|
||||
allow sdk_sandbox_next IProxyService_service:service_manager find;
|
||||
allow sdk_sandbox_next ipsec_service:service_manager find;
|
||||
allow sdk_sandbox_next launcherapps_service:service_manager find;
|
||||
allow sdk_sandbox_next legacy_permission_service:service_manager find;
|
||||
allow sdk_sandbox_next light_service:service_manager find;
|
||||
allow sdk_sandbox_next locale_service:service_manager find;
|
||||
allow sdk_sandbox_next media_communication_service:service_manager find;
|
||||
allow sdk_sandbox_next mediaextractor_service:service_manager find;
|
||||
allow sdk_sandbox_next mediametrics_service:service_manager find;
|
||||
allow sdk_sandbox_next media_projection_service:service_manager find;
|
||||
allow sdk_sandbox_next media_router_service:service_manager find;
|
||||
allow sdk_sandbox_next mediaserver_service:service_manager find;
|
||||
allow sdk_sandbox_next media_session_service:service_manager find;
|
||||
allow sdk_sandbox_next memtrackproxy_service:service_manager find;
|
||||
allow sdk_sandbox_next midi_service:service_manager find;
|
||||
allow sdk_sandbox_next netpolicy_service:service_manager find;
|
||||
allow sdk_sandbox_next netstats_service:service_manager find;
|
||||
allow sdk_sandbox_next network_management_service:service_manager find;
|
||||
allow sdk_sandbox_next notification_service:service_manager find;
|
||||
allow sdk_sandbox_next package_service:service_manager find;
|
||||
allow sdk_sandbox_next permission_checker_service:service_manager find;
|
||||
allow sdk_sandbox_next permission_service:service_manager find;
|
||||
allow sdk_sandbox_next permissionmgr_service:service_manager find;
|
||||
allow sdk_sandbox_next platform_compat_service:service_manager find;
|
||||
allow sdk_sandbox_next power_service:service_manager find;
|
||||
allow sdk_sandbox_next procstats_service:service_manager find;
|
||||
allow sdk_sandbox_next registry_service:service_manager find;
|
||||
allow sdk_sandbox_next restrictions_service:service_manager find;
|
||||
allow sdk_sandbox_next rttmanager_service:service_manager find;
|
||||
allow sdk_sandbox_next search_service:service_manager find;
|
||||
allow sdk_sandbox_next selection_toolbar_service:service_manager find;
|
||||
allow sdk_sandbox_next sensor_privacy_service:service_manager find;
|
||||
allow sdk_sandbox_next sensorservice_service:service_manager find;
|
||||
allow sdk_sandbox_next servicediscovery_service:service_manager find;
|
||||
allow sdk_sandbox_next settings_service:service_manager find;
|
||||
allow sdk_sandbox_next speech_recognition_service:service_manager find;
|
||||
allow sdk_sandbox_next statusbar_service:service_manager find;
|
||||
allow sdk_sandbox_next storagestats_service:service_manager find;
|
||||
allow sdk_sandbox_next surfaceflinger_service:service_manager find;
|
||||
allow sdk_sandbox_next telecom_service:service_manager find;
|
||||
allow sdk_sandbox_next tethering_service:service_manager find;
|
||||
allow sdk_sandbox_next textclassification_service:service_manager find;
|
||||
allow sdk_sandbox_next textservices_service:service_manager find;
|
||||
allow sdk_sandbox_next texttospeech_service:service_manager find;
|
||||
allow sdk_sandbox_next thermal_service:service_manager find;
|
||||
allow sdk_sandbox_next translation_service:service_manager find;
|
||||
allow sdk_sandbox_next tv_iapp_service:service_manager find;
|
||||
allow sdk_sandbox_next tv_input_service:service_manager find;
|
||||
allow sdk_sandbox_next uimode_service:service_manager find;
|
||||
allow sdk_sandbox_next vcn_management_service:service_manager find;
|
||||
allow sdk_sandbox_next webviewupdate_service:service_manager find;
|
||||
|
||||
allow sdk_sandbox_next system_linker_exec:file execute_no_trans;
|
||||
|
||||
# Required to read CTS tests data from the shell_data_file location.
|
||||
allow sdk_sandbox_next shell_data_file:file r_file_perms;
|
||||
allow sdk_sandbox_next shell_data_file:dir r_dir_perms;
|
||||
|
||||
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
||||
# modify them other than to connect
|
||||
allow sdk_sandbox_next system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
|
@ -148,8 +148,8 @@ neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
|
|||
|
||||
isSystemServer=true domain=system_server_startup
|
||||
|
||||
# sdksandbox must run in the sdksandbox domain
|
||||
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
|
||||
# sdksandbox must run in the sdk_sandbox domain
|
||||
neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
|
||||
|
||||
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
||||
user=system seinfo=platform domain=system_app type=system_app_data_file
|
||||
|
@ -164,7 +164,8 @@ user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_f
|
|||
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
||||
user=_isolated domain=isolated_app levelFrom=user
|
||||
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
|
||||
user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
|
||||
user=_sdksandbox minTargetSdkVersion=34 domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
|
||||
user=_sdksandbox minTargetSdkVersion=35 domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
|
||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
||||
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
||||
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
||||
|
|
|
@ -382,6 +382,7 @@ statusbar u:object_r:statusbar_service:s0
|
|||
storaged u:object_r:storaged_service:s0
|
||||
storaged_pri u:object_r:storaged_service:s0
|
||||
storagestats u:object_r:storagestats_service:s0
|
||||
# sdk_sandbox here refers to the service name, not the domain name.
|
||||
sdk_sandbox u:object_r:sdk_sandbox_service:s0
|
||||
SurfaceFlinger u:object_r:surfaceflinger_service:s0
|
||||
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
|
||||
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
|
||||
(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
|
||||
|
||||
; Apps, except isolated apps, are clients of Configstore HAL
|
||||
; Unfortunately, we can't currently express this in module policy language:
|
||||
|
|
|
@ -203,6 +203,13 @@ get_prop($1, hypervisor_prop)
|
|||
allow $1 virtualizationservice_data_file:file { getattr read };
|
||||
')
|
||||
|
||||
#####################################
|
||||
# sdk_sandbox_domain(domain)
|
||||
# Allow a base set of permissions required for all sdk sandboxes
|
||||
define(`sdk_sandbox_domain', `
|
||||
typeattribute $1 sdk_sandbox_all;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# app_domain(domain)
|
||||
# Allow a base set of permissions required for all apps.
|
||||
|
|
Loading…
Reference in a new issue