304962477a
Define the selinux domain to apply to SDK runtime for targetSdkVersion=34. The existing sdk_sandbox domain has been renamed to sdk_sandbox_next. Future CLs will add logic to apply one of these to the SDK runtime processes on the device, based on a flag. auditallow block from sdk_sandbox has been removed as we haven't yet measured the system health impact of adding this. It'll be added to an audit domain later after we've ruled out negative system health impact. Bug: 270148964 Test: make and boot the test device, load SDK using test app Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
81 lines
4.3 KiB
Text
81 lines
4.3 KiB
Text
###
|
|
### SDK Sandbox process.
|
|
###
|
|
### This file defines the security policy for the sdk sandbox processes
|
|
### for targetSdkVersion=34.
|
|
type sdk_sandbox_34, domain;
|
|
|
|
typeattribute sdk_sandbox_34 coredomain;
|
|
|
|
sdk_sandbox_domain(sdk_sandbox_34)
|
|
app_domain(sdk_sandbox_34)
|
|
|
|
# services
|
|
allow sdk_sandbox_34 audioserver_service:service_manager find;
|
|
allow sdk_sandbox_34 cameraserver_service:service_manager find;
|
|
allow sdk_sandbox_34 mediaserver_service:service_manager find;
|
|
allow sdk_sandbox_34 mediaextractor_service:service_manager find;
|
|
allow sdk_sandbox_34 mediametrics_service:service_manager find;
|
|
allow sdk_sandbox_34 mediadrmserver_service:service_manager find;
|
|
allow sdk_sandbox_34 drmserver_service:service_manager find;
|
|
allow sdk_sandbox_34 radio_service:service_manager find;
|
|
allow sdk_sandbox_34 ephemeral_app_api_service:service_manager find;
|
|
|
|
allow sdk_sandbox_34 activity_service:service_manager find;
|
|
allow sdk_sandbox_34 activity_task_service:service_manager find;
|
|
allow sdk_sandbox_34 appops_service:service_manager find;
|
|
allow sdk_sandbox_34 audio_service:service_manager find;
|
|
allow sdk_sandbox_34 batteryproperties_service:service_manager find;
|
|
allow sdk_sandbox_34 batterystats_service:service_manager find;
|
|
allow sdk_sandbox_34 connectivity_service:service_manager find;
|
|
allow sdk_sandbox_34 connmetrics_service:service_manager find;
|
|
allow sdk_sandbox_34 deviceidle_service:service_manager find;
|
|
allow sdk_sandbox_34 display_service:service_manager find;
|
|
allow sdk_sandbox_34 dropbox_service:service_manager find;
|
|
allow sdk_sandbox_34 font_service:service_manager find;
|
|
allow sdk_sandbox_34 gpu_service:service_manager find;
|
|
allow sdk_sandbox_34 graphicsstats_service:service_manager find;
|
|
allow sdk_sandbox_34 hardware_properties_service:service_manager find;
|
|
allow sdk_sandbox_34 imms_service:service_manager find;
|
|
allow sdk_sandbox_34 IProxyService_service:service_manager find;
|
|
allow sdk_sandbox_34 ipsec_service:service_manager find;
|
|
allow sdk_sandbox_34 launcherapps_service:service_manager find;
|
|
allow sdk_sandbox_34 legacy_permission_service:service_manager find;
|
|
allow sdk_sandbox_34 light_service:service_manager find;
|
|
allow sdk_sandbox_34 locale_service:service_manager find;
|
|
allow sdk_sandbox_34 media_communication_service:service_manager find;
|
|
allow sdk_sandbox_34 media_session_service:service_manager find;
|
|
allow sdk_sandbox_34 memtrackproxy_service:service_manager find;
|
|
allow sdk_sandbox_34 midi_service:service_manager find;
|
|
allow sdk_sandbox_34 notification_service:service_manager find;
|
|
allow sdk_sandbox_34 package_service:service_manager find;
|
|
allow sdk_sandbox_34 permission_checker_service:service_manager find;
|
|
allow sdk_sandbox_34 permissionmgr_service:service_manager find;
|
|
allow sdk_sandbox_34 permission_service:service_manager find;
|
|
allow sdk_sandbox_34 platform_compat_service:service_manager find;
|
|
allow sdk_sandbox_34 procstats_service:service_manager find;
|
|
allow sdk_sandbox_34 registry_service:service_manager find;
|
|
allow sdk_sandbox_34 restrictions_service:service_manager find;
|
|
allow sdk_sandbox_34 search_service:service_manager find;
|
|
allow sdk_sandbox_34 selection_toolbar_service:service_manager find;
|
|
allow sdk_sandbox_34 sensor_privacy_service:service_manager find;
|
|
allow sdk_sandbox_34 sensorservice_service:service_manager find;
|
|
allow sdk_sandbox_34 servicediscovery_service:service_manager find;
|
|
allow sdk_sandbox_34 settings_service:service_manager find;
|
|
allow sdk_sandbox_34 speech_recognition_service:service_manager find;
|
|
allow sdk_sandbox_34 statusbar_service:service_manager find;
|
|
allow sdk_sandbox_34 surfaceflinger_service:service_manager find;
|
|
allow sdk_sandbox_34 telecom_service:service_manager find;
|
|
allow sdk_sandbox_34 textservices_service:service_manager find;
|
|
allow sdk_sandbox_34 texttospeech_service:service_manager find;
|
|
allow sdk_sandbox_34 thermal_service:service_manager find;
|
|
allow sdk_sandbox_34 translation_service:service_manager find;
|
|
allow sdk_sandbox_34 tv_iapp_service:service_manager find;
|
|
allow sdk_sandbox_34 tv_input_service:service_manager find;
|
|
allow sdk_sandbox_34 uimode_service:service_manager find;
|
|
allow sdk_sandbox_34 vcn_management_service:service_manager find;
|
|
allow sdk_sandbox_34 webviewupdate_service:service_manager find;
|
|
|
|
# Allow sdk_sandbox_34 to read/write files in visible storage if provided fds
|
|
allow sdk_sandbox_34 { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
|
|
|