3bb7bb2e70
This is a roll-forward of a small chunk of aosp/2170746. The previous CL was causing test breakages (b/240731742, b/240462388, b/240463116). This CL is smaller than the previous one, it only moves allow rules from the platform policy to the apex policy (I believe the error was caused by typeattribute rules). I also ran the closest approximation I could find to the breaking environment, and it appears the tests are passing https://android-build.googleplex.com/builds/abtd/run/L44100000955891118 https://android-build.googleplex.com/builds/abtd/run/L68000000955937148 Bug: 236691128 Test: atest SeamendcHostTest Change-Id: I4c480041838c8c14011f099ba8295097fe9212db
103 lines
3.6 KiB
Text
103 lines
3.6 KiB
Text
###
|
|
### SDK Sandbox process.
|
|
###
|
|
### This file defines the security policy for the sdk sandbox processes.
|
|
|
|
type sdk_sandbox, domain;
|
|
|
|
typeattribute sdk_sandbox coredomain;
|
|
|
|
net_domain(sdk_sandbox)
|
|
app_domain(sdk_sandbox)
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(sdk_sandbox)
|
|
|
|
# Allow profiling if the app opts in by being marked profileable/debuggable.
|
|
can_profile_heap(sdk_sandbox)
|
|
can_profile_perf(sdk_sandbox)
|
|
|
|
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
|
# modify them other than to connect
|
|
allow sdk_sandbox system_server:udp_socket {
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
# allow sandbox to search in sdk system server directory
|
|
# additionally, for webview to work, getattr has been permitted
|
|
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
|
|
# allow sandbox to create files and dirs in sdk data directory
|
|
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
|
|
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
|
|
|
|
# Receive or send uevent messages.
|
|
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
|
|
|
|
# Receive or send generic netlink messages
|
|
neverallow sdk_sandbox domain:netlink_socket *;
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
# best practice to ensure these files aren't readable.
|
|
neverallow sdk_sandbox debugfs:file read;
|
|
|
|
# execute gpu_device
|
|
neverallow sdk_sandbox gpu_device:chr_file execute;
|
|
|
|
# access files in /sys with the default sysfs label
|
|
neverallow sdk_sandbox sysfs:file *;
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
# Create a more specific label if needed
|
|
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
|
|
|
|
# Directly access external storage
|
|
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
|
|
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
# ongoing connections.
|
|
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
|
|
|
|
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
|
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
|
|
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
|
|
|
|
# SDK sandbox processes don't have any access to external storage
|
|
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
|
|
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
|
|
|
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
|
|
|
neverallow sdk_sandbox hal_drm_service:service_manager find;
|
|
|
|
# Only certain system components should have access to sdk_sandbox_system_data_file
|
|
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-installd
|
|
-system_server
|
|
-vold_prepare_subdirs
|
|
} sdk_sandbox_system_data_file:dir { relabelfrom };
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-installd
|
|
-sdk_sandbox
|
|
-system_server
|
|
-vold_prepare_subdirs
|
|
-zygote
|
|
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
|
|
|
|
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
|
|
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
|
|
|
|
# Only dirs should be created at sdk_sandbox_system_data_file level
|
|
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|