platform_system_sepolicy/private/sdk_sandbox.te
Shiwangi Shah 48b2b33844 Add ephemeral service access to sdk sandbox
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.

Test: Manual
Bug: b/227745962
Bug: b/227581095

Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
2022-04-27 09:21:02 +00:00

153 lines
7.1 KiB
Text

###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.
type sdk_sandbox, domain;
typeattribute sdk_sandbox coredomain;
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
# Audit the access to signal that we are still investigating whether sdk_sandbox
# should have access to audio_service
# TODO(b/211632068): remove this line
auditallow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox activity_service:service_manager find;
allow sdk_sandbox activity_task_service:service_manager find;
allow sdk_sandbox appops_service:service_manager find;
allow sdk_sandbox audio_service:service_manager find;
allow sdk_sandbox audioserver_service:service_manager find;
allow sdk_sandbox batteryproperties_service:service_manager find;
allow sdk_sandbox batterystats_service:service_manager find;
allow sdk_sandbox connectivity_service:service_manager find;
allow sdk_sandbox connmetrics_service:service_manager find;
allow sdk_sandbox deviceidle_service:service_manager find;
allow sdk_sandbox display_service:service_manager find;
allow sdk_sandbox dropbox_service:service_manager find;
allow sdk_sandbox font_service:service_manager find;
allow sdk_sandbox game_service:service_manager find;
allow sdk_sandbox gpu_service:service_manager find;
allow sdk_sandbox graphicsstats_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
allow sdk_sandbox imms_service:service_manager find;
allow sdk_sandbox input_method_service:service_manager find;
allow sdk_sandbox input_service:service_manager find;
allow sdk_sandbox IProxyService_service:service_manager find;
allow sdk_sandbox ipsec_service:service_manager find;
allow sdk_sandbox launcherapps_service:service_manager find;
allow sdk_sandbox legacy_permission_service:service_manager find;
allow sdk_sandbox light_service:service_manager find;
allow sdk_sandbox locale_service:service_manager find;
allow sdk_sandbox media_communication_service:service_manager find;
allow sdk_sandbox mediaextractor_service:service_manager find;
allow sdk_sandbox mediametrics_service:service_manager find;
allow sdk_sandbox media_projection_service:service_manager find;
allow sdk_sandbox media_router_service:service_manager find;
allow sdk_sandbox mediaserver_service:service_manager find;
allow sdk_sandbox media_session_service:service_manager find;
allow sdk_sandbox memtrackproxy_service:service_manager find;
allow sdk_sandbox midi_service:service_manager find;
allow sdk_sandbox netpolicy_service:service_manager find;
allow sdk_sandbox netstats_service:service_manager find;
allow sdk_sandbox network_management_service:service_manager find;
allow sdk_sandbox notification_service:service_manager find;
allow sdk_sandbox package_service:service_manager find;
allow sdk_sandbox permission_checker_service:service_manager find;
allow sdk_sandbox permission_service:service_manager find;
allow sdk_sandbox permissionmgr_service:service_manager find;
allow sdk_sandbox platform_compat_service:service_manager find;
allow sdk_sandbox power_service:service_manager find;
allow sdk_sandbox procstats_service:service_manager find;
allow sdk_sandbox registry_service:service_manager find;
allow sdk_sandbox restrictions_service:service_manager find;
allow sdk_sandbox rttmanager_service:service_manager find;
allow sdk_sandbox search_service:service_manager find;
allow sdk_sandbox selection_toolbar_service:service_manager find;
allow sdk_sandbox sensor_privacy_service:service_manager find;
allow sdk_sandbox sensorservice_service:service_manager find;
allow sdk_sandbox servicediscovery_service:service_manager find;
allow sdk_sandbox settings_service:service_manager find;
allow sdk_sandbox speech_recognition_service:service_manager find;
allow sdk_sandbox statusbar_service:service_manager find;
allow sdk_sandbox storagestats_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
allow sdk_sandbox telecom_service:service_manager find;
allow sdk_sandbox tethering_service:service_manager find;
allow sdk_sandbox textclassification_service:service_manager find;
allow sdk_sandbox textservices_service:service_manager find;
allow sdk_sandbox texttospeech_service:service_manager find;
allow sdk_sandbox thermal_service:service_manager find;
allow sdk_sandbox translation_service:service_manager find;
allow sdk_sandbox tv_iapp_service:service_manager find;
allow sdk_sandbox tv_input_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
allow sdk_sandbox vcn_management_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(sdk_sandbox)
can_profile_perf(sdk_sandbox)
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow access to sdksandbox data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
###
### neverallow rules
###
neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;
# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;