304962477a
Define the selinux domain to apply to SDK runtime for targetSdkVersion=34. The existing sdk_sandbox domain has been renamed to sdk_sandbox_next. Future CLs will add logic to apply one of these to the SDK runtime processes on the device, based on a flag. auditallow block from sdk_sandbox has been removed as we haven't yet measured the system health impact of adding this. It'll be added to an audit domain later after we've ruled out negative system health impact. Bug: 270148964 Test: make and boot the test device, load SDK using test app Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
# Bind to ports.
#
# Every domain carrying the netdomain attribute may bind sockets to a node and
# to labeled UDP/TCP ports, with two carve-outs: ephemeral apps and every SDK
# sandbox domain (the sdk_sandbox_all attribute). NOTE(review): per the commit
# message sdk_sandbox_all should now cover both sdk_sandbox_34 and
# sdk_sandbox_next — verify in their .te files, since a domain missing from
# the attribute would silently gain bind here.
# NOTE(review): the SDK-runtime exclusion presumably exists so sandboxed SDK
# code cannot expose a listening service; confirm against the sdk_sandbox
# neverallow rules before relaxing it.
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
# name_bind on a labeled port is granted separately from node_bind above,
# one rule per socket class; the same exclusion set applies to both.
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
#
# The rule below grants netlink route socket bind plus the two gated request
# permissions (nlmsg_readpriv for RTM_GETLINK, nlmsg_getneigh for
# RTM_GETNEIGH{TBL}) to netdomain members, minus the app-facing domains:
# ephemeral apps, mediaprovider, priv_app, every SDK sandbox domain
# (sdk_sandbox_all) and every untrusted app domain (untrusted_app_all).
# NOTE(review): the SDK runtime is excluded the same way untrusted apps are,
# so the app-compat exception granted elsewhere for untrusted_app_25-30 does
# not automatically extend to sdk_sandbox_34 or sdk_sandbox_next — confirm
# that is intended for the SDK runtime.
allow {
netdomain
-ephemeral_app
-mediaprovider
-priv_app
-sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };