d2ffd35cc0
Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
176 lines
8.1 KiB
Text
176 lines
8.1 KiB
Text
###
|
|
### SDK Sandbox process.
|
|
###
|
|
### This file defines the security policy for the sdk sandbox processes.
|
|
|
|
type sdk_sandbox, domain;
|
|
|
|
typeattribute sdk_sandbox coredomain;
|
|
|
|
net_domain(sdk_sandbox)
|
|
app_domain(sdk_sandbox)
|
|
|
|
# Allow finding services. This is different from ephemeral_app policy.
|
|
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
|
# Audit the access to signal that we are still investigating whether sdk_sandbox
|
|
# should have access to audio_service
|
|
# TODO(b/211632068): remove this line
|
|
auditallow sdk_sandbox audio_service:service_manager find;
|
|
|
|
allow sdk_sandbox activity_service:service_manager find;
|
|
allow sdk_sandbox activity_task_service:service_manager find;
|
|
allow sdk_sandbox appops_service:service_manager find;
|
|
allow sdk_sandbox audio_service:service_manager find;
|
|
allow sdk_sandbox audioserver_service:service_manager find;
|
|
allow sdk_sandbox batteryproperties_service:service_manager find;
|
|
allow sdk_sandbox batterystats_service:service_manager find;
|
|
allow sdk_sandbox connectivity_service:service_manager find;
|
|
allow sdk_sandbox connmetrics_service:service_manager find;
|
|
allow sdk_sandbox deviceidle_service:service_manager find;
|
|
allow sdk_sandbox display_service:service_manager find;
|
|
allow sdk_sandbox dropbox_service:service_manager find;
|
|
allow sdk_sandbox font_service:service_manager find;
|
|
allow sdk_sandbox game_service:service_manager find;
|
|
allow sdk_sandbox gpu_service:service_manager find;
|
|
allow sdk_sandbox graphicsstats_service:service_manager find;
|
|
allow sdk_sandbox hardware_properties_service:service_manager find;
|
|
allow sdk_sandbox hint_service:service_manager find;
|
|
allow sdk_sandbox imms_service:service_manager find;
|
|
allow sdk_sandbox input_method_service:service_manager find;
|
|
allow sdk_sandbox input_service:service_manager find;
|
|
allow sdk_sandbox IProxyService_service:service_manager find;
|
|
allow sdk_sandbox ipsec_service:service_manager find;
|
|
allow sdk_sandbox launcherapps_service:service_manager find;
|
|
allow sdk_sandbox legacy_permission_service:service_manager find;
|
|
allow sdk_sandbox light_service:service_manager find;
|
|
allow sdk_sandbox locale_service:service_manager find;
|
|
allow sdk_sandbox media_communication_service:service_manager find;
|
|
allow sdk_sandbox mediaextractor_service:service_manager find;
|
|
allow sdk_sandbox mediametrics_service:service_manager find;
|
|
allow sdk_sandbox media_projection_service:service_manager find;
|
|
allow sdk_sandbox media_router_service:service_manager find;
|
|
allow sdk_sandbox mediaserver_service:service_manager find;
|
|
allow sdk_sandbox media_session_service:service_manager find;
|
|
allow sdk_sandbox memtrackproxy_service:service_manager find;
|
|
allow sdk_sandbox midi_service:service_manager find;
|
|
allow sdk_sandbox netpolicy_service:service_manager find;
|
|
allow sdk_sandbox netstats_service:service_manager find;
|
|
allow sdk_sandbox network_management_service:service_manager find;
|
|
allow sdk_sandbox notification_service:service_manager find;
|
|
allow sdk_sandbox package_service:service_manager find;
|
|
allow sdk_sandbox permission_checker_service:service_manager find;
|
|
allow sdk_sandbox permission_service:service_manager find;
|
|
allow sdk_sandbox permissionmgr_service:service_manager find;
|
|
allow sdk_sandbox platform_compat_service:service_manager find;
|
|
allow sdk_sandbox power_service:service_manager find;
|
|
allow sdk_sandbox procstats_service:service_manager find;
|
|
allow sdk_sandbox registry_service:service_manager find;
|
|
allow sdk_sandbox restrictions_service:service_manager find;
|
|
allow sdk_sandbox rttmanager_service:service_manager find;
|
|
allow sdk_sandbox search_service:service_manager find;
|
|
allow sdk_sandbox selection_toolbar_service:service_manager find;
|
|
allow sdk_sandbox sensor_privacy_service:service_manager find;
|
|
allow sdk_sandbox sensorservice_service:service_manager find;
|
|
allow sdk_sandbox servicediscovery_service:service_manager find;
|
|
allow sdk_sandbox settings_service:service_manager find;
|
|
allow sdk_sandbox speech_recognition_service:service_manager find;
|
|
allow sdk_sandbox statusbar_service:service_manager find;
|
|
allow sdk_sandbox storagestats_service:service_manager find;
|
|
allow sdk_sandbox surfaceflinger_service:service_manager find;
|
|
allow sdk_sandbox telecom_service:service_manager find;
|
|
allow sdk_sandbox tethering_service:service_manager find;
|
|
allow sdk_sandbox textclassification_service:service_manager find;
|
|
allow sdk_sandbox textservices_service:service_manager find;
|
|
allow sdk_sandbox texttospeech_service:service_manager find;
|
|
allow sdk_sandbox thermal_service:service_manager find;
|
|
allow sdk_sandbox translation_service:service_manager find;
|
|
allow sdk_sandbox tv_iapp_service:service_manager find;
|
|
allow sdk_sandbox tv_input_service:service_manager find;
|
|
allow sdk_sandbox uimode_service:service_manager find;
|
|
allow sdk_sandbox vcn_management_service:service_manager find;
|
|
allow sdk_sandbox webviewupdate_service:service_manager find;
|
|
|
|
allow sdk_sandbox system_linker_exec:file execute_no_trans;
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(sdk_sandbox)
|
|
|
|
# Allow profiling if the app opts in by being marked profileable/debuggable.
|
|
can_profile_heap(sdk_sandbox)
|
|
can_profile_perf(sdk_sandbox)
|
|
|
|
# allow sdk sandbox to use UDP sockets provided by the system server but not
|
|
# modify them other than to connect
|
|
allow sdk_sandbox system_server:udp_socket {
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
# allow sandbox to search in sdk system server directory
|
|
# additionally, for webview to work, getattr has been permitted
|
|
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
|
|
# allow sandbox to create files and dirs in sdk data directory
|
|
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
|
|
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
|
|
|
|
# Receive or send uevent messages.
|
|
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
|
|
|
|
# Receive or send generic netlink messages
|
|
neverallow sdk_sandbox domain:netlink_socket *;
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
# best practice to ensure these files aren't readable.
|
|
neverallow sdk_sandbox debugfs:file read;
|
|
|
|
# execute gpu_device
|
|
neverallow sdk_sandbox gpu_device:chr_file execute;
|
|
|
|
# access files in /sys with the default sysfs label
|
|
neverallow sdk_sandbox sysfs:file *;
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
# Create a more specific label if needed
|
|
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
|
|
|
|
# Directly access external storage
|
|
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
|
|
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
# ongoing connections.
|
|
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
|
|
|
|
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
|
|
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
|
|
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
|
|
|
|
# SDK sandbox processes don't have any access to external storage
|
|
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
|
|
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
|
|
|
|
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
|
|
|
|
neverallow sdk_sandbox hal_drm_service:service_manager find;
|
|
|
|
# Only certain system components should have access to sdk_sandbox_system_data_file
|
|
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-installd
|
|
-sdk_sandbox
|
|
-system_server
|
|
-vold_prepare_subdirs
|
|
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
|
|
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
|
|
|
|
# Only dirs should be created at sdk_sandbox_system_data_file level
|
|
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
|