platform_system_sepolicy/private/sdk_sandbox.te
sandrom e6971f1330 Move parts of sdk_sandbox from private to apex policy
Bug: 236691128
Test: atest SeamendcHostTest

Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
2022-07-27 13:39:06 +00:00

78 lines
2.6 KiB
Text

###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.
type sdk_sandbox;
###
### neverallow rules
###
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;
# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };
neverallow {
domain
-init
-installd
-sdk_sandbox
-system_server
-vold_prepare_subdirs
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;