platform_system_sepolicy/private/sdk_sandbox.te

###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.

type sdk_sandbox, domain;

typeattribute sdk_sandbox coredomain;

net_domain(sdk_sandbox)
app_domain(sdk_sandbox)

# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox {
    activity_service
    activity_task_service
    appops_service
    audio_service
    audioserver_service
    batteryproperties_service
    batterystats_service
    cameraserver_service
    connectivity_service
    connmetrics_service
    deviceidle_service
    display_service
    dropbox_service
    ephemeral_app_api_service
    font_service
    game_service
    gpu_service
    graphicsstats_service
    hardware_properties_service
    hint_service
    imms_service
    input_method_service
    input_service
    IProxyService_service
    ipsec_service
    launcherapps_service
    legacy_permission_service
    light_service
    locale_service
    media_communication_service
    mediadrmserver_service
    mediaextractor_service
    mediametrics_service
    media_projection_service
    media_router_service
    mediaserver_service
    media_session_service
    memtrackproxy_service
    midi_service
    netpolicy_service
    netstats_service
    network_management_service
    notification_service
    package_service
    permission_checker_service
    permission_service
    permissionmgr_service
    platform_compat_service
    power_service
    procstats_service
    radio_service
    registry_service
    restrictions_service
    rttmanager_service
    search_service
    selection_toolbar_service
    sensor_privacy_service
    sensorservice_service
    servicediscovery_service
    settings_service
    speech_recognition_service
    statusbar_service
    storagestats_service
    surfaceflinger_service
    telecom_service
    tethering_service
    textclassification_service
    textservices_service
    texttospeech_service
    thermal_service
    translation_service
    tv_iapp_service
    tv_input_service
    uimode_service
    vcn_management_service
    webviewupdate_service
}:service_manager find;

allow sdk_sandbox system_linker_exec:file execute_no_trans;

# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox shell_data_file:file r_file_perms;
allow sdk_sandbox shell_data_file:dir r_dir_perms;

# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;

###
### neverallow rules
###

neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };

# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;

# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;

# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };

# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;

# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;

# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;

# SDK sandbox processes don't  have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;

neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;

neverallow sdk_sandbox hal_drm_service:service_manager find;

# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
    domain
    -init
    -installd
    -system_server
    -vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };

neverallow {
    domain
    -init
    -installd
    -sdk_sandbox
    -system_server
    -vold_prepare_subdirs
    -zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

# Only certain domains should be able to open and write to the SDK's data directory.
neverallow {
    domain
    -artd
    -init
    -installd
    -sdk_sandbox
    -vold_prepare_subdirs
} sdk_sandbox_data_file:dir ~{read getattr search};

# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
neverallow {
    domain
    -artd
    -init
    -installd
    -sdk_sandbox
    -vold_prepare_subdirs
} sdk_sandbox_data_file:file ~{append read write getattr lock map};

# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };

# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;