Move allow rules of sdk_sandbox to apex policy
Third attempt to roll-forward the apex_sepolicy changes from
aosp/2179294 and aosp/2170746.
I was finally able to figure out the likely root cause of the test
breakages in internal b/243971667. The related CL aosp/2199179 is making
the apex_sepolicy files mandatory for all AOSP builds.
Without the apex_sepolicy files, mixed GSI builds in internal using AOSP
as base would not implement the sdk_sandbox rules, causing breakages for
the SdkSandbox components.
Bug: 243923977
Test: atest SeamendcHostTest
Change-Id: I27ee933da6648cca8ff1f37bde388f72b4fe6ad6
diff --git a/Android.mk b/Android.mk
index 21bc6a9..c3728fd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -477,6 +477,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
index 9b35268..3c47764 100644
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -1,8 +1,93 @@
-(sid apex)
-(sidorder (apex))
+; This file is required for sepolicy amend (go/seamendc).
+; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
+; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
+; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
+; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
+; successfully.
+(sid amend)
+(sidorder (amend))
-(classorder (file))
+(classorder (file service_manager))
+;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
(type shell)
(type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads))
+(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
+
+;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
+(class service_manager (add find list ))
+
+(type activity_service)
+(type activity_task_service)
+(type appops_service)
+(type audioserver_service)
+(type audio_service)
+(type batteryproperties_service)
+(type batterystats_service)
+(type connectivity_service)
+(type connmetrics_service)
+(type deviceidle_service)
+(type display_service)
+(type dropbox_service)
+(type font_service)
+(type game_service)
+(type gpu_service)
+(type graphicsstats_service)
+(type hardware_properties_service)
+(type hint_service)
+(type imms_service)
+(type input_method_service)
+(type input_service)
+(type IProxyService_service)
+(type ipsec_service)
+(type launcherapps_service)
+(type legacy_permission_service)
+(type light_service)
+(type locale_service)
+(type media_communication_service)
+(type mediaextractor_service)
+(type mediametrics_service)
+(type media_projection_service)
+(type media_router_service)
+(type mediaserver_service)
+(type media_session_service)
+(type memtrackproxy_service)
+(type midi_service)
+(type netpolicy_service)
+(type netstats_service)
+(type network_management_service)
+(type notification_service)
+(type package_service)
+(type permission_checker_service)
+(type permissionmgr_service)
+(type permission_service)
+(type platform_compat_service)
+(type power_service)
+(type procstats_service)
+(type registry_service)
+(type restrictions_service)
+(type rttmanager_service)
+(type sdk_sandbox)
+(type search_service)
+(type selection_toolbar_service)
+(type sensor_privacy_service)
+(type sensorservice_service)
+(type servicediscovery_service)
+(type settings_service)
+(type speech_recognition_service)
+(type statusbar_service)
+(type storagestats_service)
+(type surfaceflinger_service)
+(type system_linker_exec)
+(type telecom_service)
+(type tethering_service)
+(type textclassification_service)
+(type textservices_service)
+(type texttospeech_service)
+(type thermal_service)
+(type translation_service)
+(type tv_iapp_service)
+(type tv_input_service)
+(type uimode_service)
+(type vcn_management_service)
+(type webviewupdate_service)
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
new file mode 100644
index 0000000..7c7b15b
--- /dev/null
+++ b/com.android.sepolicy/33/sdk_sandbox.te
@@ -0,0 +1,77 @@
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d851ab7..3f4a49b 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,84 +10,6 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)