Merge "aconfigd: cleanup" into main
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index b4c655b..41b2799 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -124,3 +124,25 @@
# Only dirs should be created at sdk_sandbox_all_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+# Restrict unix stream sockets for IPC.
+neverallow sdk_sandbox_all {
+ domain
+ -sdk_sandbox_all
+ -netd
+ -logd
+ -adbd
+ userdebug_or_eng(`-su')
+ # needed for profiling
+ -traced
+ -traced_perf
+ -heapprofd
+ # fallback crash handling for processes that can't exec crash_dump.
+ -tombstoned
+ # needed to connect to PRNG seeder daemon.
+ -prng_seeder
+}:unix_stream_socket connectto;
+neverallow {
+ domain
+ -adbd
+ -sdk_sandbox_all
+} sdk_sandbox_all:unix_stream_socket connectto;