Revert "Move parts of sdk_sandbox from private to apex policy"
Revert "Add java SeamendcHostTest in cts"
Revert submission 2111065-seamendc
Reason for revert: b/240731742, b/240462388 and b/240463116
Reverted Changes:
I3ce2845f2:Move parts of sdk_sandbox from private to apex pol...
I0c10106e2:Add java SeamendcHostTest in cts
Test: revert cl
Change-Id: If9981796694b22b7cbfe1368cd815889c741e69d
diff --git a/Android.bp b/Android.bp
index 0770a64..467f80e 100644
--- a/Android.bp
+++ b/Android.bp
@@ -373,44 +373,19 @@
additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
}
+
se_policy_conf {
name: "apex_sepolicy-33.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy +
- product_public_policy +
- product_private_policy +
- ["com.android.sepolicy/33/*.te"],
+ srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
installable: false,
}
se_policy_cil {
name: "apex_sepolicy-33.cil",
src: ":apex_sepolicy-33.conf",
- filter_out: [
- ":plat_sepolicy.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ],
+ filter_out: [":plat_sepolicy.cil"],
installable: false,
stem: "apex_sepolicy.cil",
- remove_line_marker: true,
-}
-
-se_policy_cil {
- name: "decompiled_sepolicy-without_apex.cil",
- src: ":precompiled_sepolicy-without_apex",
- decompile_binary: true,
-}
-
-se_policy_cil {
- name: "apex_sepolicy-decompiled.cil",
- src: ":precompiled_sepolicy",
- decompile_binary: true,
- filter_out: [":decompiled_sepolicy-without_apex.cil"],
- additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
- secilc_check: false,
}
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
@@ -921,50 +896,6 @@
},
}
-precompiled_se_policy_binary {
- name: "precompiled_sepolicy-without_apex",
- srcs: [
- ":plat_sepolicy.cil",
- ":plat_pub_versioned.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
- ],
- soong_config_variables: {
- BOARD_USES_ODMIMAGE: {
- device_specific: true,
- conditions_default: {
- vendor: true,
- },
- },
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
- },
- required: [
- "sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
- ],
- dist: {
- targets: ["base-sepolicy-files-for-mapping"],
- },
-}
-
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 380faff..3946a04 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,10 +287,6 @@
// Policy file to be compiled to cil file.
Src *string `android:"path"`
- // If true, the input policy file is a binary policy that will be decompiled to a cil file.
- // Defaults to false.
- Decompile_binary *bool
-
// Additional cil files to be added in the end of the output. This is to support workarounds
// which are not supported by the policy language.
Additional_cil_files []string `android:"path"`
@@ -342,22 +338,17 @@
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
- if proptools.Bool(c.properties.Decompile_binary) {
- rule.Command().BuiltTool("checkpolicy").
- Flag("-b"). // Read binary
- Flag("-C"). // Write CIL
- Flag("-M"). // Enable MLS
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- FlagWithOutput("-o ", cil).
- Input(conf)
- } else {
- rule.Command().BuiltTool("checkpolicy").
- Flag("-C"). // Write CIL
- Flag("-M"). // Enable MLS
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- FlagWithOutput("-o ", cil).
- Input(conf)
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
}
if len(c.properties.Filter_out) > 0 {
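Review bot: The restored `cat … >> cil` for Additional_cil_files now runs before the filter_out step that begins on the last line of this hunk (and before the remove_line_marker step that follows it), so lines from the additional cil files are themselves subject to filtering, while the property's doc comment in the earlier hunk, `// Additional cil files to be added in the end of the output.`, reads as if they were appended last. If that ordering is intended, suggest making the comment say so: `// Additional cil files appended to the compiled cil before filter_out and remove_line_marker run, so their lines are subject to both steps.` If it is not intended, the block would have to stay after the filter_out step, as it was before this revert; I cannot tell from the hunk which is meant. compileConfToCil continues past the end of this hunk.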
@@ -368,12 +359,6 @@
FlagWithOutput("-t ", cil)
}
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
- }
-
if proptools.Bool(c.properties.Remove_line_marker) {
rule.Command().Text("grep -v").
Text(proptools.ShellEscape(";;")).
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
deleted file mode 100644
index 447f2be..0000000
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ /dev/null
@@ -1,528 +0,0 @@
-(sid test)
-(sidorder (test))
-
-(classorder (file service_manager fd sock_file unix_stream_socket process dir udp_socket anon_inode fifo_file lnk_file unix_dgram_socket lockdown netlink_route_socket tcp_socket rawip_socket icmp_socket chr_file binder hwservice_manager))
-
-;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
-(type shell)
-(type sepolicy_test_file)
-(class file (ioctl read write getattr lock map open watch watch_reads execute_no_trans append create setattr unlink rename execute relabelfrom relabelto link watch_mount watch_sb watch_with_perm entrypoint execmod audit_access mounton quotaon))
-
-;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
-(role r)
-(role object_r)
-
-(class service_manager (add find list ))
-(class sock_file (write))
-(class fd (use ))
-(class unix_stream_socket (ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown connectto))
-(class process (fork sigchld sigkill sigstop signull ptrace transition signal siginh rlimitinh getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit execmem dyntransition noatsecure))
-(class dir (ioctl read write create getattr setattr lock rename open watch watch_reads relabelfrom relabelto append map unlink link add_name remove_name reparent search rmdir execute quotaon watch_with_perm watch_sb watch_mount execmod audit_access mounton))
-(class udp_socket (ioctl read write getattr setattr connect getopt setopt recvfrom sendto node_bind name_bind create lock append map bind shutdown))
-(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
-(class unix_dgram_socket (ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown sendto))
-(class fifo_file (ioctl read write getattr lock append map open watch watch_reads))
-(class lnk_file (ioctl read getattr lock map open watch watch_reads))
-(class lockdown (confidentiality))
-(class netlink_route_socket (read write create getattr setattr lock append connect getopt setopt shutdown nlmsg_read bind nlmsg_getneigh nlmsg_readpriv))
-(class tcp_socket (node_bind name_bind ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown))
-(class rawip_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
-(class icmp_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
-(class binder (call transfer))
-(class chr_file (ioctl read write getattr lock append map open watch watch_reads))
-(class hwservice_manager (find))
-
-(typeattribute domain)
-(typeattribute coredomain)
-(typeattribute netdomain)
-(typeattribute appdomain)
-
-(type activity_service)
-(type activity_task_service)
-(type adbd)
-(type adsprpcd)
-(type aidl_lazy_test_server)
-(type airbrush)
-(type apexd)
-(type apexd_derive_classpath)
-(type apex_test_prepostinstall)
-(type appdomain_tmpfs)
-(type appops_service)
-(type app_zygote)
-(type artd)
-(type atrace)
-(type audioserver)
-(type audioserver_service)
-(type audio_service)
-(type auditctl)
-(type automotive_display_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type binder_device)
-(type blank_screen)
-(type blkid)
-(type blkid_untrusted)
-(type bluetooth)
-(type bootanim)
-(type bootstat)
-(type boringssl_self_test)
-(type bpfloader)
-(type bt_logger)
-(type bufferhubd)
-(type cameraserver)
-(type canhalconfigurator)
-(type cbrs_setup_app)
-(type cdsprpcd)
-(type charger)
-(type charger_vendor)
-(type chre)
-(type citadeld)
-(type citadel_provision)
-(type clatd)
-(type cnd)
-(type codec2_config_prop)
-(type color_init)
-(type composd)
-(type compos_fd_server)
-(type compos_verify)
-(type con_monitor_app)
-(type connectivity_service)
-(type connmetrics_service)
-(type cppreopts)
-(type crash_dump)
-(type crash_dump_exec)
-(type credstore)
-(type crosvm)
-(type dataservice_app)
-(type derive_classpath)
-(type derive_sdk)
-(type device_config_nnapi_native_prop)
-(type device_drop_monitor)
-(type deviceidle_service)
-(type dex2oat)
-(type dexoptanalyzer)
-(type dhcp)
-(type diag)
-(type diced)
-(type display_service)
-(type dmabuf_system_heap_device)
-(type dmabuf_system_secure_heap_device)
-(type dmesgd)
-(type dnsmasq)
-(type drmserver)
-(type dropbox_service)
-(type dumpstate)
-(type e2fs)
-(type ephemeral_app)
-(type evsmanagerd)
-(type extra_free_kbytes)
-(type face_debug)
-(type fastbootd)
-(type fingerprintd)
-(type flags_health_check)
-(type font_service)
-(type fsck)
-(type fsck_untrusted)
-(type fstman)
-(type fsverity_init)
-(type fwk_bufferhub)
-(type game_service)
-(type gatekeeperd)
-(type gki_apex_prepostinstall)
-(type gmscore_app)
-(type google_camera_app)
-(type google_touch_app)
-(type gpu_device)
-(type gpu_service)
-(type gpuservice)
-(type graphicsstats_service)
-(type grilservice_app)
-(type gsid)
-(type hal_allocator_default)
-(type hal_allocator_server)
-(type hal_atrace_default)
-(type hal_audiocontrol_default)
-(type hal_audio_default)
-(type hal_authsecret_default)
-(type hal_bluetooth_btlinux)
-(type hal_bluetooth_default)
-(type hal_bluetooth_qti)
-(type hal_bootctl_default)
-(type hal_broadcastradio_default)
-(type hal_camera_default)
-(type hal_can_socketcan)
-(type hal_cas_default)
-(type hal_cas_hwservice)
-(type hal_cas_server)
-(type hal_codec2_hwservice)
-(type hal_codec2_server)
-(type hal_configstore_default)
-(type hal_configstore_ISurfaceFlingerConfigs)
-(type hal_configstore_server)
-(type hal_confirmationui_default)
-(type hal_contexthub_default)
-(type hal_dice_default)
-(type hal_display_color_default)
-(type hal_drm_clearkey)
-(type hal_drm_clearkey_aidl)
-(type hal_drm_default)
-(type hal_drm_server)
-(type hal_drm_widevine)
-(type hal_dumpstate_default)
-(type hal_dumpstate_impl)
-(type hal_evs_default)
-(type hal_face_default)
-(type hal_fingerprint_default)
-(type hal_gatekeeper_default)
-(type hal_gatekeeper_qti)
-(type hal_gnss_default)
-(type hal_gnss_qti)
-(type hal_graphics_allocator_default)
-(type hal_graphics_allocator_hwservice)
-(type hal_graphics_allocator_server)
-(type hal_graphics_allocator_service)
-(type hal_graphics_composer_default)
-(type hal_graphics_mapper_hwservice)
-(type hal_health_default)
-(type hal_health_storage_default)
-(type hal_identity_citadel)
-(type hal_identity_default)
-(type hal_imsrtp)
-(type hal_input_classifier_default)
-(type hal_input_processor_default)
-(type hal_ir_default)
-(type hal_keymaster_citadel)
-(type hal_keymaster_default)
-(type hal_keymaster_qti)
-(type hal_keymint_citadel)
-(type hal_keymint_default)
-(type hal_light_default)
-(type hal_lowpan_default)
-(type hal_memtrack_default)
-(type hal_neuralnetworks_darwinn)
-(type hal_neuralnetworks_default)
-(type hal_neuralnetworks_hwservice)
-(type hal_neuralnetworks_server)
-(type hal_neuralnetworks_service)
-(type hal_nfc_default)
-(type hal_oemlock_default)
-(type hal_omx_hwservice)
-(type hal_omx_server)
-(type hal_power_default)
-(type hal_power_stats_default)
-(type hal_qseecom_default)
-(type hal_qteeconnector_qti)
-(type hal_radio_config_default)
-(type hal_radio_default)
-(type hal_radioext_default)
-(type hal_rcsservice)
-(type hal_rebootescrow_citadel)
-(type hal_rebootescrow_default)
-(type hal_renderscript_hwservice)
-(type hal_secure_element_default)
-(type hal_sensors_default)
-(type hal_tetheroffload_default)
-(type hal_thermal_default)
-(type hal_tui_comm_qti)
-(type hal_tv_cec_default)
-(type hal_tv_input_default)
-(type hal_tv_tuner_default)
-(type hal_tv_tuner_server)
-(type hal_usb_default)
-(type hal_usb_gadget_default)
-(type hal_usb_gadget_impl)
-(type hal_usb_impl)
-(type hal_uwb_default)
-(type hal_vehicle_default)
-(type hal_vibrator_default)
-(type hal_vr_default)
-(type hal_weaver_citadel)
-(type hal_weaver_default)
-(type hal_wifi_default)
-(type hal_wifi_ext)
-(type hal_wifi_hostapd_default)
-(type hal_wifi_supplicant_default)
-(type hal_wlc)
-(type hardware_info_app)
-(type hardware_properties_service)
-(type hbmsvmanager_app)
-(type healthd)
-(type heapprofd)
-(type heapprofd_socket)
-(type heapprofd_tmpfs)
-(type hidl_allocator_hwservice)
-(type hidl_lazy_test_server)
-(type hidl_manager_hwservice)
-(type hidl_memory_hwservice)
-(type hidl_token_hwservice)
-(type hint_service)
-(type hwbinder_device)
-(type hwservicemanager)
-(type hwservicemanager_prop)
-(type idmap)
-(type imms_service)
-(type ims)
-(type incident)
-(type incidentd)
-(type incident_helper)
-(type init)
-(type init_citadel)
-(type init_dp)
-(type init-insmod-sh)
-(type init-mm-logging-sh)
-(type init-qti-keymaster-sh)
-(type init_radio)
-(type init-thermal-logging-sh)
-(type init-thermal-symlinks-sh)
-(type inputflinger)
-(type input_method_service)
-(type input_service)
-(type installd)
-(type ion_device)
-(type IProxyService_service)
-(type ipsec_service)
-(type irsc_util)
-(type isolated_app)
-(type iw)
-(type kernel)
-(type keystore)
-(type launcherapps_service)
-(type legacy_permission_service)
-(type light_service)
-(type linkerconfig)
-(type llkd)
-(type lmkd)
-(type locale_service)
-(type location)
-(type logd)
-(type logger_app)
-(type logpersist)
-(type lpdumpd)
-(type mdm_helper)
-(type mdnsd)
-(type mediacodec)
-(type media_communication_service)
-(type mediadrmserver)
-(type mediaextractor)
-(type mediaextractor_service)
-(type mediametrics)
-(type mediametrics_service)
-(type media_projection_service)
-(type mediaprovider)
-(type mediaprovider_app)
-(type media_router_service)
-(type mediaserver)
-(type mediaserver_service)
-(type media_session_service)
-(type mediaswcodec)
-(type mediatranscoding)
-(type mediatuner)
-(type media_variant_prop)
-(type memtrackproxy_service)
-(type midi_service)
-(type migrate_legacy_obb_data)
-(type mm_events)
-(type modem_diagnostic_app)
-(type modem_svc)
-(type modprobe)
-(type msm_irqbalanced)
-(type mtectrl)
-(type mtp)
-(type netd)
-(type netmgrd)
-(type netpolicy_service)
-(type netstats_service)
-(type netutils_wrapper)
-(type network_management_service)
-(type network_stack)
-(type nfc)
-(type nnapi_ext_deny_product_prop)
-(type notification_service)
-(type obdm_app)
-(type odrefresh)
-(type odsign)
-(type omadm_app)
-(type oslo_app)
-(type otapreopt_chroot)
-(type otapreopt_slot)
-(type package_service)
-(type perfetto)
-(type performanced)
-(type permission_checker_service)
-(type permissioncontroller_app)
-(type permissionmgr_service)
-(type permission_service)
-(type pixelstats_system)
-(type pixelstats_vendor)
-(type pixel-thermal-control-sh)
-(type platform_app)
-(type platform_compat_service)
-(type port-bridge)
-(type postinstall)
-(type postinstall_dexopt)
-(type power_service)
-(type ppp)
-(type preloads_copy)
-(type preopt2cachename)
-(type priv_app)
-(type procstats_service)
-(type profcollectd)
-(type profman)
-(type qlogd)
-(type qrtr)
-(type qtelephony)
-(type qtidataservices_app)
-(type qti_init_shell)
-(type racoon)
-(type radio)
-(type radio_data_file)
-(type ramdump_app)
-(type ramoops)
-(type recovery)
-(type recovery_persist)
-(type recovery_refresh)
-(type registry_service)
-(type remote_prov_app)
-(type remount)
-(type restrictions_service)
-(type rfs_access)
-(type ril_config_service_app)
-(type rild)
-(type rlsservice)
-(type rmt_storage)
-(type rs)
-(type rss_hwm_reset)
-(type rttmanager_service)
-(type runas)
-(type runas_app)
-(type same_process_hal_file)
-(type sdcardd)
-(type sdk_sandbox)
-(type sdk_sandbox_data_file)
-(type sdk_sandbox_system_data_file)
-(type search_service)
-(type sec_nvm)
-(type secure_element)
-(type secure_ui_service_app)
-(type selection_toolbar_service)
-(type sensor_privacy_service)
-(type sensors)
-(type sensorservice_service)
-(type servicediscovery_service)
-(type servicemanager)
-(type servicemanager_prop)
-(type settings_service)
-(type sgdisk)
-(type shared_relro)
-; (type shell)
-(type simpleperf)
-(type simpleperf_app_runner)
-(type simpleperf_boot)
-(type slideshow)
-(type smcinvoke_daemon)
-(type snapshotctl)
-(type snapuserd)
-(type spdaemon)
-(type speech_recognition_service)
-(type sprint_hidden_menu)
-(type ssr_detector_app)
-(type stats)
-(type statsd)
-(type statusbar_service)
-(type storaged)
-(type storagestats_service)
-(type su)
-(type surfaceflinger)
-(type surfaceflinger_service)
-(type sysfs_gpu)
-(type system_app)
-(type system_linker_exec)
-(type system_server)
-(type system_server_startup)
-(type system_suspend)
-(type tcpdump_logger)
-(type tee)
-(type telecom_service)
-(type tethering_service)
-(type textclassification_service)
-(type textclassifier_data_file)
-(type textservices_service)
-(type texttospeech_service)
-(type thermal-engine)
-(type thermal_service)
-(type time_daemon)
-(type timeservice_app)
-(type tmpfs)
-(type tombstoned)
-(type toolbox)
-(type traced)
-(type traced_perf)
-(type traced_perf_socket)
-(type traced_probes)
-(type traced_producer_socket)
-(type traced_tmpfs)
-(type traceur_app)
-(type translation_service)
-(type tv_iapp_service)
-(type tv_input_service)
-(type twoshay)
-(type ueventd)
-(type uimode_service)
-(type uncrypt)
-(type untrusted_app)
-(type untrusted_app_25)
-(type untrusted_app_27)
-(type untrusted_app_29)
-(type untrusted_app_30)
-(type update_engine)
-(type update_verifier)
-(type usbd)
-(type uscc_omadm)
-(type uv_exposure_reporter)
-(type vcn_management_service)
-(type vdc)
-(type vehicle_binding_util)
-(type vendor_boringssl_self_test)
-(type vendor_file)
-(type vendor_ia_crash_dump)
-(type vendor_init)
-(type vendor_install_recovery)
-(type vendor_misc_writer)
-(type vendor_modprobe)
-(type vendor_pd_mapper)
-(type vendor_per_mgr)
-(type vendor_shell)
-(type vendor_ssr_diag)
-(type vendor_ssr_setup)
-(type vendor_subsystem_ramdump)
-(type viewcompiler)
-(type virtualizationservice)
-(type virtual_touchpad)
-(type vndservicemanager)
-(type vold)
-(type vold_prepare_subdirs)
-(type vzw_omadm_connmo)
-(type vzw_omadm_dcmo)
-(type vzw_omadm_diagmon)
-(type vzw_omadm_trigger)
-(type vzwomatrigger_app)
-(type wait_for_keymaster)
-(type wait_for_strongbox)
-(type watchdogd)
-(type wcnss_service)
-(type webviewupdate_service)
-(type webview_zygote)
-(type wfc_activation_app)
-(type wificond)
-(type wifidisplayhalservice_qti)
-(type wifi_sniffer)
-(type wigighalsvc)
-(type wigignpt)
-(type wpantund)
-(type zygote)
-
-(type boot_status_prop)
-(allow dumpstate domain (dir (ioctl read getattr lock open watch watch_reads search)))
-(allow coredomain boot_status_prop (file (read getattr map open)))
-(allow netdomain netd (unix_stream_socket (connectto)))
-(allow appdomain traced (fd (use)))
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
deleted file mode 100644
index f3f9a67..0000000
--- a/com.android.sepolicy/33/sdk_sandbox.te
+++ /dev/null
@@ -1,112 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file extends the sdk sandbox policy at system/sepolicy/private/sdk_sandbox.te
-
-typeattribute sdk_sandbox domain;
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 1bb2c21..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -3,7 +3,114 @@
###
### This file defines the security policy for the sdk sandbox processes.
-type sdk_sandbox;
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
###
### neverallow rules
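Review bot: The comment above the udp_socket rule, `# allow sdk sandbox to use UDP sockets provided by the system server but not modify them other than to connect`, understates what the rule grants: `setopt` and `write` are in the permission set, so the sandbox can change socket options on a system_server-owned socket, not merely connect it. Suggest `# allow sdk sandbox to use UDP sockets handed over by system_server (connect, read/write, get/set options) but not create, bind or shut them down` so the comment matches the granted permissions. The rule appears to be the same text moved back from the deleted com.android.sepolicy/33/sdk_sandbox.te, so this is a documentation point rather than a new grant. The Perfetto comment in the same hunk also has a typo: `traced damon` should read `traced daemon`.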