Create sdk_sandbox_all.
Rename sdk_sandbox to sdk_sandbox_34.
Additionally, Extract out parts of sdk_sandbox_34 to
sdk_sandbox_all.te that will be shared with all sdk_sandbox domains.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: I36e0c8795148de83c81dfe12559452812aa2b25e
diff --git a/private/net.te b/private/net.te
index 07e4271..4adf84c 100644
--- a/private/net.te
+++ b/private/net.te
@@ -1,7 +1,7 @@
# Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@@ -13,7 +13,7 @@
-ephemeral_app
-mediaprovider
-priv_app
- -sdk_sandbox
+ -sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };