Create sdk_sandbox_all.
Rename sdk_sandbox to sdk_sandbox_34.
Additionally, Extract out parts of sdk_sandbox_34 to
sdk_sandbox_all.te that will be shared with all sdk_sandbox domains.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: I36e0c8795148de83c81dfe12559452812aa2b25e
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
new file mode 100644
index 0000000..9a3f05f
--- /dev/null
+++ b/private/sdk_sandbox_all.te
@@ -0,0 +1,122 @@
+###
+### sdk_sandbox_all
+###
+### This file defines the rules shared by all sdk_sandbox_all domains.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The sdk_sandbox_all_all attribute is assigned to all default
+### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
+### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.
+
+allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox_all shell_data_file:file r_file_perms;
+allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox_all domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox_all debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox_all gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox_all sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox_all hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# Only certain system components should have access to sdk_sandbox_all_system_data_file
+# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
+neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_all_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+