Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c56709f9af9969de2fab39b4627729014015f087 / . / private / sdk_sandbox.te
blob: 3aca881c88b76f13b87395e6e4d52385b33c1676 [file] [log] [blame]
###
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes.
type sdk_sandbox, domain;
typeattribute sdk_sandbox coredomain;
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
allow sdk_sandbox {
activity_service
activity_task_service
appops_service
audio_service
audioserver_service
batteryproperties_service
batterystats_service
cameraserver_service
connectivity_service
connmetrics_service
deviceidle_service
display_service
dropbox_service
ephemeral_app_api_service
font_service
game_service
gpu_service
graphicsstats_service
hardware_properties_service
hint_service
imms_service
input_method_service
input_service
IProxyService_service
ipsec_service
launcherapps_service
legacy_permission_service
light_service
locale_service
media_communication_service
mediadrmserver_service
mediaextractor_service
mediametrics_service
media_projection_service
media_router_service
mediaserver_service
media_session_service
memtrackproxy_service
midi_service
netpolicy_service
netstats_service
network_management_service
notification_service
package_service
permission_checker_service
permission_service
permissionmgr_service
platform_compat_service
power_service
procstats_service
radio_service
registry_service
restrictions_service
rttmanager_service
search_service
selection_toolbar_service
sensor_privacy_service
sensorservice_service
servicediscovery_service
settings_service
speech_recognition_service
statusbar_service
storagestats_service
surfaceflinger_service
telecom_service
tethering_service
textclassification_service
textservices_service
texttospeech_service
thermal_service
translation_service
tv_iapp_service
tv_input_service
uimode_service
vcn_management_service
webviewupdate_service
}:service_manager find;
allow sdk_sandbox system_linker_exec:file execute_no_trans;
# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox shell_data_file:file r_file_perms;
allow sdk_sandbox shell_data_file:dir r_dir_perms;
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
###
### neverallow rules
###
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow sdk_sandbox domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox debugfs:file read;
# execute gpu_device
neverallow sdk_sandbox gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow sdk_sandbox sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };
neverallow {
domain
-init
-installd
-sdk_sandbox
-system_server
-vold_prepare_subdirs
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
# Only certain domains should be able to open and write to the SDK's data directory.
neverallow {
domain
-artd
-init
-installd
-sdk_sandbox
-vold_prepare_subdirs
} sdk_sandbox_data_file:dir ~{read getattr search};
# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
neverallow {
domain
-artd
-init
-installd
-sdk_sandbox
-vold_prepare_subdirs
} sdk_sandbox_data_file:file ~{append read write getattr lock map};
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;