Introduce a new sdk_sandbox domain

Define the selinux domain to apply to SDK runtime for
targetSdkVersion=34.
The existing sdk_sandbox domain has been renamed to sdk_sandbox_next.
Future CLs will add logic to apply one of these to the SDK runtime
processes on the device, based on a flag.

The auditallow block from sdk_sandbox has been removed because we haven't yet
measured the system health impact of adding it. It'll be added to an
audit domain later, after we've ruled out a negative system health impact.

Bug: 270148964
Test: make and boot the test device, load SDK using test app
Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
diff --git a/private/app.te b/private/app.te
index fa40b52..da60086 100644
--- a/private/app.te
+++ b/private/app.te
@@ -9,7 +9,7 @@
   -platform_app
   -priv_app
   -shell
-  -sdk_sandbox
+  -sdk_sandbox_all
   -system_app
   -untrusted_app_all
 }, proc_net_type)
@@ -23,7 +23,7 @@
     -priv_app
     -shell
     -su
-    -sdk_sandbox
+    -sdk_sandbox_all
     -system_app
     -untrusted_app_all
   } proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -81,7 +81,7 @@
 dontaudit appdomain vendor_default_prop:file read;
 
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
 
 # allow apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
@@ -137,67 +137,67 @@
 neverallow appdomain tombstone_data_file:file ~{ getattr read };
 
 # Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
 
 # Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox)
+binder_call(appdomain, sdk_sandbox_all)
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
 
 #logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
 
 # application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
 
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
 
-use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
 
-use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
 
 # For app fuse.
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
 # Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
 
 
 # WebView and other application-specific JIT compilers
@@ -223,11 +223,11 @@
 allow appdomain dalvikcache_data_file:file r_file_perms;
 
 # Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
 
 # Search /storage/emulated tmpfs mount.
-allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
 
 # Notify zygote of the wrapped process PID when using --invoke-with.
 allow appdomain zygote:fifo_file write;
@@ -261,11 +261,11 @@
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
 
 # Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -411,7 +411,7 @@
 allow appdomain system_data_file:file { getattr read map };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
 
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
@@ -503,7 +503,7 @@
   nfc
   radio
   shared_relro
-  sdk_sandbox
+  sdk_sandbox_all
   system_app
 } {
   data_file_type
diff --git a/private/attributes b/private/attributes
index 991bac1..47303cc 100644
--- a/private/attributes
+++ b/private/attributes
@@ -10,3 +10,6 @@
 # property owner attributes must be exclusive.
 attribute system_and_vendor_property_type;
 expandattribute system_and_vendor_property_type false;
+
+# All SDK sandbox domains
+attribute sdk_sandbox_all;
diff --git a/private/domain.te b/private/domain.te
index b51fd3c..30ceb24 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -749,7 +749,7 @@
   isolated_app_all
   ephemeral_app
   priv_app
-  sdk_sandbox
+  sdk_sandbox_all
   untrusted_app_all
 } system_app_data_file:dir_file_class_set { create unlink open };
 
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 200af1b..0617a57 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -104,7 +104,7 @@
 # excluding unix_stream_socket and unix_dgram_socket.
 # Many of these are socket families which have never and will never
 # be compiled into the Android kernel.
-neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
   socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
   key_socket appletalk_socket netlink_route_socket
   netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/net.te b/private/net.te
index 07e4271..4adf84c 100644
--- a/private/net.te
+++ b/private/net.te
@@ -1,7 +1,7 @@
 # Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
 
 # b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
 # untrusted_apps.
@@ -13,7 +13,7 @@
   -ephemeral_app
   -mediaprovider
   -priv_app
-  -sdk_sandbox
+  -sdk_sandbox_all
   -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
 
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
deleted file mode 100644
index 4806e6d..0000000
--- a/private/sdk_sandbox.te
+++ /dev/null
@@ -1,304 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes.
-
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
-    property_type
-    # remove expected properties to reduce noise.
-    -servicemanager_prop
-    -hwservicemanager_prop
-    -use_memfd_prop
-    -binder_cache_system_server_prop
-    -graphics_config_prop
-    -persist_wm_debug_prop
-    -aaudio_config_prop
-    -adbd_config_prop
-    -apex_ready_prop
-    -apexd_select_prop
-    -arm64_memtag_prop
-    -audio_prop
-    -binder_cache_bluetooth_server_prop
-    -binder_cache_telephony_server_prop
-    -bluetooth_config_prop
-    -boot_status_prop
-    -bootloader_prop
-    -bq_config_prop
-    -build_odm_prop
-    -build_prop
-    -build_vendor_prop
-    -camera2_extensions_prop
-    -camera_calibration_prop
-    -camera_config_prop
-    -camerax_extensions_prop
-    -codec2_config_prop
-    -config_prop
-    -cppreopt_prop
-    -dalvik_config_prop_type
-    -dalvik_prop
-    -dalvik_runtime_prop
-    -dck_prop
-    -debug_prop
-    -debuggerd_prop
-    -default_prop
-    -device_config_memory_safety_native_boot_prop
-    -device_config_memory_safety_native_prop
-    -device_config_nnapi_native_prop
-    -device_config_runtime_native_boot_prop
-    -device_config_runtime_native_prop
-    -dhcp_prop
-    -dumpstate_prop
-    -exported3_system_prop
-    -exported_config_prop
-    -exported_default_prop
-    -exported_dumpstate_prop
-    -exported_pm_prop
-    -exported_system_prop
-    -ffs_config_prop
-    -fingerprint_prop
-    -framework_status_prop
-    -gwp_asan_prop
-    -hal_instrumentation_prop
-    -hdmi_config_prop
-    -heapprofd_prop
-    -hw_timeout_multiplier_prop
-    -init_service_status_private_prop
-    -init_service_status_prop
-    -libc_debug_prop
-    -lmkd_config_prop
-    -locale_prop
-    -localization_prop
-    -log_file_logger_prop
-    -log_prop
-    -log_tag_prop
-    -logd_prop
-    -media_config_prop
-    -media_variant_prop
-    -mediadrm_config_prop
-    -module_sdkextensions_prop
-    -net_radio_prop
-    -nfc_prop
-    -nnapi_ext_deny_product_prop
-    -ota_prop
-    -packagemanager_config_prop
-    -pan_result_prop
-    -permissive_mte_prop
-    -persist_debug_prop
-    -persist_sysui_builder_extras_prop
-    -pm_prop
-    -powerctl_prop
-    -property_service_version_prop
-    -radio_control_prop
-    -radio_prop
-    -restorecon_prop
-    -rollback_test_prop
-    -sendbug_config_prop
-    -setupwizard_prop
-    -shell_prop
-    -soc_prop
-    -socket_hook_prop
-    -sqlite_log_prop
-    -storagemanager_config_prop
-    -surfaceflinger_color_prop
-    -surfaceflinger_prop
-    -system_prop
-    -system_user_mode_emulation_prop
-    -systemsound_config_prop
-    -telephony_config_prop
-    -telephony_status_prop
-    -test_harness_prop
-    -timezone_prop
-    -usb_config_prop
-    -usb_control_prop
-    -usb_prop
-    -userdebug_or_eng_prop
-    -userspace_reboot_config_prop
-    -userspace_reboot_exported_prop
-    -userspace_reboot_log_prop
-    -userspace_reboot_test_prop
-    -vendor_socket_hook_prop
-    -vndk_prop
-    -vold_config_prop
-    -vold_prop
-    -vold_status_prop
-    -vts_config_prop
-    -vts_status_prop
-    -wifi_log_prop
-    -zygote_config_prop
-    -zygote_wrap_prop
-    -init_service_status_prop
-}:file { getattr open read map };
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Required to read CTS tests data from the shell_data_file location.
-allow sdk_sandbox shell_data_file:file r_file_perms;
-allow sdk_sandbox shell_data_file:dir r_dir_perms;
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
-        connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow sdk_sandbox domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox debugfs:file read;
-
-# execute gpu_device
-neverallow sdk_sandbox gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow sdk_sandbox sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow sdk_sandbox proc_net:file no_rw_file_perms;
-
-# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
-
-# SDK sandbox processes don't  have any access to external storage
-neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
-
-neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
-
-neverallow sdk_sandbox hal_drm_service:service_manager find;
-
-# Only certain system components should have access to sdk_sandbox_system_data_file
-# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
-neverallow {
-    domain
-    -init
-    -installd
-    -system_server
-    -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { relabelfrom };
-
-neverallow {
-    domain
-    -init
-    -installd
-    -sdk_sandbox
-    -system_server
-    -vold_prepare_subdirs
-    -zygote
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
-
-# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
-neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
-
-# Only dirs should be created at sdk_sandbox_system_data_file level
-neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
new file mode 100644
index 0000000..c7672ac
--- /dev/null
+++ b/private/sdk_sandbox_34.te
@@ -0,0 +1,81 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_34, domain;
+
+typeattribute sdk_sandbox_34 coredomain;
+
+sdk_sandbox_domain(sdk_sandbox_34)
+app_domain(sdk_sandbox_34)
+
+# services
+allow sdk_sandbox_34 audioserver_service:service_manager find;
+allow sdk_sandbox_34 cameraserver_service:service_manager find;
+allow sdk_sandbox_34 mediaserver_service:service_manager find;
+allow sdk_sandbox_34 mediaextractor_service:service_manager find;
+allow sdk_sandbox_34 mediametrics_service:service_manager find;
+allow sdk_sandbox_34 mediadrmserver_service:service_manager find;
+allow sdk_sandbox_34 drmserver_service:service_manager find;
+allow sdk_sandbox_34 radio_service:service_manager find;
+allow sdk_sandbox_34 ephemeral_app_api_service:service_manager find;
+
+allow sdk_sandbox_34 activity_service:service_manager find;
+allow sdk_sandbox_34 activity_task_service:service_manager find;
+allow sdk_sandbox_34 appops_service:service_manager find;
+allow sdk_sandbox_34 audio_service:service_manager find;
+allow sdk_sandbox_34 batteryproperties_service:service_manager find;
+allow sdk_sandbox_34 batterystats_service:service_manager find;
+allow sdk_sandbox_34 connectivity_service:service_manager find;
+allow sdk_sandbox_34 connmetrics_service:service_manager find;
+allow sdk_sandbox_34 deviceidle_service:service_manager find;
+allow sdk_sandbox_34 display_service:service_manager find;
+allow sdk_sandbox_34 dropbox_service:service_manager find;
+allow sdk_sandbox_34 font_service:service_manager find;
+allow sdk_sandbox_34 gpu_service:service_manager find;
+allow sdk_sandbox_34 graphicsstats_service:service_manager find;
+allow sdk_sandbox_34 hardware_properties_service:service_manager find;
+allow sdk_sandbox_34 imms_service:service_manager find;
+allow sdk_sandbox_34 IProxyService_service:service_manager find;
+allow sdk_sandbox_34 ipsec_service:service_manager find;
+allow sdk_sandbox_34 launcherapps_service:service_manager find;
+allow sdk_sandbox_34 legacy_permission_service:service_manager find;
+allow sdk_sandbox_34 light_service:service_manager find;
+allow sdk_sandbox_34 locale_service:service_manager find;
+allow sdk_sandbox_34 media_communication_service:service_manager find;
+allow sdk_sandbox_34 media_session_service:service_manager find;
+allow sdk_sandbox_34 memtrackproxy_service:service_manager find;
+allow sdk_sandbox_34 midi_service:service_manager find;
+allow sdk_sandbox_34 notification_service:service_manager find;
+allow sdk_sandbox_34 package_service:service_manager find;
+allow sdk_sandbox_34 permission_checker_service:service_manager find;
+allow sdk_sandbox_34 permissionmgr_service:service_manager find;
+allow sdk_sandbox_34 permission_service:service_manager find;
+allow sdk_sandbox_34 platform_compat_service:service_manager find;
+allow sdk_sandbox_34 procstats_service:service_manager find;
+allow sdk_sandbox_34 registry_service:service_manager find;
+allow sdk_sandbox_34 restrictions_service:service_manager find;
+allow sdk_sandbox_34 search_service:service_manager find;
+allow sdk_sandbox_34 selection_toolbar_service:service_manager find;
+allow sdk_sandbox_34 sensor_privacy_service:service_manager find;
+allow sdk_sandbox_34 sensorservice_service:service_manager find;
+allow sdk_sandbox_34 servicediscovery_service:service_manager find;
+allow sdk_sandbox_34 settings_service:service_manager find;
+allow sdk_sandbox_34 speech_recognition_service:service_manager find;
+allow sdk_sandbox_34 statusbar_service:service_manager find;
+allow sdk_sandbox_34 surfaceflinger_service:service_manager find;
+allow sdk_sandbox_34 telecom_service:service_manager find;
+allow sdk_sandbox_34 textservices_service:service_manager find;
+allow sdk_sandbox_34 texttospeech_service:service_manager find;
+allow sdk_sandbox_34 thermal_service:service_manager find;
+allow sdk_sandbox_34 translation_service:service_manager find;
+allow sdk_sandbox_34 tv_iapp_service:service_manager find;
+allow sdk_sandbox_34 tv_input_service:service_manager find;
+allow sdk_sandbox_34 uimode_service:service_manager find;
+allow sdk_sandbox_34 vcn_management_service:service_manager find;
+allow sdk_sandbox_34 webviewupdate_service:service_manager find;
+
+# Allow sdk_sandbox_34 to read/write files in visible storage if provided fds
+allow sdk_sandbox_34 { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
+
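Review bot: The `# services` allowlist of the new sdk_sandbox_34 domain is wider than the deleted sdk_sandbox.te — `cameraserver_service`, `mediadrmserver_service`, `drmserver_service`, `radio_service` and `ephemeral_app_api_service` are new finds — and the commit message does not mention the expansion. The old file deliberately avoided attribute-wide grants ("Adding services manually to the allowlist is preferred hence app_api_service is not used"), so the `ephemeral_app_api_service` line in particular needs a justifying comment such as `# ephemeral_app_api_service: bounded set of services exposed to ephemeral apps; see b/<bug id>` or should be replaced by the individual services actually needed. The final allow rule grants `write` and `append` on `media_rw_data_file:file`, which the old `neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;` forbade; if that neverallow is carried into sdk_sandbox_all.te (its hunk is cut off here) the policy will fail to compile, and if it was dropped the message should say that fd-based external-storage writes are now intended. `sdk_sandbox_domain()` is not defined in this diff; presumably it applies `typeattribute ... sdk_sandbox_all` and `net_domain`, which should be confirmed since the shared neverallows in sdk_sandbox_all.te only bind through that attribute.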
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
new file mode 100644
index 0000000..807b51f
--- /dev/null
+++ b/private/sdk_sandbox_all.te
@@ -0,0 +1,91 @@
+###
+### sdk_sandbox_all
+###
+### This file defines the rules shared by all sdk_sandbox* domains.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The sdk_sandbox_all attribute is assigned to all default
+### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
+### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
+
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+
+allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox_all shell_data_file:file r_file_perms;
+allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox_all domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox_all debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox_all gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox_all sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:file {open create};
+neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:dir search;
+neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:dir no_rw_file_perms;
+neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:file no_rw_file_perms;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
+
+neverallow { sdk_sandbox_all } { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
+
+neverallow { sdk_sandbox_all -sdk_sandbox_34 } hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+# sdk_sandbox_all only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+
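Review bot: The `-sdk_sandbox_34` carve-out on the external-storage neverallows at `neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:file {open create};` and the following `:dir search` rule is wider than the access the domain is visibly given: the only grant in view (`allow sdk_sandbox_34 { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};`, described as "if provided fds") contains neither `open`, `create` nor directory `search`, so only the two `no_rw_file_perms` rules actually need the exemption. Unless an earlier part of sdk_sandbox_34.te grants `open`, keeping `neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};` and `neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;` unexempted would turn the "only via passed fds" design into a compile-time guarantee instead of a convention. The file header also says the `sdk_sandbox_all` attribute is "assigned to all default seapp_contexts"; seapp_contexts maps UIDs to domains, and the attribute is presumably attached by `sdk_sandbox_domain()`, so a one-line correction there would avoid misleading readers.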
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..3d83274
--- /dev/null
+++ b/private/sdk_sandbox_next.te
@@ -0,0 +1,100 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox_next, domain;
+
+typeattribute sdk_sandbox_next coredomain;
+sdk_sandbox_domain(sdk_sandbox_next)
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox_next activity_service:service_manager find;
+allow sdk_sandbox_next activity_task_service:service_manager find;
+allow sdk_sandbox_next appops_service:service_manager find;
+allow sdk_sandbox_next audio_service:service_manager find;
+allow sdk_sandbox_next audioserver_service:service_manager find;
+allow sdk_sandbox_next batteryproperties_service:service_manager find;
+allow sdk_sandbox_next batterystats_service:service_manager find;
+allow sdk_sandbox_next connectivity_service:service_manager find;
+allow sdk_sandbox_next connmetrics_service:service_manager find;
+allow sdk_sandbox_next deviceidle_service:service_manager find;
+allow sdk_sandbox_next display_service:service_manager find;
+allow sdk_sandbox_next dropbox_service:service_manager find;
+allow sdk_sandbox_next font_service:service_manager find;
+allow sdk_sandbox_next game_service:service_manager find;
+allow sdk_sandbox_next gpu_service:service_manager find;
+allow sdk_sandbox_next graphicsstats_service:service_manager find;
+allow sdk_sandbox_next hardware_properties_service:service_manager find;
+allow sdk_sandbox_next hint_service:service_manager find;
+allow sdk_sandbox_next imms_service:service_manager find;
+allow sdk_sandbox_next input_method_service:service_manager find;
+allow sdk_sandbox_next input_service:service_manager find;
+allow sdk_sandbox_next IProxyService_service:service_manager find;
+allow sdk_sandbox_next ipsec_service:service_manager find;
+allow sdk_sandbox_next launcherapps_service:service_manager find;
+allow sdk_sandbox_next legacy_permission_service:service_manager find;
+allow sdk_sandbox_next light_service:service_manager find;
+allow sdk_sandbox_next locale_service:service_manager find;
+allow sdk_sandbox_next media_communication_service:service_manager find;
+allow sdk_sandbox_next mediaextractor_service:service_manager find;
+allow sdk_sandbox_next mediametrics_service:service_manager find;
+allow sdk_sandbox_next media_projection_service:service_manager find;
+allow sdk_sandbox_next media_router_service:service_manager find;
+allow sdk_sandbox_next mediaserver_service:service_manager find;
+allow sdk_sandbox_next media_session_service:service_manager find;
+allow sdk_sandbox_next memtrackproxy_service:service_manager find;
+allow sdk_sandbox_next midi_service:service_manager find;
+allow sdk_sandbox_next netpolicy_service:service_manager find;
+allow sdk_sandbox_next netstats_service:service_manager find;
+allow sdk_sandbox_next network_management_service:service_manager find;
+allow sdk_sandbox_next notification_service:service_manager find;
+allow sdk_sandbox_next package_service:service_manager find;
+allow sdk_sandbox_next permission_checker_service:service_manager find;
+allow sdk_sandbox_next permission_service:service_manager find;
+allow sdk_sandbox_next permissionmgr_service:service_manager find;
+allow sdk_sandbox_next platform_compat_service:service_manager find;
+allow sdk_sandbox_next power_service:service_manager find;
+allow sdk_sandbox_next procstats_service:service_manager find;
+allow sdk_sandbox_next registry_service:service_manager find;
+allow sdk_sandbox_next restrictions_service:service_manager find;
+allow sdk_sandbox_next rttmanager_service:service_manager find;
+allow sdk_sandbox_next search_service:service_manager find;
+allow sdk_sandbox_next selection_toolbar_service:service_manager find;
+allow sdk_sandbox_next sensor_privacy_service:service_manager find;
+allow sdk_sandbox_next sensorservice_service:service_manager find;
+allow sdk_sandbox_next servicediscovery_service:service_manager find;
+allow sdk_sandbox_next settings_service:service_manager find;
+allow sdk_sandbox_next speech_recognition_service:service_manager find;
+allow sdk_sandbox_next statusbar_service:service_manager find;
+allow sdk_sandbox_next storagestats_service:service_manager find;
+allow sdk_sandbox_next surfaceflinger_service:service_manager find;
+allow sdk_sandbox_next telecom_service:service_manager find;
+allow sdk_sandbox_next tethering_service:service_manager find;
+allow sdk_sandbox_next textclassification_service:service_manager find;
+allow sdk_sandbox_next textservices_service:service_manager find;
+allow sdk_sandbox_next texttospeech_service:service_manager find;
+allow sdk_sandbox_next thermal_service:service_manager find;
+allow sdk_sandbox_next translation_service:service_manager find;
+allow sdk_sandbox_next tv_iapp_service:service_manager find;
+allow sdk_sandbox_next tv_input_service:service_manager find;
+allow sdk_sandbox_next uimode_service:service_manager find;
+allow sdk_sandbox_next vcn_management_service:service_manager find;
+allow sdk_sandbox_next webviewupdate_service:service_manager find;
+
+allow sdk_sandbox_next system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox_next shell_data_file:file r_file_perms;
+allow sdk_sandbox_next shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox_next system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
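Review bot: The last three rule groups, from `allow sdk_sandbox_next system_linker_exec:file execute_no_trans;` through the `system_server:udp_socket` allow, duplicate rules that sdk_sandbox_all.te in this same change already grants to every `sdk_sandbox_all` domain; if `sdk_sandbox_domain(sdk_sandbox_next)` attaches that attribute, as the sdk_sandbox_all.te header implies, they are redundant and should be dropped so the shared policy has a single source of truth. The header comment is the one inherited from the old sdk_sandbox file and does not say what distinguishes this domain; given the seapp_contexts mapping in this change, something like `### Domain for SDK runtime processes of apps with targetSdkVersion >= 35 (formerly sdk_sandbox). Rules common to all sandbox domains live in sdk_sandbox_all.te.` would help the next reader.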
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 48ddeb8..ba0b1d2 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -148,8 +148,8 @@
 
 isSystemServer=true domain=system_server_startup
 
-# sdksandbox must run in the sdksandbox domain
-neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+# sdksandbox must run in the sdk_sandbox domain
+neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
 
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
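Review bot: The comment `# sdksandbox must run in the sdk_sandbox domain` names a domain this change removes; there are now two (`sdk_sandbox_34` and `sdk_sandbox_next`), so `# sdksandbox must run in one of the sdk_sandbox_* domains` would match the policy. Note also that `((?!sdk_sandbox).)*` rejects only domain names that contain that substring somewhere, so the rule constrains to the family rather than to the two domains defined here; if that is meant to accommodate future variants it is worth saying so in the comment.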
@@ -164,7 +164,8 @@
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
-user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox minTargetSdkVersion=34 domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox minTargetSdkVersion=35 domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
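Review bot: With the unconditional `user=_sdksandbox domain=sdk_sandbox ...` line removed, a sandbox process for an app whose targetSdkVersion is below 34 no longer matches any `user=_sdksandbox` entry, and the neverallow above prevents it from falling through to another domain. If such apps can still load SDKs on this device, either a fallback entry without `minTargetSdkVersion` is needed or the intent should be recorded, e.g. `# No entry for targetSdkVersion < 34: the SDK runtime is not offered to such apps`; if the runtime is only exposed to targetSdkVersion >= 34 the mapping is fine as is. Since seapp_contexts is documented to prefer the more specific matching entry, the two `minTargetSdkVersion` rows should resolve correctly regardless of file order.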
diff --git a/private/service_contexts b/private/service_contexts
index 5fc14f3..9a8de7b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -382,6 +382,7 @@
 storaged                                  u:object_r:storaged_service:s0
 storaged_pri                              u:object_r:storaged_service:s0
 storagestats                              u:object_r:storagestats_service:s0
+# sdk_sandbox here refers to the service name, not the domain name.
 sdk_sandbox                               u:object_r:sdk_sandbox_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 SurfaceFlingerAIDL                        u:object_r:surfaceflinger_service:s0
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 485ce53..4286053 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -22,7 +22,7 @@
 
 ; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
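Review bot: The CIL exclusion now removes every `sdk_sandbox_all` domain from `hal_drm_client`, including `sdk_sandbox_34`, while sdk_sandbox_all.te in this same change exempts `sdk_sandbox_34` from the `hal_drm_service:service_manager find` neverallow; the two statements disagree about whether the new domain is meant to reach DRM services. If DRM access is not intended for sdk_sandbox_34, the carve-out `neverallow { sdk_sandbox_all -sdk_sandbox_34 } hal_drm_service:service_manager find;` should lose its `-sdk_sandbox_34` so the neverallow keeps protecting the default; if it is intended, this line needs a matching `sdk_sandbox_34` exception and the rationale documented next to it.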