Introduce a new sdk_sandbox domain

Define the selinux domain to apply to SDK runtime for
targetSdkVersion=34.
The existing sdk_sandbox domain has been renamed to sdk_sandbox_next.
Future CLs will add logic to apply one of these to the SDK runtime
processes on the device, based on a flag.

auditallow block from sdk_sandbox has been removed as we haven't yet
measured the system health impact of adding this. It'll be added to an
audit domain later after we've ruled out negative system health impact.

Bug: 270148964
Test: make and boot the test device, load SDK using test app
Change-Id: I7438fb16c1c5e85e30683e421ce463f9e0b1470d
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 200af1b..0617a57 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -104,7 +104,7 @@
 # excluding unix_stream_socket and unix_dgram_socket.
 # Many of these are socket families which have never and will never
 # be compiled into the Android kernel.
-neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
   socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
   key_socket appletalk_socket netlink_route_socket
   netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
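Review bot: The target set on the changed neverallow line now names sdk_sandbox_all, but the commit message only mentions sdk_sandbox and sdk_sandbox_next, and nothing visible in this hunk shows where sdk_sandbox_all is declared or which domains carry it. Please confirm that both the new sdk_sandbox domain and the renamed sdk_sandbox_next are tagged with that attribute. If either one is missing it, this rule would stop covering isolated_app_all socket access to that domain and the build would not flag it. A sentence in the commit message saying that sdk_sandbox_all is the attribute spanning both domains would also make the rename easier to follow for anyone auditing other neverallow rules that still reference sdk_sandbox directly.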