Add canary restrictions for sdk_sandbox Apply sdk_sandbox_next it if a new input selector, isSdkSandboxNext, is true. This is set to true by libselinux if a flag is set in the seInfo passed to it. This enables some testers to test out the set of restrictions we're planning for the next SDK version. sdk_sandbox_next is not the final set of restrictions of the next SDK version. Bug: b/270148964 Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest SdkSandboxRestrictionsTest Change-Id: Idbc3ab39a2d9ef6e1feaf8c212d81a1c79b0f787

commit: 49075f9cabcdb265a412e298d6fd1e611a30cc6a [log] [tgz]
author: Mugdha Lakhani <nator@google.com> Sun May 07 17:41:57 2023 +0000
committer: Mugdha Lakhani <nator@google.com> Thu May 11 17:42:48 2023 +0000
tree: 5b44a24f2c57777f1fddee06e1a5996acc4f3ab5
parent: 50ad933ebd0cc57dbcd809433aedf92db60434b3 [diff] [blame]
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e57a6b3..0d7a4d1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c

@@ -214,6 +214,7 @@
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_type  },
commit	49075f9cabcdb265a412e298d6fd1e611a30cc6a	[log] [tgz]
author	Mugdha Lakhani <nator@google.com>	Sun May 07 17:41:57 2023 +0000
committer	Mugdha Lakhani <nator@google.com>	Thu May 11 17:42:48 2023 +0000
tree	5b44a24f2c57777f1fddee06e1a5996acc4f3ab5
parent	50ad933ebd0cc57dbcd809433aedf92db60434b3 [diff] [blame]