Merge "Relax sepolicy for device_config_runtime_native_*."
diff --git a/README.apps.md b/README.apps.md
new file mode 100644
index 0000000..bdb13e9
--- /dev/null
+++ b/README.apps.md
@@ -0,0 +1,57 @@
+The policy defines multiple types and attributes for apps. This document is a
+high-level overview of these. For further details on each type, refer to their
+specific files in the public/ and private/ directories.
+
+## appdomain
+In general, all apps will have the `appdomain` attribute. You can think of
+`appdomain` as any app started by Zygote. The macro `app_domain()` should be
+used to define a type that is considered an app (see public/te_macros).
+
+## untrusted_app
+Third-party apps (for example, installed from the Play Store), targeting the
+most recent SDK version will be typed as `untrusted_app`. This is the default
+domain for apps, unless a more specific criteria applies.
+
+When an app is targeting a previous SDK version, it may have the
+`untrusted_app_xx` type where xx is the targetSdkVersion. For instance, an app
+with `targetSdkVersion = 32` in its manifest will be typed as `untrusted_app_32`.
+Not all targetSdkVersion have a specific type, some version are skipped when no
+differences were introduced (see public/untrusted_app.te for more details).
+
+The `untrusted_app_all` attribute can be used to reference all the types
+described in this section (that is, `untrusted_app`, `untrusted_app_30`,
+`untrusted_app_32`, etc.).
+
+## isolated_app
+Apps may be restricted when using isolatedProcess=true in their manifest. In
+this case, they will be assigned the `isolated_app` type. A similar type
+`isolated_compute_app` exist for some restricted services.
+
+Both types `isolated_app` and `isolated_compute_app` are grouped under the
+attribute `isolated_app_all`.
+
+## ephemeral_app
+Apps that are run without installation. These are apps deployed for example via
+Google Play Instant. These are more constrained than `untrusted_app`.
+
+## sdk_sandbox
+SDK runtime apps, installed as part of the Privacy Sandbox project. These are
+sandboxed to limit their communication channels.
+
+## platform_app
+Apps that are signed with the platform key. These are installed within the
+system or vendor image. com.android.systemui is an example of an app running
+with this type.
+
+## system_app
+Apps pre-installed on a device, signed by the platform key and running with the
+system UID. com.android.settings is an example of an app running with this
+type.
+
+## priv_app
+Apps shipped as part of the device and installed in one of the
+`/{system,vendor,product}/priv-app` directories.
+com.google.android.apps.messaging is an example of an app running as priv_app.
+Permissions for these apps need to be explicitly granted, see
+https://source.android.com/docs/core/permissions/perms-allowlist for more
+details.
diff --git a/apex/Android.bp b/apex/Android.bp
index 0183f0f..2dcae6f 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -239,13 +239,6 @@
}
filegroup {
- name: "com.android.tethering.inprocess-file_contexts",
- srcs: [
- "com.android.tethering.inprocess-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.extservices-file_contexts",
srcs: [
"com.android.extservices-file_contexts",
diff --git a/apex/com.android.tethering.inprocess-file_contexts b/apex/com.android.tethering.inprocess-file_contexts
deleted file mode 100644
index af366d8..0000000
--- a/apex/com.android.tethering.inprocess-file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/for-system/clatd u:object_r:clatd_exec:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 133fc38..7eac769 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -260,7 +260,7 @@
"gnss_time_update_service": EXCEPTION_NO_FUZZER,
"grammatical_inflection": EXCEPTION_NO_FUZZER,
"graphicsstats": EXCEPTION_NO_FUZZER,
- "gpu": EXCEPTION_NO_FUZZER,
+ "gpu": []string{"gpu_service_fuzzer"},
"hardware": EXCEPTION_NO_FUZZER,
"hardware_properties": EXCEPTION_NO_FUZZER,
"hdmi_control": EXCEPTION_NO_FUZZER,
diff --git a/private/app.te b/private/app.te
index df1ac1b..754c802 100644
--- a/private/app.te
+++ b/private/app.te
@@ -9,7 +9,7 @@
-platform_app
-priv_app
-shell
- -sdk_sandbox
+ -sdk_sandbox_all
-system_app
-untrusted_app_all
}, proc_net_type)
@@ -23,7 +23,7 @@
-priv_app
-shell
-su
- -sdk_sandbox
+ -sdk_sandbox_all
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -76,7 +76,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -132,67 +132,67 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox)
+binder_call(appdomain, sdk_sandbox_all)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
-use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
# For app fuse.
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@@ -218,11 +218,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@@ -256,11 +256,14 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -406,7 +409,7 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
@@ -498,7 +501,7 @@
nfc
radio
shared_relro
- sdk_sandbox
+ sdk_sandbox_all
system_app
} {
data_file_type
diff --git a/private/attributes b/private/attributes
index 991bac1..77143a3 100644
--- a/private/attributes
+++ b/private/attributes
@@ -10,3 +10,7 @@
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
+
+# All SDK sandbox domains
+attribute sdk_sandbox_all;
+
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3bfdcc8..3a49745 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -59,7 +59,9 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
+ setupwizard_esim_prop
shutdown_checkpoints_system_data_file
+ snapuserd_log_data_file
stats_config_data_file
sysfs_fs_fuse_features
system_net_netd_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a5..8abc646 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
+get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/domain.te b/private/domain.te
index 26d9750..2cffdd8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -754,7 +754,7 @@
isolated_app_all
ephemeral_app
priv_app
- sdk_sandbox
+ sdk_sandbox_all
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/file_contexts b/private/file_contexts
index b1c7508..bb86761 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -664,6 +664,7 @@
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/misc/snapuserd_log(/.*)? u:object_r:snapuserd_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 08c3902..297a876 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,6 +64,8 @@
# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)
+neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
+
# Needed for querying permission
allow gpuservice permission_service:service_manager find;
diff --git a/private/gsid.te b/private/gsid.te
index e795cea..9391016 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -150,7 +150,7 @@
allow gsid {
gsi_data_file
ota_image_data_file
-}:dir rw_dir_perms;
+}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 200af1b..0617a57 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -104,7 +104,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/mediaserver.te b/private/mediaserver.te
index aaf49f6..f44cbde 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -19,6 +19,9 @@
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
+# Allow mediaserver to read SDK sandbox data files
+allow mediaserver sdk_sandbox_data_file:file { getattr read };
+
# Needed for stats callback registration to statsd.
allow mediaserver stats_service:service_manager find;
allow mediaserver statsmanager_service:service_manager find;
diff --git a/private/net.te b/private/net.te
index 07e4271..4adf84c 100644
--- a/private/net.te
+++ b/private/net.te
@@ -1,7 +1,7 @@
# Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@@ -13,7 +13,7 @@
-ephemeral_app
-mediaprovider
-priv_app
- -sdk_sandbox
+ -sdk_sandbox_all
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/property.te b/private/property.te
index 35f9bc7..928f86c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -598,6 +598,10 @@
-init
} setupwizard_prop:property_service set;
+neverallow {
+ domain
+ -init
+} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 4dd1fda..102c111 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -406,6 +406,8 @@
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
+ro.camera.disableJpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -1450,8 +1452,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
deleted file mode 100644
index 4806e6d..0000000
--- a/private/sdk_sandbox.te
+++ /dev/null
@@ -1,304 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes.
-
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# TODO(b/252967582): remove this rule if it generates too much logs traffic.
-auditallow sdk_sandbox {
- property_type
- # remove expected properties to reduce noise.
- -servicemanager_prop
- -hwservicemanager_prop
- -use_memfd_prop
- -binder_cache_system_server_prop
- -graphics_config_prop
- -persist_wm_debug_prop
- -aaudio_config_prop
- -adbd_config_prop
- -apex_ready_prop
- -apexd_select_prop
- -arm64_memtag_prop
- -audio_prop
- -binder_cache_bluetooth_server_prop
- -binder_cache_telephony_server_prop
- -bluetooth_config_prop
- -boot_status_prop
- -bootloader_prop
- -bq_config_prop
- -build_odm_prop
- -build_prop
- -build_vendor_prop
- -camera2_extensions_prop
- -camera_calibration_prop
- -camera_config_prop
- -camerax_extensions_prop
- -codec2_config_prop
- -config_prop
- -cppreopt_prop
- -dalvik_config_prop_type
- -dalvik_prop
- -dalvik_runtime_prop
- -dck_prop
- -debug_prop
- -debuggerd_prop
- -default_prop
- -device_config_memory_safety_native_boot_prop
- -device_config_memory_safety_native_prop
- -device_config_nnapi_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -dhcp_prop
- -dumpstate_prop
- -exported3_system_prop
- -exported_config_prop
- -exported_default_prop
- -exported_dumpstate_prop
- -exported_pm_prop
- -exported_system_prop
- -ffs_config_prop
- -fingerprint_prop
- -framework_status_prop
- -gwp_asan_prop
- -hal_instrumentation_prop
- -hdmi_config_prop
- -heapprofd_prop
- -hw_timeout_multiplier_prop
- -init_service_status_private_prop
- -init_service_status_prop
- -libc_debug_prop
- -lmkd_config_prop
- -locale_prop
- -localization_prop
- -log_file_logger_prop
- -log_prop
- -log_tag_prop
- -logd_prop
- -media_config_prop
- -media_variant_prop
- -mediadrm_config_prop
- -module_sdkextensions_prop
- -net_radio_prop
- -nfc_prop
- -nnapi_ext_deny_product_prop
- -ota_prop
- -packagemanager_config_prop
- -pan_result_prop
- -permissive_mte_prop
- -persist_debug_prop
- -persist_sysui_builder_extras_prop
- -pm_prop
- -powerctl_prop
- -property_service_version_prop
- -radio_control_prop
- -radio_prop
- -restorecon_prop
- -rollback_test_prop
- -sendbug_config_prop
- -setupwizard_prop
- -shell_prop
- -soc_prop
- -socket_hook_prop
- -sqlite_log_prop
- -storagemanager_config_prop
- -surfaceflinger_color_prop
- -surfaceflinger_prop
- -system_prop
- -system_user_mode_emulation_prop
- -systemsound_config_prop
- -telephony_config_prop
- -telephony_status_prop
- -test_harness_prop
- -timezone_prop
- -usb_config_prop
- -usb_control_prop
- -usb_prop
- -userdebug_or_eng_prop
- -userspace_reboot_config_prop
- -userspace_reboot_exported_prop
- -userspace_reboot_log_prop
- -userspace_reboot_test_prop
- -vendor_socket_hook_prop
- -vndk_prop
- -vold_config_prop
- -vold_prop
- -vold_status_prop
- -vts_config_prop
- -vts_status_prop
- -wifi_log_prop
- -zygote_config_prop
- -zygote_wrap_prop
- -init_service_status_prop
-}:file { getattr open read map };
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Required to read CTS tests data from the shell_data_file location.
-allow sdk_sandbox shell_data_file:file r_file_perms;
-allow sdk_sandbox shell_data_file:dir r_dir_perms;
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow sdk_sandbox domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox debugfs:file read;
-
-# execute gpu_device
-neverallow sdk_sandbox gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow sdk_sandbox sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
-neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow sdk_sandbox proc_net:file no_rw_file_perms;
-
-# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
-
-# SDK sandbox processes don't have any access to external storage
-neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
-
-neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
-
-neverallow sdk_sandbox hal_drm_service:service_manager find;
-
-# Only certain system components should have access to sdk_sandbox_system_data_file
-# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
-neverallow {
- domain
- -init
- -installd
- -system_server
- -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { relabelfrom };
-
-neverallow {
- domain
- -init
- -installd
- -sdk_sandbox
- -system_server
- -vold_prepare_subdirs
- -zygote
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
-
-# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
-neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
-
-# Only dirs should be created at sdk_sandbox_system_data_file level
-neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
new file mode 100644
index 0000000..d45da88
--- /dev/null
+++ b/private/sdk_sandbox_34.te
@@ -0,0 +1,91 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_34)
+app_domain(sdk_sandbox_34)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_34 {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
new file mode 100644
index 0000000..6e7ba50
--- /dev/null
+++ b/private/sdk_sandbox_all.te
@@ -0,0 +1,125 @@
+###
+### sdk_sandbox_all
+###
+### This file defines the rules shared by all sdk_sandbox_all domains.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The sdk_sandbox_all_all attribute is assigned to all default
+### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
+### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.
+
+allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox_all shell_data_file:file r_file_perms;
+allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox_all domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox_all debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox_all gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox_all sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox_all hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# Only certain system components should have access to sdk_sandbox_all_system_data_file
+# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox_all
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
+neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_all_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
+
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..6fd16ca
--- /dev/null
+++ b/private/sdk_sandbox_next.te
@@ -0,0 +1,89 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for a test set of restrictions. These restrictions will be adapted
+### with modifications, into the set of restrictions for the next SDK
+### level.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 48ddeb8..4454bd7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
+# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -148,8 +153,8 @@
isSystemServer=true domain=system_server_startup
-# sdksandbox must run in the sdksandbox domain
-neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
+# sdksandbox must run in an sdksandbox domain
+neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -164,7 +169,8 @@
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
-user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 69c4a94..a617016 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -383,6 +383,7 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
+# sdk_sandbox here refers to the service name, not the domain name.
sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 797a6c2..8cd9e63 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -57,6 +57,13 @@
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+# write to /data/misc/snapuserd_log
+allow snapuserd snapuserd_log_data_file:dir create_dir_perms;
+allow snapuserd snapuserd_log_data_file:file create_file_perms;
+
+# Read /proc/stat to determine boot time
+allow snapuserd proc_stat:file r_file_perms;
+
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
diff --git a/private/system_server.te b/private/system_server.te
index db6820d..4356c26 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1207,6 +1207,7 @@
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
+ allow system_server user_profile_data_file:dir w_dir_perms;
allow system_server user_profile_data_file:file create_file_perms;
')
# Allow system server to load JVMTI agents under control of a property.
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 485ce53..4286053 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -22,7 +22,7 @@
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 58d6efa..cc3678c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -259,6 +259,9 @@
# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
+# Access /data/misc/snapuserd_log
+allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
+allow dumpstate snapuserd_log_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
diff --git a/public/file.te b/public/file.te
index da76aee..7aad936 100644
--- a/public/file.te
+++ b/public/file.te
@@ -460,6 +460,7 @@
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 832bc8d..59a6df8 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -4,6 +4,6 @@
hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
+binder_use(hal_gnss_server)
+binder_use(hal_gnss_client)
diff --git a/public/netd.te b/public/netd.te
index e3ea1cb..3854017 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,7 +80,7 @@
allow netd system_file:file lock;
# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
+allow netd dnsmasq:process { sigkill signal };
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
diff --git a/public/property.te b/public/property.te
index 8d6b8ee..076ced9 100644
--- a/public/property.te
+++ b/public/property.te
@@ -88,6 +88,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -101,7 +102,6 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-system_restricted_prop(graphics_config_writable_prop)
compatible_property_only(`
@@ -223,6 +223,7 @@
system_public_prop(ffs_control_prop)
system_public_prop(framework_status_prop)
system_public_prop(gesture_prop)
+system_public_prop(graphics_config_writable_prop)
system_public_prop(hal_dumpstate_config_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 288d035..3942c27 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -251,6 +251,7 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, graphics_config_writable_prop)
set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e57a6b3..0d7a4d1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,6 +214,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index ff28a03..710e2df 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -13,6 +13,7 @@
# Allow reading graphics properties, specifically for EGL blobcache mode
get_prop(hal_camera_default, graphics_config_prop);
+get_prop(hal_camera_default, graphics_config_writable_prop);
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;