Restrict sandbox access to drmservice

Bug: 226390597
Test: atest SdkSandboxRestrictionsTest

Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 782bb46..4a7a9bb 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -85,3 +85,5 @@
 neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
 
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
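Review bot: The neverallow added on the last line of this hunk is only a compile-time assertion on the AIDL `hal_drm_service` label; the access itself is withdrawn by the `hal_drm_client` attribute change in private/technical_debt.cil, and nothing here ties the two together for the next reader. A one-line comment above it would make that explicit, e.g. `# sdk_sandbox is excluded from hal_drm_client in technical_debt.cil; this assertion keeps it that way.` Membership in `hal_drm_client` normally also carries the HIDL path (hwservice lookup and binder calls to the DRM HAL server), which this `service_manager find` assertion does not cover, so if this tree still defines the `hal_drm_hwservice` label a parallel `neverallow sdk_sandbox hal_drm_hwservice:hwservice_manager find;` would close the gap; I cannot confirm from this page whether that label exists.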
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fb..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
 
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
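Review bot: The rewritten `typeattributeset` on the `hal_drm_client` line carries the effective change (appdomain minus the union of isolated_app and sdk_sandbox), but the updated comment above it does not say that the matching regression guard lives in private/sdk_sandbox.te; adding `; sdk_sandbox.te asserts this exclusion with a neverallow on hal_drm_service find` would keep the two files in sync for future edits. The neighbouring `hal_codec2_client` set a few lines up still admits sdk_sandbox, and the commit message does not state whether that is intentional; if only DRM is meant to be restricted, a short comment there saying so would prevent the asymmetry being read as an oversight. The nested `(or (isolated_app) (sdk_sandbox))` follows the parenthesisation style of the existing lines, so it should evaluate as intended, though I cannot verify the build from this page.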