Revert "Introduce a new sdk_sandbox domain"
This reverts commit 304962477a0c7de51a21368a87fe1cf94ce8cbab.
Reason for revert: b/279565840
Change-Id: I6fc3a102994157ea3da751364f80730f4d0e87f0
diff --git a/private/app.te b/private/app.te
index da60086..fa40b52 100644
--- a/private/app.te
+++ b/private/app.te
@@ -9,7 +9,7 @@
-platform_app
-priv_app
-shell
- -sdk_sandbox_all
+ -sdk_sandbox
-system_app
-untrusted_app_all
}, proc_net_type)
@@ -23,7 +23,7 @@
-priv_app
-shell
-su
- -sdk_sandbox_all
+ -sdk_sandbox
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -81,7 +81,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow { appdomain -sdk_sandbox_all } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
# allow apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -137,67 +137,67 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox_all)
+binder_call(appdomain, sdk_sandbox)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
-use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
# For app fuse.
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_client)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_manager)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, display_vsync)
-pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@@ -223,11 +223,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app_all -sdk_sandbox_all } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app_all -sdk_sandbox_all } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow { appdomain -sdk_sandbox_all } tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@@ -261,11 +261,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -411,7 +411,7 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app_all -sdk_sandbox_all } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
@@ -503,7 +503,7 @@
nfc
radio
shared_relro
- sdk_sandbox_all
+ sdk_sandbox
system_app
} {
data_file_type
diff --git a/private/attributes b/private/attributes
index 47303cc..991bac1 100644
--- a/private/attributes
+++ b/private/attributes
@@ -10,6 +10,3 @@
# property owner attributes must be exclusive.
attribute system_and_vendor_property_type;
expandattribute system_and_vendor_property_type false;
-
-# All SDK sandbox domains
-attribute sdk_sandbox_all;
diff --git a/private/domain.te b/private/domain.te
index 30ceb24..b51fd3c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -749,7 +749,7 @@
isolated_app_all
ephemeral_app
priv_app
- sdk_sandbox_all
+ sdk_sandbox
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 0617a57..200af1b 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -104,7 +104,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox_all untrusted_app_all }:{
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/net.te b/private/net.te
index 4adf84c..07e4271 100644
--- a/private/net.te
+++ b/private/net.te
@@ -1,7 +1,7 @@
# Bind to ports.
-allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@@ -13,7 +13,7 @@
-ephemeral_app
-mediaprovider
-priv_app
- -sdk_sandbox_all
+ -sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
new file mode 100644
index 0000000..4806e6d
--- /dev/null
+++ b/private/sdk_sandbox.te
@@ -0,0 +1,304 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# TODO(b/252967582): remove this rule if it generates too much logs traffic.
+auditallow sdk_sandbox {
+ property_type
+ # remove expected properties to reduce noise.
+ -servicemanager_prop
+ -hwservicemanager_prop
+ -use_memfd_prop
+ -binder_cache_system_server_prop
+ -graphics_config_prop
+ -persist_wm_debug_prop
+ -aaudio_config_prop
+ -adbd_config_prop
+ -apex_ready_prop
+ -apexd_select_prop
+ -arm64_memtag_prop
+ -audio_prop
+ -binder_cache_bluetooth_server_prop
+ -binder_cache_telephony_server_prop
+ -bluetooth_config_prop
+ -boot_status_prop
+ -bootloader_prop
+ -bq_config_prop
+ -build_odm_prop
+ -build_prop
+ -build_vendor_prop
+ -camera2_extensions_prop
+ -camera_calibration_prop
+ -camera_config_prop
+ -camerax_extensions_prop
+ -codec2_config_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_config_prop_type
+ -dalvik_prop
+ -dalvik_runtime_prop
+ -dck_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_config_memory_safety_native_boot_prop
+ -device_config_memory_safety_native_prop
+ -device_config_nnapi_native_prop
+ -device_config_runtime_native_boot_prop
+ -device_config_runtime_native_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -exported3_system_prop
+ -exported_config_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_pm_prop
+ -exported_system_prop
+ -ffs_config_prop
+ -fingerprint_prop
+ -framework_status_prop
+ -gwp_asan_prop
+ -hal_instrumentation_prop
+ -hdmi_config_prop
+ -heapprofd_prop
+ -hw_timeout_multiplier_prop
+ -init_service_status_private_prop
+ -init_service_status_prop
+ -libc_debug_prop
+ -lmkd_config_prop
+ -locale_prop
+ -localization_prop
+ -log_file_logger_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -media_config_prop
+ -media_variant_prop
+ -mediadrm_config_prop
+ -module_sdkextensions_prop
+ -net_radio_prop
+ -nfc_prop
+ -nnapi_ext_deny_product_prop
+ -ota_prop
+ -packagemanager_config_prop
+ -pan_result_prop
+ -permissive_mte_prop
+ -persist_debug_prop
+ -persist_sysui_builder_extras_prop
+ -pm_prop
+ -powerctl_prop
+ -property_service_version_prop
+ -radio_control_prop
+ -radio_prop
+ -restorecon_prop
+ -rollback_test_prop
+ -sendbug_config_prop
+ -setupwizard_prop
+ -shell_prop
+ -soc_prop
+ -socket_hook_prop
+ -sqlite_log_prop
+ -storagemanager_config_prop
+ -surfaceflinger_color_prop
+ -surfaceflinger_prop
+ -system_prop
+ -system_user_mode_emulation_prop
+ -systemsound_config_prop
+ -telephony_config_prop
+ -telephony_status_prop
+ -test_harness_prop
+ -timezone_prop
+ -usb_config_prop
+ -usb_control_prop
+ -usb_prop
+ -userdebug_or_eng_prop
+ -userspace_reboot_config_prop
+ -userspace_reboot_exported_prop
+ -userspace_reboot_log_prop
+ -userspace_reboot_test_prop
+ -vendor_socket_hook_prop
+ -vndk_prop
+ -vold_config_prop
+ -vold_prop
+ -vold_status_prop
+ -vts_config_prop
+ -vts_status_prop
+ -wifi_log_prop
+ -zygote_config_prop
+ -zygote_wrap_prop
+ -init_service_status_prop
+}:file { getattr open read map };
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
deleted file mode 100644
index c7672ac..0000000
--- a/private/sdk_sandbox_34.te
+++ /dev/null
@@ -1,81 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes
-### for targetSdkVersion=34.
-type sdk_sandbox_34, domain;
-
-typeattribute sdk_sandbox_34 coredomain;
-
-sdk_sandbox_domain(sdk_sandbox_34)
-app_domain(sdk_sandbox_34)
-
-# services
-allow sdk_sandbox_34 audioserver_service:service_manager find;
-allow sdk_sandbox_34 cameraserver_service:service_manager find;
-allow sdk_sandbox_34 mediaserver_service:service_manager find;
-allow sdk_sandbox_34 mediaextractor_service:service_manager find;
-allow sdk_sandbox_34 mediametrics_service:service_manager find;
-allow sdk_sandbox_34 mediadrmserver_service:service_manager find;
-allow sdk_sandbox_34 drmserver_service:service_manager find;
-allow sdk_sandbox_34 radio_service:service_manager find;
-allow sdk_sandbox_34 ephemeral_app_api_service:service_manager find;
-
-allow sdk_sandbox_34 activity_service:service_manager find;
-allow sdk_sandbox_34 activity_task_service:service_manager find;
-allow sdk_sandbox_34 appops_service:service_manager find;
-allow sdk_sandbox_34 audio_service:service_manager find;
-allow sdk_sandbox_34 batteryproperties_service:service_manager find;
-allow sdk_sandbox_34 batterystats_service:service_manager find;
-allow sdk_sandbox_34 connectivity_service:service_manager find;
-allow sdk_sandbox_34 connmetrics_service:service_manager find;
-allow sdk_sandbox_34 deviceidle_service:service_manager find;
-allow sdk_sandbox_34 display_service:service_manager find;
-allow sdk_sandbox_34 dropbox_service:service_manager find;
-allow sdk_sandbox_34 font_service:service_manager find;
-allow sdk_sandbox_34 gpu_service:service_manager find;
-allow sdk_sandbox_34 graphicsstats_service:service_manager find;
-allow sdk_sandbox_34 hardware_properties_service:service_manager find;
-allow sdk_sandbox_34 imms_service:service_manager find;
-allow sdk_sandbox_34 IProxyService_service:service_manager find;
-allow sdk_sandbox_34 ipsec_service:service_manager find;
-allow sdk_sandbox_34 launcherapps_service:service_manager find;
-allow sdk_sandbox_34 legacy_permission_service:service_manager find;
-allow sdk_sandbox_34 light_service:service_manager find;
-allow sdk_sandbox_34 locale_service:service_manager find;
-allow sdk_sandbox_34 media_communication_service:service_manager find;
-allow sdk_sandbox_34 media_session_service:service_manager find;
-allow sdk_sandbox_34 memtrackproxy_service:service_manager find;
-allow sdk_sandbox_34 midi_service:service_manager find;
-allow sdk_sandbox_34 notification_service:service_manager find;
-allow sdk_sandbox_34 package_service:service_manager find;
-allow sdk_sandbox_34 permission_checker_service:service_manager find;
-allow sdk_sandbox_34 permissionmgr_service:service_manager find;
-allow sdk_sandbox_34 permission_service:service_manager find;
-allow sdk_sandbox_34 platform_compat_service:service_manager find;
-allow sdk_sandbox_34 procstats_service:service_manager find;
-allow sdk_sandbox_34 registry_service:service_manager find;
-allow sdk_sandbox_34 restrictions_service:service_manager find;
-allow sdk_sandbox_34 search_service:service_manager find;
-allow sdk_sandbox_34 selection_toolbar_service:service_manager find;
-allow sdk_sandbox_34 sensor_privacy_service:service_manager find;
-allow sdk_sandbox_34 sensorservice_service:service_manager find;
-allow sdk_sandbox_34 servicediscovery_service:service_manager find;
-allow sdk_sandbox_34 settings_service:service_manager find;
-allow sdk_sandbox_34 speech_recognition_service:service_manager find;
-allow sdk_sandbox_34 statusbar_service:service_manager find;
-allow sdk_sandbox_34 surfaceflinger_service:service_manager find;
-allow sdk_sandbox_34 telecom_service:service_manager find;
-allow sdk_sandbox_34 textservices_service:service_manager find;
-allow sdk_sandbox_34 texttospeech_service:service_manager find;
-allow sdk_sandbox_34 thermal_service:service_manager find;
-allow sdk_sandbox_34 translation_service:service_manager find;
-allow sdk_sandbox_34 tv_iapp_service:service_manager find;
-allow sdk_sandbox_34 tv_input_service:service_manager find;
-allow sdk_sandbox_34 uimode_service:service_manager find;
-allow sdk_sandbox_34 vcn_management_service:service_manager find;
-allow sdk_sandbox_34 webviewupdate_service:service_manager find;
-
-# Allow sdk_sandbox_34 to read/write files in visible storage if provided fds
-allow sdk_sandbox_34 { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
-
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
deleted file mode 100644
index 807b51f..0000000
--- a/private/sdk_sandbox_all.te
+++ /dev/null
@@ -1,91 +0,0 @@
-###
-### sdk_sandbox_all
-###
-### This file defines the rules shared by all sdk_sandbox* domains.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The sdk_sandbox_all attribute is assigned to all default
-### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
-### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
-
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
-
-allow sdk_sandbox_all system_linker_exec:file execute_no_trans;
-
-# Required to read CTS tests data from the shell_data_file location.
-allow sdk_sandbox_all shell_data_file:file r_file_perms;
-allow sdk_sandbox_all shell_data_file:dir r_dir_perms;
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox_all system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow sdk_sandbox_all domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
-
-# execute gpu_device
-neverallow sdk_sandbox_all gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow sdk_sandbox_all sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:file {open create};
-neverallow { sdk_sandbox_all -sdk_sandbox_34 } { sdcard_type media_rw_data_file }:dir search;
-neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:dir no_rw_file_perms;
-neverallow { sdk_sandbox_all -sdk_sandbox_34 } { media_rw_data_file }:file no_rw_file_perms;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
-
-neverallow { sdk_sandbox_all } { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
-
-# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow { sdk_sandbox_all } { app_data_file privapp_data_file }:file no_rw_file_perms;
-
-neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;
-
-neverallow { sdk_sandbox_all -sdk_sandbox_34 } hal_drm_service:service_manager find;
-
-# Only certain system components should have access to sdk_sandbox_system_data_file
-# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
-neverallow {
- domain
- -init
- -installd
- -system_server
- -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { relabelfrom };
-
-# sdk_sandbox_all only needs to traverse through the sdk_sandbox_system_data_file
-neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };
-
-# Only dirs should be created at sdk_sandbox_system_data_file level
-neverallow { domain -init } sdk_sandbox_system_data_file:file *;
-
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
deleted file mode 100644
index 3d83274..0000000
--- a/private/sdk_sandbox_next.te
+++ /dev/null
@@ -1,100 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes.
-
-type sdk_sandbox_next, domain;
-
-typeattribute sdk_sandbox_next coredomain;
-sdk_sandbox_domain(sdk_sandbox_next)
-
-net_domain(sdk_sandbox_next)
-app_domain(sdk_sandbox_next)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox_next activity_service:service_manager find;
-allow sdk_sandbox_next activity_task_service:service_manager find;
-allow sdk_sandbox_next appops_service:service_manager find;
-allow sdk_sandbox_next audio_service:service_manager find;
-allow sdk_sandbox_next audioserver_service:service_manager find;
-allow sdk_sandbox_next batteryproperties_service:service_manager find;
-allow sdk_sandbox_next batterystats_service:service_manager find;
-allow sdk_sandbox_next connectivity_service:service_manager find;
-allow sdk_sandbox_next connmetrics_service:service_manager find;
-allow sdk_sandbox_next deviceidle_service:service_manager find;
-allow sdk_sandbox_next display_service:service_manager find;
-allow sdk_sandbox_next dropbox_service:service_manager find;
-allow sdk_sandbox_next font_service:service_manager find;
-allow sdk_sandbox_next game_service:service_manager find;
-allow sdk_sandbox_next gpu_service:service_manager find;
-allow sdk_sandbox_next graphicsstats_service:service_manager find;
-allow sdk_sandbox_next hardware_properties_service:service_manager find;
-allow sdk_sandbox_next hint_service:service_manager find;
-allow sdk_sandbox_next imms_service:service_manager find;
-allow sdk_sandbox_next input_method_service:service_manager find;
-allow sdk_sandbox_next input_service:service_manager find;
-allow sdk_sandbox_next IProxyService_service:service_manager find;
-allow sdk_sandbox_next ipsec_service:service_manager find;
-allow sdk_sandbox_next launcherapps_service:service_manager find;
-allow sdk_sandbox_next legacy_permission_service:service_manager find;
-allow sdk_sandbox_next light_service:service_manager find;
-allow sdk_sandbox_next locale_service:service_manager find;
-allow sdk_sandbox_next media_communication_service:service_manager find;
-allow sdk_sandbox_next mediaextractor_service:service_manager find;
-allow sdk_sandbox_next mediametrics_service:service_manager find;
-allow sdk_sandbox_next media_projection_service:service_manager find;
-allow sdk_sandbox_next media_router_service:service_manager find;
-allow sdk_sandbox_next mediaserver_service:service_manager find;
-allow sdk_sandbox_next media_session_service:service_manager find;
-allow sdk_sandbox_next memtrackproxy_service:service_manager find;
-allow sdk_sandbox_next midi_service:service_manager find;
-allow sdk_sandbox_next netpolicy_service:service_manager find;
-allow sdk_sandbox_next netstats_service:service_manager find;
-allow sdk_sandbox_next network_management_service:service_manager find;
-allow sdk_sandbox_next notification_service:service_manager find;
-allow sdk_sandbox_next package_service:service_manager find;
-allow sdk_sandbox_next permission_checker_service:service_manager find;
-allow sdk_sandbox_next permission_service:service_manager find;
-allow sdk_sandbox_next permissionmgr_service:service_manager find;
-allow sdk_sandbox_next platform_compat_service:service_manager find;
-allow sdk_sandbox_next power_service:service_manager find;
-allow sdk_sandbox_next procstats_service:service_manager find;
-allow sdk_sandbox_next registry_service:service_manager find;
-allow sdk_sandbox_next restrictions_service:service_manager find;
-allow sdk_sandbox_next rttmanager_service:service_manager find;
-allow sdk_sandbox_next search_service:service_manager find;
-allow sdk_sandbox_next selection_toolbar_service:service_manager find;
-allow sdk_sandbox_next sensor_privacy_service:service_manager find;
-allow sdk_sandbox_next sensorservice_service:service_manager find;
-allow sdk_sandbox_next servicediscovery_service:service_manager find;
-allow sdk_sandbox_next settings_service:service_manager find;
-allow sdk_sandbox_next speech_recognition_service:service_manager find;
-allow sdk_sandbox_next statusbar_service:service_manager find;
-allow sdk_sandbox_next storagestats_service:service_manager find;
-allow sdk_sandbox_next surfaceflinger_service:service_manager find;
-allow sdk_sandbox_next telecom_service:service_manager find;
-allow sdk_sandbox_next tethering_service:service_manager find;
-allow sdk_sandbox_next textclassification_service:service_manager find;
-allow sdk_sandbox_next textservices_service:service_manager find;
-allow sdk_sandbox_next texttospeech_service:service_manager find;
-allow sdk_sandbox_next thermal_service:service_manager find;
-allow sdk_sandbox_next translation_service:service_manager find;
-allow sdk_sandbox_next tv_iapp_service:service_manager find;
-allow sdk_sandbox_next tv_input_service:service_manager find;
-allow sdk_sandbox_next uimode_service:service_manager find;
-allow sdk_sandbox_next vcn_management_service:service_manager find;
-allow sdk_sandbox_next webviewupdate_service:service_manager find;
-
-allow sdk_sandbox_next system_linker_exec:file execute_no_trans;
-
-# Required to read CTS tests data from the shell_data_file location.
-allow sdk_sandbox_next shell_data_file:file r_file_perms;
-allow sdk_sandbox_next shell_data_file:dir r_dir_perms;
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox_next system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ba0b1d2..48ddeb8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -148,8 +148,8 @@
isSystemServer=true domain=system_server_startup
-# sdksandbox must run in the sdk_sandbox domain
-neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
+# sdksandbox must run in the sdksandbox domain
+neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
@@ -164,8 +164,7 @@
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
-user=_sdksandbox minTargetSdkVersion=34 domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
-user=_sdksandbox minTargetSdkVersion=35 domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 9a8de7b..5fc14f3 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -382,7 +382,6 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
-# sdk_sandbox here refers to the service name, not the domain name.
sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4286053..485ce53 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -22,7 +22,7 @@
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox_all)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language: