| ### |
| ### SDK Sandbox process. |
| ### |
| ### This file defines the security policy for the sdk sandbox processes. |
| |
| # Declare the sdk_sandbox_next type and give it the domain attribute. |
| type sdk_sandbox_next, domain; |
| |
| # Also tag the type with the coredomain attribute. |
| typeattribute sdk_sandbox_next coredomain; |
| # NOTE(review): the three macros below are defined outside this file, so the |
| # rules and attributes they expand to are not visible here. The effective |
| # policy for this domain is this file plus those expansions; review them |
| # together when auditing what the sandbox can reach. |
| sdk_sandbox_domain(sdk_sandbox_next) |
| |
| # net_domain presumably enables network socket use for this domain - confirm |
| # against the macro definition. |
| net_domain(sdk_sandbox_next) |
| app_domain(sdk_sandbox_next) |
| |
| # Allow finding services. This is different from ephemeral_app policy. |
| # Services are added to this allowlist one by one; the app_api_service |
| # attribute is deliberately not used, so services are not picked up |
| # automatically through that attribute. |
| # |
| # Each rule below grants only the find permission of the service_manager |
| # class for the named service type. |
| # NOTE(review): every entry widens the set of system services that code |
| # running in the sandbox can look up; justify each addition individually |
| # and remove entries that are no longer needed. |
| |
| allow sdk_sandbox_next activity_service:service_manager find; |
| allow sdk_sandbox_next activity_task_service:service_manager find; |
| allow sdk_sandbox_next appops_service:service_manager find; |
| allow sdk_sandbox_next audio_service:service_manager find; |
| allow sdk_sandbox_next audioserver_service:service_manager find; |
| allow sdk_sandbox_next batteryproperties_service:service_manager find; |
| allow sdk_sandbox_next batterystats_service:service_manager find; |
| allow sdk_sandbox_next connectivity_service:service_manager find; |
| allow sdk_sandbox_next connmetrics_service:service_manager find; |
| allow sdk_sandbox_next deviceidle_service:service_manager find; |
| allow sdk_sandbox_next display_service:service_manager find; |
| allow sdk_sandbox_next dropbox_service:service_manager find; |
| allow sdk_sandbox_next font_service:service_manager find; |
| allow sdk_sandbox_next game_service:service_manager find; |
| allow sdk_sandbox_next gpu_service:service_manager find; |
| allow sdk_sandbox_next graphicsstats_service:service_manager find; |
| allow sdk_sandbox_next hardware_properties_service:service_manager find; |
| allow sdk_sandbox_next hint_service:service_manager find; |
| allow sdk_sandbox_next imms_service:service_manager find; |
| allow sdk_sandbox_next input_method_service:service_manager find; |
| allow sdk_sandbox_next input_service:service_manager find; |
| allow sdk_sandbox_next IProxyService_service:service_manager find; |
| allow sdk_sandbox_next ipsec_service:service_manager find; |
| allow sdk_sandbox_next launcherapps_service:service_manager find; |
| allow sdk_sandbox_next legacy_permission_service:service_manager find; |
| allow sdk_sandbox_next light_service:service_manager find; |
| allow sdk_sandbox_next locale_service:service_manager find; |
| allow sdk_sandbox_next media_communication_service:service_manager find; |
| allow sdk_sandbox_next mediaextractor_service:service_manager find; |
| allow sdk_sandbox_next mediametrics_service:service_manager find; |
| allow sdk_sandbox_next media_projection_service:service_manager find; |
| allow sdk_sandbox_next media_router_service:service_manager find; |
| allow sdk_sandbox_next mediaserver_service:service_manager find; |
| allow sdk_sandbox_next media_session_service:service_manager find; |
| allow sdk_sandbox_next memtrackproxy_service:service_manager find; |
| allow sdk_sandbox_next midi_service:service_manager find; |
| allow sdk_sandbox_next netpolicy_service:service_manager find; |
| allow sdk_sandbox_next netstats_service:service_manager find; |
| allow sdk_sandbox_next network_management_service:service_manager find; |
| allow sdk_sandbox_next notification_service:service_manager find; |
| allow sdk_sandbox_next package_service:service_manager find; |
| allow sdk_sandbox_next permission_checker_service:service_manager find; |
| allow sdk_sandbox_next permission_service:service_manager find; |
| allow sdk_sandbox_next permissionmgr_service:service_manager find; |
| allow sdk_sandbox_next platform_compat_service:service_manager find; |
| allow sdk_sandbox_next power_service:service_manager find; |
| allow sdk_sandbox_next procstats_service:service_manager find; |
| allow sdk_sandbox_next registry_service:service_manager find; |
| allow sdk_sandbox_next restrictions_service:service_manager find; |
| allow sdk_sandbox_next rttmanager_service:service_manager find; |
| allow sdk_sandbox_next search_service:service_manager find; |
| allow sdk_sandbox_next selection_toolbar_service:service_manager find; |
| allow sdk_sandbox_next sensor_privacy_service:service_manager find; |
| allow sdk_sandbox_next sensorservice_service:service_manager find; |
| allow sdk_sandbox_next servicediscovery_service:service_manager find; |
| allow sdk_sandbox_next settings_service:service_manager find; |
| allow sdk_sandbox_next speech_recognition_service:service_manager find; |
| allow sdk_sandbox_next statusbar_service:service_manager find; |
| allow sdk_sandbox_next storagestats_service:service_manager find; |
| allow sdk_sandbox_next surfaceflinger_service:service_manager find; |
| allow sdk_sandbox_next telecom_service:service_manager find; |
| allow sdk_sandbox_next tethering_service:service_manager find; |
| allow sdk_sandbox_next textclassification_service:service_manager find; |
| allow sdk_sandbox_next textservices_service:service_manager find; |
| allow sdk_sandbox_next texttospeech_service:service_manager find; |
| allow sdk_sandbox_next thermal_service:service_manager find; |
| allow sdk_sandbox_next translation_service:service_manager find; |
| allow sdk_sandbox_next tv_iapp_service:service_manager find; |
| allow sdk_sandbox_next tv_input_service:service_manager find; |
| allow sdk_sandbox_next uimode_service:service_manager find; |
| allow sdk_sandbox_next vcn_management_service:service_manager find; |
| allow sdk_sandbox_next webviewupdate_service:service_manager find; |
| |
| # Permit executing files labelled system_linker_exec without a domain |
| # transition (execute_no_trans), so the executed code keeps running as |
| # sdk_sandbox_next and stays under this policy. |
| # NOTE(review): the reason this is needed is not stated in this file - confirm. |
| allow sdk_sandbox_next system_linker_exec:file execute_no_trans; |
| |
| # Required to read CTS tests data from the shell_data_file location. |
| # Only the read permission sets (r_file_perms / r_dir_perms) are granted by |
| # these two rules. |
| # NOTE(review): this is a test-support allowance. Presumably shell_data_file |
| # content can be written by the shell domain, so treat anything read from it |
| # as untrusted input - confirm whether the rules are needed outside CTS runs. |
| allow sdk_sandbox_next shell_data_file:file r_file_perms; |
| allow sdk_sandbox_next shell_data_file:dir r_dir_perms; |
| |
| # Allow the sdk sandbox to use UDP sockets provided by the system server. |
| # The stated intent is that the sandbox does not modify them other than to |
| # connect. The permission set covers connect, I/O (read, write, sendto, |
| # recvfrom) and attribute/option access; create and bind are not in the list. |
| # NOTE(review): setopt is granted, so the sandbox can change options on these |
| # sockets in addition to connecting them - confirm this is intended. |
| allow sdk_sandbox_next system_server:udp_socket { |
| connect getattr read recvfrom sendto write getopt setopt }; |
| |