Add auditallow for system properties access from the sdk sandbox
We want to more closely monitor the system properties that the
sdk_sandbox has access to.
Bug: 210811873
Test: adb logcat | grep "r:sdk_sandbox"
Change-Id: I0d590374e931ca41d5451cd7c2de5b02fee619e9
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d851ab7..12310d2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,131 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
+# TODO(b/252967582): remove this rule if it generates too much logs traffic.
+auditallow sdk_sandbox {
+ property_type
+ # remove expected properties to reduce noise.
+ -servicemanager_prop
+ -hwservicemanager_prop
+ -use_memfd_prop
+ -binder_cache_system_server_prop
+ -graphics_config_prop
+ -persist_wm_debug_prop
+ -aaudio_config_prop
+ -adbd_config_prop
+ -apex_ready_prop
+ -apexd_select_prop
+ -arm64_memtag_prop
+ -audio_prop
+ -binder_cache_bluetooth_server_prop
+ -binder_cache_telephony_server_prop
+ -bluetooth_config_prop
+ -boot_status_prop
+ -bootloader_prop
+ -bq_config_prop
+ -build_odm_prop
+ -build_prop
+ -build_vendor_prop
+ -camera2_extensions_prop
+ -camera_calibration_prop
+ -camera_config_prop
+ -camerax_extensions_prop
+ -codec2_config_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_config_prop
+ -dalvik_prop
+ -dalvik_runtime_prop
+ -dck_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_config_memory_safety_native_prop
+ -device_config_nnapi_native_prop
+ -device_config_runtime_native_boot_prop
+ -device_config_runtime_native_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -exported3_system_prop
+ -exported_config_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_pm_prop
+ -exported_system_prop
+ -ffs_config_prop
+ -fingerprint_prop
+ -framework_status_prop
+ -gwp_asan_prop
+ -hal_instrumentation_prop
+ -hdmi_config_prop
+ -heapprofd_prop
+ -hw_timeout_multiplier_prop
+ -init_service_status_private_prop
+ -init_service_status_prop
+ -libc_debug_prop
+ -lmkd_config_prop
+ -locale_prop
+ -localization_prop
+ -log_file_logger_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -media_config_prop
+ -media_variant_prop
+ -mediadrm_config_prop
+ -module_sdkextensions_prop
+ -net_radio_prop
+ -nfc_prop
+ -nnapi_ext_deny_product_prop
+ -ota_prop
+ -packagemanager_config_prop
+ -pan_result_prop
+ -permissive_mte_prop
+ -persist_debug_prop
+ -pm_prop
+ -powerctl_prop
+ -property_service_version_prop
+ -radio_control_prop
+ -radio_prop
+ -restorecon_prop
+ -rollback_test_prop
+ -sendbug_config_prop
+ -setupwizard_prop
+ -shell_prop
+ -soc_prop
+ -socket_hook_prop
+ -sqlite_log_prop
+ -storagemanager_config_prop
+ -surfaceflinger_color_prop
+ -surfaceflinger_prop
+ -system_prop
+ -system_user_mode_emulation_prop
+ -systemsound_config_prop
+ -telephony_config_prop
+ -telephony_status_prop
+ -test_harness_prop
+ -timezone_prop
+ -usb_config_prop
+ -usb_control_prop
+ -usb_prop
+ -userdebug_or_eng_prop
+ -userspace_reboot_config_prop
+ -userspace_reboot_exported_prop
+ -userspace_reboot_log_prop
+ -userspace_reboot_test_prop
+ -vendor_socket_hook_prop
+ -vndk_prop
+ -vold_config_prop
+ -vold_prop
+ -vold_status_prop
+ -vts_config_prop
+ -vts_status_prop
+ -wifi_log_prop
+ -zygote_config_prop
+ -zygote_wrap_prop
+ -init_service_status_prop
+}:file { getattr open read map };
+
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
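Review bot: The exclusion list inside the `auditallow sdk_sandbox { property_type ... }` block removes well over a hundred property types from logging, among them `bootloader_prop`, `build_prop`, `radio_prop` and `telephony_status_prop`, which plausibly carry device- or build-specific values, and the only rationale given is `# remove expected properties to reduce noise.`. Since `auditallow` only logs accesses that other rules already grant, whatever read access exists for an excluded type is unchanged and simply goes unlogged, so a later reader could mistake this list for a reviewed allowlist. I would expand the comment to say how the list was derived and what it does not imply, for example `# Excluded only because these were seen in normal operation; exclusion is not a review of whether sdk_sandbox should keep read access.` (the author should confirm the wording, since the derivation is not visible in this change). Separately, `-init_service_status_prop` appears twice, once in the alphabetical run and again as the last entry before `}:file { getattr open read map };`, and the first six exclusions sit outside the alphabetical order; dropping the duplicate and sorting them in would make future removals from the list easier to review.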