Restrict SDK sandbox unix_stream_socket connections Bug: 328729812 Test: atest --test-mapping packages/modules/AdServices/sdksandbox Change-Id: If26e853d66039aebead20076df4387cd6ca9788d

commit: d226ac41e2e6ebd67f5ea98b0e224bc928de98bb [log] [tgz]
author: Sandro Montanari <sandrom@google.com> Wed Feb 21 14:35:41 2024 +0000
committer: Sandro Montanari <sandrom@google.com> Wed Mar 20 14:10:12 2024 +0000
tree: 6fbd67d3381cccaf4964f9f6a93be8042a5be644
parent: 26477ab5a09585ad442451947e569a8ecf0c4d6d [diff] [blame]
diff --git a/private/app.te b/private/app.te
index b0b5dbb..07e0be0 100644
--- a/private/app.te
+++ b/private/app.te

@@ -407,7 +407,13 @@
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+allow {
+  appdomain
+  -sdk_sandbox_all
+} {
+  appdomain
+  -sdk_sandbox_all
+}:unix_stream_socket { getopt getattr read write shutdown };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
commit	d226ac41e2e6ebd67f5ea98b0e224bc928de98bb	[log] [tgz]
author	Sandro Montanari <sandrom@google.com>	Wed Feb 21 14:35:41 2024 +0000
committer	Sandro Montanari <sandrom@google.com>	Wed Mar 20 14:10:12 2024 +0000
tree	6fbd67d3381cccaf4964f9f6a93be8042a5be644
parent	26477ab5a09585ad442451947e569a8ecf0c4d6d [diff] [blame]