Add canary restrictions for sdk_sandbox
Add sdk_sandbox_next and apply it if a new input selector,
isSdkSandboxNext, is applied. This is set to true by libselinux
if a flag is set in the seInfo passed to it.
This enables some testers to test out the set of restrictions
we're planning for the next SDK version.
sdk_sandbox_next is not the final set of restrictions of the next SDK
version.
Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
Merged-In: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_next.te b/prebuilts/api/34.0/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..87884a9
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_next.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index fbdd93f..4454bd7 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
+# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
new file mode 100644
index 0000000..87884a9
--- /dev/null
+++ b/private/sdk_sandbox_next.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
index fbdd93f..4454bd7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -12,6 +12,7 @@
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
+# isSdkSandboxNext (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
@@ -64,6 +68,7 @@
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@
user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e57a6b3..0d7a4d1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,6 +214,7 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+ { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
{ .name = "type", .dir = dir_out, .fn_validate = validate_type },