Rename SupplementalProcess to SdkSandbox
Ignore-AOSP-First: sepolicy is not in aosp, yet
Bug: 220320098
Test: presubmit
Change-Id: I9fb98e0caee75bdaaa35d11d174004505f236799
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 2d3b9ae..dbdf144 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,7 +22,7 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
# Should be synced with keys.conf.
-all_plat_keys := platform supplemental_process media networkstack shared testkey
+all_plat_keys := platform sdk_sandbox media networkstack shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
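Review bot: The renamed `sdk_sandbox` entry in all_plat_keys is resolved against `$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))`, while the keys.conf hunk in this same change points the same key at `$MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem`; if those two directories differ on a build, the "Should be synced with keys.conf" comment on the line above is not actually satisfied for this key. This mismatch predates the rename, so it may be intentional, but it is worth a one-line comment here stating which directory is authoritative, e.g. `# sdk_sandbox is a mainline key; its path in keys.conf comes from MAINLINE_SEPOLICY_DEV_CERTIFICATES.` The recipe this list feeds continues outside the hunk.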
diff --git a/private/app.te b/private/app.te
index d020c38..4d51767 100644
--- a/private/app.te
+++ b/private/app.te
@@ -9,7 +9,7 @@
-platform_app
-priv_app
-shell
- -supplemental_process
+ -sdk_sandbox
-system_app
-untrusted_app_all
}, proc_net_type)
@@ -23,7 +23,7 @@
-priv_app
-shell
-su
- -supplemental_process
+ -sdk_sandbox
-system_app
-untrusted_app_all
} proc_net_type:{ dir file lnk_file } { getattr open read };
@@ -72,7 +72,7 @@
dontaudit appdomain vendor_default_prop:file read;
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow { appdomain -supplemental_process } mnt_media_rw_file:dir search;
+allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
@@ -119,67 +119,67 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -supplemental_process } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -supplemental_process } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -supplemental_process } vendor_file:file x_file_perms;')
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -supplemental_process }, vendor_app_file)
-allow { appdomain -ephemeral_app -supplemental_process } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
-# Perform binder IPC to supplemental process.
-binder_call(appdomain, supplemental_process)
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
#
# USB devices are first opened by the system server (USBDeviceManagerService)
# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -ephemeral_app -supplemental_process })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } keystore:keystore2 get_state;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
-use_keystore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
-use_credstore({ appdomain -isolated_app -ephemeral_app -supplemental_process })
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
# For app fuse.
-pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app -supplemental_process }, performance_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app -supplemental_process }, bufferhub_client)
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app -supplemental_process } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
# WebView and other application-specific JIT compilers
@@ -205,11 +205,11 @@
allow appdomain dalvikcache_data_file:file r_file_perms;
# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app -supplemental_process } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app -supplemental_process } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
-allow { appdomain -supplemental_process } tmpfs:dir r_dir_perms;
+allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
@@ -243,11 +243,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject -supplemental_process } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app -supplemental_process } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -384,7 +384,7 @@
allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app -supplemental_process } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
@@ -476,7 +476,7 @@
nfc
radio
shared_relro
- supplemental_process
+ sdk_sandbox
system_app
} {
data_file_type
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 286f408..496832e 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -42,7 +42,7 @@
proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
- supplemental_process_service
+ sdk_sandbox_service
sysfs_fs_fuse_bpf
sysfs_vendor_sched
tv_iapp_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ee7d51e..c835579 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -55,8 +55,8 @@
remotelyprovisionedkeypool_service
resources_manager_service
selection_toolbar_service
+ sdk_sandbox_service
snapuserd_proxy_socket
- supplemental_process_service
sysfs_fs_fuse_bpf
system_dlkm_file
tare_service
diff --git a/private/domain.te b/private/domain.te
index 5019952..12d649c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -626,6 +626,6 @@
isolated_app
ephemeral_app
priv_app
- supplemental_process
+ sdk_sandbox
untrusted_app_all
} system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/file.te b/private/file.te
index 82db1f7..54d6df6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,8 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc_{ce/de}/<user>/sdk/<app-name>/* subdirectory for supplemental apps
-type supplemental_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
+type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 1fc9f00..0d90756 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -136,7 +136,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app supplemental_process untrusted_app_all }:{
+neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/keys.conf b/private/keys.conf
index cc4e1f3..30739f9 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -11,8 +11,8 @@
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-[@SUPPLEMENTAL_PROCESS]
-ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/supplemental_process.x509.pem
+[@SDK_SANDBOX]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 0e77637..ec3df0f 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,9 +51,9 @@
<seinfo value="platform" />
</signer>
- <!-- Supplemental process key -->
- <signer signature="@SUPPLEMENTAL_PROCESS" >
- <seinfo value="supplemental_process" />
+ <!-- Sdk Sandbox key -->
+ <signer signature="@SDK_SANDBOX" >
+ <seinfo value="sdk_sandbox" />
</signer>
<!-- Media key in AOSP -->
diff --git a/private/net.te b/private/net.te
index 3e20274..9e15f41 100644
--- a/private/net.te
+++ b/private/net.te
@@ -1,7 +1,7 @@
# Bind to ports.
-allow {netdomain -ephemeral_app -supplemental_process} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app -supplemental_process} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app -supplemental_process} port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
@@ -12,7 +12,7 @@
netdomain
-ephemeral_app
-mediaprovider
- -supplemental_process
+ -sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
new file mode 100644
index 0000000..782bb46
--- /dev/null
+++ b/private/sdk_sandbox.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes.
+
+type sdk_sandbox, domain;
+
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow access to sdksandbox data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow sdk_sandbox domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow sdk_sandbox debugfs:file read;
+
+# execute gpu_device
+neverallow sdk_sandbox gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow sdk_sandbox sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
+neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow sdk_sandbox proc_net:file no_rw_file_perms;
+
+# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
+neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
+
+# SDK sandbox processes don't have any access to external storage
+neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
+
+neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
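Review bot: The comment above the perfetto_producer rule misspells the daemon name; it should read `# Write app-specific trace data to the Perfetto traced daemon. This requires`. Separately, the media_rw_data_file half of the earlier pair `neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};` / `:dir search;` looks subsumed by the later `media_rw_data_file:dir` and `:file no_rw_file_perms` rules, assuming no_rw_file_perms covers open, create and search (I have not checked the macro here); folding them together would make the external-storage denial easier to audit. The braces in the final `neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;` are unnecessary for a single source type and differ from every other rule in the file; `neverallow sdk_sandbox tmpfs:dir no_rw_file_perms;` matches the rest.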
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 0f1195c..0e3d816 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -26,7 +26,7 @@
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
-# user=_supplemental will match supplemental process for an app.
+# user=_sdksandbox will match sdk sandbox process for an app.
# Other values of user are matched against the name associated with the process
# UID.
# seinfo= matches aginst the seinfo tag for the app, determined from
@@ -138,8 +138,8 @@
isSystemServer=true domain=system_server_startup
-# supplemental_process must run in the supplemental_process domain
-neverallow name=com.android.supplemental.process domain=((?!supplemental_process).)*
+# sdksandbox must run in the sdksandbox domain
+neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
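Review bot: The new comment `# sdksandbox must run in the sdksandbox domain` names a domain that does not exist; the rule it describes pins the package com.android.sdksandbox to the `sdk_sandbox` domain. It should read `# com.android.sdksandbox must run in the sdk_sandbox domain` so the comment matches the type the neverallow regex actually enforces. The surrounding seapp_contexts entries start and end outside this hunk.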
@@ -153,7 +153,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
-user=_supplemental domain=supplemental_process type=supplemental_app_data_file levelFrom=all
+user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 9424355..c6fb3d5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -324,7 +324,7 @@
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
-supplemental_process u:object_r:supplemental_process_service:s0
+sdk_sandbox u:object_r:sdk_sandbox_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
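Review bot: The replacement line `sdk_sandbox u:object_r:sdk_sandbox_service:s0` keeps the old entry's slot between storagestats and SurfaceFlinger, so it now sits out of order in a stretch that otherwise appears alphabetically sorted; moving it to its sorted position avoids a later churn-only diff. The left-hand name must also match the name the framework registers the service under, which this change does not show.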
diff --git a/private/supplemental_process.te b/private/supplemental_process.te
deleted file mode 100644
index 720f71b..0000000
--- a/private/supplemental_process.te
+++ /dev/null
@@ -1,87 +0,0 @@
-###
-### Supplemental Process.
-###
-### This file defines the security policy for the supplemental process.
-
-type supplemental_process, domain;
-
-typeattribute supplemental_process coredomain;
-
-net_domain(supplemental_process)
-app_domain(supplemental_process)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow supplemental_process activity_service:service_manager find;
-allow supplemental_process activity_task_service:service_manager find;
-allow supplemental_process audio_service:service_manager find;
-# Audit the access to signal that we are still investigating whether supplemental_process
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow supplemental_process audio_service:service_manager find;
-allow supplemental_process hint_service:service_manager find;
-allow supplemental_process surfaceflinger_service:service_manager find;
-allow supplemental_process trust_service:service_manager find;
-allow supplemental_process uimode_service:service_manager find;
-allow supplemental_process webviewupdate_service:service_manager find;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(supplemental_process)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(supplemental_process)
-can_profile_perf(supplemental_process)
-
-# allow supplemental processes to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow supplemental_process system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow access to supplemental data directory
-allow supplemental_process supplemental_app_data_file:dir create_dir_perms;
-allow supplemental_process supplemental_app_data_file:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow supplemental_process { app_data_file privapp_data_file }:file { execute execute_no_trans };
-
-# Receive or send uevent messages.
-neverallow supplemental_process domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow supplemental_process domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow supplemental_process debugfs:file read;
-
-# execute gpu_device
-neverallow supplemental_process gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow supplemental_process sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow supplemental_process proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow supplemental_process { sdcard_type media_rw_data_file }:file {open create};
-neverallow supplemental_process { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow supplemental_process proc_net:file no_rw_file_perms;
-
-# Supplemental process doesn't have its own private app data directory
-neverallow supplemental_process { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow supplemental_process { app_data_file privapp_data_file }:file no_rw_file_perms;
-
-# Supplemental process doesn't have any access to external storage
-neverallow supplemental_process { media_rw_data_file }:dir no_rw_file_perms;
-neverallow supplemental_process { media_rw_data_file }:file no_rw_file_perms;
-
-neverallow { supplemental_process } tmpfs:dir no_rw_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e6a2370..e1c8044 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -26,7 +26,7 @@
iris_vendor_data_file
rollback_data_file
storaged_data_file
- supplemental_app_data_file
+ sdk_sandbox_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
@@ -42,7 +42,7 @@
iris_vendor_data_file
rollback_data_file
storaged_data_file
- supplemental_app_data_file
+ sdk_sandbox_data_file
system_data_file
vold_data_file
}:file { getattr unlink };
diff --git a/public/service.te b/public/service.te
index 3a2afa9..1b17973 100644
--- a/public/service.te
+++ b/public/service.te
@@ -211,7 +211,7 @@
type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type supplemental_process_service, app_api_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;