Move parts of sdk_sandbox from private to apex policy

Bug: 236691128
Test: atest SeamendcHostTest

Change-Id: I3ce2845f259afb29b80e2d9b446aa94e64ef8902
diff --git a/Android.bp b/Android.bp
index 467f80e..0770a64 100644
--- a/Android.bp
+++ b/Android.bp
@@ -373,19 +373,44 @@
     additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
 }
 
-
 se_policy_conf {
     name: "apex_sepolicy-33.conf",
-    srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
+    srcs: plat_public_policy +
+        plat_private_policy +
+        system_ext_public_policy +
+        system_ext_private_policy +
+        product_public_policy +
+        product_private_policy +
+        ["com.android.sepolicy/33/*.te"],
     installable: false,
 }
 
 se_policy_cil {
     name: "apex_sepolicy-33.cil",
     src: ":apex_sepolicy-33.conf",
-    filter_out: [":plat_sepolicy.cil"],
+    filter_out: [
+        ":plat_sepolicy.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+    ],
     installable: false,
     stem: "apex_sepolicy.cil",
+    remove_line_marker: true,
+}
+
+se_policy_cil {
+    name: "decompiled_sepolicy-without_apex.cil",
+    src: ":precompiled_sepolicy-without_apex",
+    decompile_binary: true,
+}
+
+se_policy_cil {
+    name: "apex_sepolicy-decompiled.cil",
+    src: ":precompiled_sepolicy",
+    decompile_binary: true,
+    filter_out: [":decompiled_sepolicy-without_apex.cil"],
+    additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+    secilc_check: false,
 }
 
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
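Review bot: The two new modules `decompiled_sepolicy-without_apex.cil` and `apex_sepolicy-decompiled.cil` do not set `installable: false`, unlike the sibling `apex_sepolicy-33.conf` and `apex_sepolicy-33.cil` modules in this hunk that do; if `se_policy_cil` defaults to installable (the default is not visible here), a decompiled and unchecked policy artifact could be packaged onto the image. `apex_sepolicy-decompiled.cil` also sets `secilc_check: false`, so nothing validates the concatenation of the filtered decompile with `definitions.cil`, and the reason is not recorded. Suggest adding `installable: false,` to both new modules and, above `secilc_check: false,`, the comment `// Test-only: compared against apex_sepolicy.cil by SeamendcHostTest; the decompiled diff is not a loadable policy, so secilc validation is skipped.`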
@@ -896,6 +921,50 @@
     },
 }
 
+precompiled_se_policy_binary {
+    name: "precompiled_sepolicy-without_apex",
+    srcs: [
+        ":plat_sepolicy.cil",
+        ":plat_pub_versioned.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+        ":vendor_sepolicy.cil",
+        ":odm_sepolicy.cil",
+    ],
+    soong_config_variables: {
+        BOARD_USES_ODMIMAGE: {
+            device_specific: true,
+            conditions_default: {
+                vendor: true,
+            },
+        },
+        IS_TARGET_MIXED_SEPOLICY: {
+            ignore_neverallow: true,
+        },
+        MIXED_SEPOLICY_VERSION: {
+            srcs: [
+                ":plat_%s.cil",
+                ":system_ext_%s.cil",
+                ":product_%s.cil",
+            ],
+            conditions_default: {
+                srcs: [
+                    ":plat_mapping_file",
+                    ":system_ext_mapping_file",
+                    ":product_mapping_file",
+                ],
+            },
+        },
+    },
+    required: [
+        "sepolicy_neverallows",
+        "sepolicy_neverallows_vendor",
+    ],
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
+
 // policy for recovery
 se_policy_conf {
     name: "recovery_sepolicy.conf",
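Review bot: `precompiled_sepolicy-without_apex` carries `required`, `dist` and the `vendor`/`device_specific` install settings, which look copied from the shipping precompiled policy module, yet its only consumer in this change is the decompile step in `decompiled_sepolicy-without_apex.cil`. Unless `precompiled_se_policy_binary` defaults to not installing, this would place a second policy binary in the vendor or odm partition; by construction (its `srcs` omit the apex policy, and the private policy now declares `sdk_sandbox` without `domain`), that binary leaves `sdk_sandbox` with no domain attribute and no allow rules, so it must never be loadable on a device. Suggest marking it non-installable if the module type supports it, dropping the `dist` and `required` entries, and adding `// Test-only input for apex_sepolicy-decompiled.cil; must not be installed or dist'ed.`; if the variant logic is meant to stay in lock-step with the shipping module, a shared `defaults` would keep the two from drifting.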
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 3946a04..380faff 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -287,6 +287,10 @@
 	// Policy file to be compiled to cil file.
 	Src *string `android:"path"`
 
+	// If true, the input policy file is a binary policy that will be decompiled to a cil file.
+	// Defaults to false.
+	Decompile_binary *bool
+
 	// Additional cil files to be added in the end of the output. This is to support workarounds
 	// which are not supported by the policy language.
 	Additional_cil_files []string `android:"path"`
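Review bot: The comment on `Src` two lines above the new property still says "Policy file to be compiled to cil file", which is no longer accurate once `Decompile_binary` is true and `Src` is a compiled binary policy. Suggest widening it to `// Policy file to be compiled to a cil file, or, when decompile_binary is set, a binary policy to be decompiled.` The new property's comment could also say that the output comes from `checkpolicy -b` and is presumably not byte-identical to hand-written CIL, which is why the Android.bp consumer filters and post-processes it.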
@@ -338,17 +342,22 @@
 func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
 	cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().BuiltTool("checkpolicy").
-		Flag("-C"). // Write CIL
-		Flag("-M"). // Enable MLS
-		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
-		FlagWithOutput("-o ", cil).
-		Input(conf)
 
-	if len(c.properties.Additional_cil_files) > 0 {
-		rule.Command().Text("cat").
-			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
-			Text(">> ").Output(cil)
+	if proptools.Bool(c.properties.Decompile_binary) {
+		rule.Command().BuiltTool("checkpolicy").
+			Flag("-b"). // Read binary
+			Flag("-C"). // Write CIL
+			Flag("-M"). // Enable MLS
+			FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+			FlagWithOutput("-o ", cil).
+			Input(conf)
+	} else {
+		rule.Command().BuiltTool("checkpolicy").
+			Flag("-C"). // Write CIL
+			Flag("-M"). // Enable MLS
+			FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+			FlagWithOutput("-o ", cil).
+			Input(conf)
 	}
 
 	if len(c.properties.Filter_out) > 0 {
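Review bot: The two branches of the new `if proptools.Bool(c.properties.Decompile_binary)` duplicate the entire checkpolicy invocation and differ only in the `-b` flag, so any future flag change has to be made twice and the branches can silently diverge. Build the command once and add `-b` conditionally; the resulting command line is identical. The enclosing compileConfToCil continues past the hunk.
```go
	cmd := rule.Command().BuiltTool("checkpolicy")
	if proptools.Bool(c.properties.Decompile_binary) {
		cmd.Flag("-b") // Read a binary policy instead of a .conf
	}
	cmd.Flag("-C"). // Write CIL
		Flag("-M"). // Enable MLS
		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
		FlagWithOutput("-o ", cil).
		Input(conf)
	// … unchanged: filter_out handling …
```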
@@ -359,6 +368,12 @@
 			FlagWithOutput("-t ", cil)
 	}
 
+	if len(c.properties.Additional_cil_files) > 0 {
+		rule.Command().Text("cat").
+			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+			Text(">> ").Output(cil)
+	}
+
 	if proptools.Bool(c.properties.Remove_line_marker) {
 		rule.Command().Text("grep -v").
 			Text(proptools.ShellEscape(";;")).
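Review bot: Moving the `cat` of `Additional_cil_files` below the `Filter_out` step changes semantics for every module that sets both properties, not only the new decompiled one: those files are now appended after filtering, so lines in them that also occur in a filtered-out cil are no longer removed. That appears to be the intent here, since `definitions.cil` seems to exist to re-supply declarations the filter strips, but nothing in the code says so. Suggest a why-comment above the block: `// Appended after filter_out on purpose: additional files may carry declarations that the filtered-out base policy also has, and they must survive filtering.` and a matching sentence in the `Additional_cil_files` property doc. The enclosing function continues past the hunk (the Remove_line_marker step).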
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..06f7326
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,527 @@
+(sid test)
+(sidorder (test))
+
+(classorder (file service_manager fd sock_file unix_stream_socket process dir udp_socket anon_inode fifo_file lnk_file unix_dgram_socket lockdown netlink_route_socket tcp_socket rawip_socket icmp_socket chr_file binder hwservice_manager))
+
+;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read write getattr lock map open watch watch_reads execute_no_trans append create setattr unlink rename execute relabelfrom relabelto link watch_mount watch_sb watch_with_perm entrypoint execmod audit_access mounton quotaon))
+
+;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
+(role r)
+(role object_r)
+
+(class service_manager (add find list ))
+(class sock_file (write))
+(class fd (use ))
+(class unix_stream_socket (ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown connectto))
+(class process (fork sigchld sigkill sigstop signull ptrace transition signal siginh rlimitinh getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit execmem dyntransition noatsecure))
+(class dir (ioctl read write create getattr setattr lock rename open watch watch_reads relabelfrom relabelto append map unlink link add_name remove_name reparent search rmdir execute quotaon watch_with_perm watch_sb watch_mount execmod audit_access mounton))
+(class udp_socket (ioctl read write getattr setattr connect getopt setopt recvfrom sendto node_bind name_bind create lock append map bind shutdown))
+(class anon_inode (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads))
+(class unix_dgram_socket (ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown sendto))
+(class fifo_file (ioctl read write getattr lock append map open watch watch_reads))
+(class lnk_file (ioctl read getattr lock map open watch watch_reads))
+(class lockdown (confidentiality))
+(class netlink_route_socket (read write create getattr setattr lock append connect getopt setopt shutdown nlmsg_read bind nlmsg_getneigh nlmsg_readpriv))
+(class tcp_socket (node_bind name_bind ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown))
+(class rawip_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
+(class icmp_socket (node_bind ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown))
+(class binder (call transfer))
+(class chr_file (ioctl read write getattr lock append map open watch watch_reads))
+(class hwservice_manager (find))
+
+(typeattribute domain)
+(typeattribute coredomain)
+(typeattribute netdomain)
+(typeattribute appdomain)
+
+(type activity_service)
+(type activity_task_service)
+(type adbd)
+(type adsprpcd)
+(type aidl_lazy_test_server)
+(type airbrush)
+(type apexd)
+(type apexd_derive_classpath)
+(type apex_test_prepostinstall)
+(type appdomain_tmpfs)
+(type appops_service)
+(type app_zygote)
+(type artd)
+(type atrace)
+(type audioserver)
+(type audioserver_service)
+(type audio_service)
+(type auditctl)
+(type automotive_display_service)
+(type batteryproperties_service)
+(type batterystats_service)
+(type binder_device)
+(type blank_screen)
+(type blkid)
+(type blkid_untrusted)
+(type bluetooth)
+(type bootanim)
+(type bootstat)
+(type boringssl_self_test)
+(type bpfloader)
+(type bt_logger)
+(type bufferhubd)
+(type cameraserver)
+(type canhalconfigurator)
+(type cbrs_setup_app)
+(type cdsprpcd)
+(type charger)
+(type charger_vendor)
+(type chre)
+(type citadeld)
+(type citadel_provision)
+(type clatd)
+(type cnd)
+(type codec2_config_prop)
+(type color_init)
+(type composd)
+(type compos_fd_server)
+(type compos_verify)
+(type con_monitor_app)
+(type connectivity_service)
+(type connmetrics_service)
+(type cppreopts)
+(type crash_dump)
+(type crash_dump_exec)
+(type credstore)
+(type crosvm)
+(type dataservice_app)
+(type derive_classpath)
+(type derive_sdk)
+(type device_config_nnapi_native_prop)
+(type device_drop_monitor)
+(type deviceidle_service)
+(type dex2oat)
+(type dexoptanalyzer)
+(type dhcp)
+(type diag)
+(type diced)
+(type display_service)
+(type dmabuf_system_heap_device)
+(type dmabuf_system_secure_heap_device)
+(type dmesgd)
+(type dnsmasq)
+(type drmserver)
+(type dropbox_service)
+(type dumpstate)
+(type e2fs)
+(type ephemeral_app)
+(type evsmanagerd)
+(type extra_free_kbytes)
+(type face_debug)
+(type fastbootd)
+(type fingerprintd)
+(type flags_health_check)
+(type font_service)
+(type fsck)
+(type fsck_untrusted)
+(type fstman)
+(type fsverity_init)
+(type fwk_bufferhub)
+(type game_service)
+(type gatekeeperd)
+(type gki_apex_prepostinstall)
+(type gmscore_app)
+(type google_camera_app)
+(type google_touch_app)
+(type gpu_device)
+(type gpu_service)
+(type gpuservice)
+(type graphicsstats_service)
+(type grilservice_app)
+(type gsid)
+(type hal_allocator_default)
+(type hal_allocator_server)
+(type hal_atrace_default)
+(type hal_audiocontrol_default)
+(type hal_audio_default)
+(type hal_authsecret_default)
+(type hal_bluetooth_btlinux)
+(type hal_bluetooth_default)
+(type hal_bluetooth_qti)
+(type hal_bootctl_default)
+(type hal_broadcastradio_default)
+(type hal_camera_default)
+(type hal_can_socketcan)
+(type hal_cas_default)
+(type hal_cas_hwservice)
+(type hal_cas_server)
+(type hal_codec2_hwservice)
+(type hal_codec2_server)
+(type hal_configstore_default)
+(type hal_configstore_ISurfaceFlingerConfigs)
+(type hal_configstore_server)
+(type hal_confirmationui_default)
+(type hal_contexthub_default)
+(type hal_dice_default)
+(type hal_display_color_default)
+(type hal_drm_clearkey)
+(type hal_drm_clearkey_aidl)
+(type hal_drm_default)
+(type hal_drm_server)
+(type hal_drm_widevine)
+(type hal_dumpstate_default)
+(type hal_dumpstate_impl)
+(type hal_evs_default)
+(type hal_face_default)
+(type hal_fingerprint_default)
+(type hal_gatekeeper_default)
+(type hal_gatekeeper_qti)
+(type hal_gnss_default)
+(type hal_gnss_qti)
+(type hal_graphics_allocator_default)
+(type hal_graphics_allocator_hwservice)
+(type hal_graphics_allocator_server)
+(type hal_graphics_allocator_service)
+(type hal_graphics_composer_default)
+(type hal_graphics_mapper_hwservice)
+(type hal_health_default)
+(type hal_health_storage_default)
+(type hal_identity_citadel)
+(type hal_identity_default)
+(type hal_imsrtp)
+(type hal_input_classifier_default)
+(type hal_input_processor_default)
+(type hal_ir_default)
+(type hal_keymaster_citadel)
+(type hal_keymaster_default)
+(type hal_keymaster_qti)
+(type hal_keymint_citadel)
+(type hal_keymint_default)
+(type hal_light_default)
+(type hal_lowpan_default)
+(type hal_memtrack_default)
+(type hal_neuralnetworks_darwinn)
+(type hal_neuralnetworks_default)
+(type hal_neuralnetworks_hwservice)
+(type hal_neuralnetworks_server)
+(type hal_neuralnetworks_service)
+(type hal_nfc_default)
+(type hal_oemlock_default)
+(type hal_omx_hwservice)
+(type hal_omx_server)
+(type hal_power_default)
+(type hal_power_stats_default)
+(type hal_qseecom_default)
+(type hal_qteeconnector_qti)
+(type hal_radio_config_default)
+(type hal_radio_default)
+(type hal_radioext_default)
+(type hal_rcsservice)
+(type hal_rebootescrow_citadel)
+(type hal_rebootescrow_default)
+(type hal_renderscript_hwservice)
+(type hal_secure_element_default)
+(type hal_sensors_default)
+(type hal_tetheroffload_default)
+(type hal_thermal_default)
+(type hal_tui_comm_qti)
+(type hal_tv_cec_default)
+(type hal_tv_input_default)
+(type hal_tv_tuner_default)
+(type hal_tv_tuner_server)
+(type hal_usb_default)
+(type hal_usb_gadget_default)
+(type hal_usb_gadget_impl)
+(type hal_usb_impl)
+(type hal_uwb_default)
+(type hal_vehicle_default)
+(type hal_vibrator_default)
+(type hal_vr_default)
+(type hal_weaver_citadel)
+(type hal_weaver_default)
+(type hal_wifi_default)
+(type hal_wifi_ext)
+(type hal_wifi_hostapd_default)
+(type hal_wifi_supplicant_default)
+(type hal_wlc)
+(type hardware_info_app)
+(type hardware_properties_service)
+(type hbmsvmanager_app)
+(type healthd)
+(type heapprofd)
+(type heapprofd_socket)
+(type heapprofd_tmpfs)
+(type hidl_allocator_hwservice)
+(type hidl_lazy_test_server)
+(type hidl_manager_hwservice)
+(type hidl_memory_hwservice)
+(type hidl_token_hwservice)
+(type hint_service)
+(type hwbinder_device)
+(type hwservicemanager)
+(type hwservicemanager_prop)
+(type idmap)
+(type imms_service)
+(type ims)
+(type incident)
+(type incidentd)
+(type incident_helper)
+(type init)
+(type init_citadel)
+(type init_dp)
+(type init-insmod-sh)
+(type init-mm-logging-sh)
+(type init-qti-keymaster-sh)
+(type init_radio)
+(type init-thermal-logging-sh)
+(type init-thermal-symlinks-sh)
+(type inputflinger)
+(type input_method_service)
+(type input_service)
+(type installd)
+(type ion_device)
+(type IProxyService_service)
+(type ipsec_service)
+(type irsc_util)
+(type isolated_app)
+(type iw)
+(type kernel)
+(type keystore)
+(type launcherapps_service)
+(type legacy_permission_service)
+(type light_service)
+(type linkerconfig)
+(type llkd)
+(type lmkd)
+(type locale_service)
+(type location)
+(type logd)
+(type logger_app)
+(type logpersist)
+(type lpdumpd)
+(type mdm_helper)
+(type mdnsd)
+(type mediacodec)
+(type media_communication_service)
+(type mediadrmserver)
+(type mediaextractor)
+(type mediaextractor_service)
+(type mediametrics)
+(type mediametrics_service)
+(type media_projection_service)
+(type mediaprovider)
+(type mediaprovider_app)
+(type media_router_service)
+(type mediaserver)
+(type mediaserver_service)
+(type media_session_service)
+(type mediaswcodec)
+(type mediatranscoding)
+(type mediatuner)
+(type media_variant_prop)
+(type memtrackproxy_service)
+(type midi_service)
+(type migrate_legacy_obb_data)
+(type mm_events)
+(type modem_diagnostic_app)
+(type modem_svc)
+(type modprobe)
+(type msm_irqbalanced)
+(type mtectrl)
+(type mtp)
+(type netd)
+(type netmgrd)
+(type netpolicy_service)
+(type netstats_service)
+(type netutils_wrapper)
+(type network_management_service)
+(type network_stack)
+(type nfc)
+(type nnapi_ext_deny_product_prop)
+(type notification_service)
+(type obdm_app)
+(type odrefresh)
+(type odsign)
+(type omadm_app)
+(type oslo_app)
+(type otapreopt_chroot)
+(type otapreopt_slot)
+(type package_service)
+(type perfetto)
+(type performanced)
+(type permission_checker_service)
+(type permissioncontroller_app)
+(type permissionmgr_service)
+(type permission_service)
+(type pixelstats_system)
+(type pixelstats_vendor)
+(type pixel-thermal-control-sh)
+(type platform_app)
+(type platform_compat_service)
+(type port-bridge)
+(type postinstall)
+(type postinstall_dexopt)
+(type power_service)
+(type ppp)
+(type preloads_copy)
+(type preopt2cachename)
+(type priv_app)
+(type procstats_service)
+(type profcollectd)
+(type profman)
+(type qlogd)
+(type qrtr)
+(type qtelephony)
+(type qtidataservices_app)
+(type qti_init_shell)
+(type racoon)
+(type radio)
+(type radio_data_file)
+(type ramdump_app)
+(type ramoops)
+(type recovery)
+(type recovery_persist)
+(type recovery_refresh)
+(type registry_service)
+(type remote_prov_app)
+(type remount)
+(type restrictions_service)
+(type rfs_access)
+(type ril_config_service_app)
+(type rild)
+(type rlsservice)
+(type rmt_storage)
+(type rs)
+(type rss_hwm_reset)
+(type rttmanager_service)
+(type runas)
+(type runas_app)
+(type same_process_hal_file)
+(type sdcardd)
+(type sdk_sandbox)
+(type sdk_sandbox_data_file)
+(type sdk_sandbox_system_data_file)
+(type search_service)
+(type sec_nvm)
+(type secure_element)
+(type secure_ui_service_app)
+(type selection_toolbar_service)
+(type sensor_privacy_service)
+(type sensors)
+(type sensorservice_service)
+(type servicediscovery_service)
+(type servicemanager)
+(type settings_service)
+(type sgdisk)
+(type shared_relro)
+; (type shell)
+(type simpleperf)
+(type simpleperf_app_runner)
+(type simpleperf_boot)
+(type slideshow)
+(type smcinvoke_daemon)
+(type snapshotctl)
+(type snapuserd)
+(type spdaemon)
+(type speech_recognition_service)
+(type sprint_hidden_menu)
+(type ssr_detector_app)
+(type stats)
+(type statsd)
+(type statusbar_service)
+(type storaged)
+(type storagestats_service)
+(type su)
+(type surfaceflinger)
+(type surfaceflinger_service)
+(type sysfs_gpu)
+(type system_app)
+(type system_linker_exec)
+(type system_server)
+(type system_server_startup)
+(type system_suspend)
+(type tcpdump_logger)
+(type tee)
+(type telecom_service)
+(type tethering_service)
+(type textclassification_service)
+(type textclassifier_data_file)
+(type textservices_service)
+(type texttospeech_service)
+(type thermal-engine)
+(type thermal_service)
+(type time_daemon)
+(type timeservice_app)
+(type tmpfs)
+(type tombstoned)
+(type toolbox)
+(type traced)
+(type traced_perf)
+(type traced_perf_socket)
+(type traced_probes)
+(type traced_producer_socket)
+(type traced_tmpfs)
+(type traceur_app)
+(type translation_service)
+(type tv_iapp_service)
+(type tv_input_service)
+(type twoshay)
+(type ueventd)
+(type uimode_service)
+(type uncrypt)
+(type untrusted_app)
+(type untrusted_app_25)
+(type untrusted_app_27)
+(type untrusted_app_29)
+(type untrusted_app_30)
+(type update_engine)
+(type update_verifier)
+(type usbd)
+(type uscc_omadm)
+(type uv_exposure_reporter)
+(type vcn_management_service)
+(type vdc)
+(type vehicle_binding_util)
+(type vendor_boringssl_self_test)
+(type vendor_file)
+(type vendor_ia_crash_dump)
+(type vendor_init)
+(type vendor_install_recovery)
+(type vendor_misc_writer)
+(type vendor_modprobe)
+(type vendor_pd_mapper)
+(type vendor_per_mgr)
+(type vendor_shell)
+(type vendor_ssr_diag)
+(type vendor_ssr_setup)
+(type vendor_subsystem_ramdump)
+(type viewcompiler)
+(type virtualizationservice)
+(type virtual_touchpad)
+(type vndservicemanager)
+(type vold)
+(type vold_prepare_subdirs)
+(type vzw_omadm_connmo)
+(type vzw_omadm_dcmo)
+(type vzw_omadm_diagmon)
+(type vzw_omadm_trigger)
+(type vzwomatrigger_app)
+(type wait_for_keymaster)
+(type wait_for_strongbox)
+(type watchdogd)
+(type wcnss_service)
+(type webviewupdate_service)
+(type webview_zygote)
+(type wfc_activation_app)
+(type wificond)
+(type wifidisplayhalservice_qti)
+(type wifi_sniffer)
+(type wigighalsvc)
+(type wigignpt)
+(type wpantund)
+(type zygote)
+
+(type boot_status_prop)
+(allow dumpstate domain (dir (ioctl read getattr lock open watch watch_reads search)))
+(allow coredomain boot_status_prop (file (read getattr map open)))
+(allow netdomain netd (unix_stream_socket (connectto)))
+(allow appdomain traced (fd (use)))
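Review bot: The file has no header explaining its role, and its last four lines are `allow` rules for `dumpstate`, `coredomain`, `netdomain` and `appdomain` rather than definitions, so a reader cannot tell whether they are intentional or leftovers; likewise `; (type shell)` near the end of the type list is a commented-out duplicate of the earlier `(type shell)` with no note, and `(sid test)`/`(sidorder (test))` is an unexplained placeholder. The type list also hard-codes many vendor- and device-specific types (`hal_keymaster_qti`, `citadeld`, `vzw_omadm_*`, `pixelstats_vendor`), and it is not clear from the change how the host test behaves against a device whose precompiled policy lacks some of them or declares extra ones. Suggest a header comment stating that this file supplies the class, type, attribute and role declarations that filtering strips from the decompiled apex policy so the result can be compared by SeamendcHostTest, plus a comment above the four allow rules explaining why they have to be re-added.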
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
new file mode 100644
index 0000000..f3f9a67
--- /dev/null
+++ b/com.android.sepolicy/33/sdk_sandbox.te
@@ -0,0 +1,112 @@
+###
+### SDK Sandbox process.
+###
+### This file extends the sdk sandbox policy at system/sepolicy/private/sdk_sandbox.te
+
+typeattribute sdk_sandbox domain;
+typeattribute sdk_sandbox coredomain;
+
+net_domain(sdk_sandbox)
+app_domain(sdk_sandbox)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+# Audit the access to signal that we are still investigating whether sdk_sandbox
+# should have access to audio_service
+# TODO(b/211632068): remove this line
+auditallow sdk_sandbox audio_service:service_manager find;
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(sdk_sandbox)
+
+# Allow profiling if the app opts in by being marked profileable/debuggable.
+can_profile_heap(sdk_sandbox)
+can_profile_perf(sdk_sandbox)
+
+# allow sdk sandbox to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow sdk_sandbox system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
+allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
+allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
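Review bot: The header says this file "extends" system/sepolicy/private/sdk_sandbox.te, but after this change the private file keeps only `type sdk_sandbox;` and its neverallow section, while the `domain`/`coredomain` attributes and every allow rule live here, so this file is effectively the domain's definition and the apex version directory (`33/`) decides which rules a device gets. That is worth stating because the fail-closed consequence is security-relevant: without the apex policy `sdk_sandbox` has no `domain` attribute and no permissions. Suggest replacing the header line with `### This file defines the sdk_sandbox domain. system/sepolicy/private/sdk_sandbox.te keeps only the type declaration and the neverallow rules, which are still enforced against the rules here when the apex conf is compiled with the platform policy.` The `auditallow`/TODO(b/211632068) pair was carried over verbatim; since this copy now ships in an updatable apex, the bug should record that the line has to be removed here rather than in the platform policy.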
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..1bb2c21 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -3,114 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes.
 
-type sdk_sandbox, domain;
-
-typeattribute sdk_sandbox coredomain;
-
-net_domain(sdk_sandbox)
-app_domain(sdk_sandbox)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
-
-# allow sdk sandbox to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow sdk_sandbox system_server:udp_socket {
-        connect getattr read recvfrom sendto write getopt setopt };
-
-# allow sandbox to search in sdk system server directory
-# additionally, for webview to work, getattr has been permitted
-allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
-# allow sandbox to create files and dirs in sdk data directory
-allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
-allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
+type sdk_sandbox;
 
 ###
 ### neverallow rules
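Review bot: The new `type sdk_sandbox;` line drops the `domain` attribute with no comment, and the unchanged header above it still says the file "defines the security policy for the sdk sandbox processes", which is no longer true: all allow rules and the `domain`/`coredomain` attributes now live in com.android.sepolicy/33/sdk_sandbox.te. A reader landing here will wonder why a type without `domain` keeps a neverallow section. Suggest, above `type sdk_sandbox;`, the comment `# Only the type is declared here. The domain/coredomain attributes and all allow rules are supplied by the com.android.sepolicy apex (com.android.sepolicy/33/sdk_sandbox.te); the neverallow rules below still constrain it.` The neverallow section continues past the hunk.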