###
### SDK Sandbox process.
###
### This file defines the SELinux policy for the SDK sandbox (sdk_sandbox) processes.

# Domain for SDK sandbox processes. Declared with the domain and coredomain
# attributes in a single statement (equivalent to a separate typeattribute).
type sdk_sandbox, domain, coredomain;

# Pull in the networking and per-app baseline rule sets (macros defined
# elsewhere in the policy).
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)

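# TODO(b/252967582): remove this rule if it generates too much log traffic.
#
# auditallow does not grant anything: it only logs property-file reads that
# some other rule already permits. Every property type the sandbox is known
# to read is subtracted below so the audit log only shows unexpected reads.
# Keep the subtraction list free of duplicates (each type once).
auditallow sdk_sandbox {
    property_type
    # remove expected properties to reduce noise.
    -servicemanager_prop
    -hwservicemanager_prop
    -use_memfd_prop
    -binder_cache_system_server_prop
    -graphics_config_prop
    -persist_wm_debug_prop
    -aaudio_config_prop
    -adbd_config_prop
    -apex_ready_prop
    -apexd_select_prop
    -arm64_memtag_prop
    -audio_prop
    -binder_cache_bluetooth_server_prop
    -binder_cache_telephony_server_prop
    -bluetooth_config_prop
    -boot_status_prop
    -bootloader_prop
    -bq_config_prop
    -build_odm_prop
    -build_prop
    -build_vendor_prop
    -camera2_extensions_prop
    -camera_calibration_prop
    -camera_config_prop
    -camerax_extensions_prop
    -codec2_config_prop
    -config_prop
    -cppreopt_prop
    -dalvik_config_prop_type
    -dalvik_prop
    -dalvik_runtime_prop
    -dck_prop
    -debug_prop
    -debuggerd_prop
    -default_prop
    -device_config_memory_safety_native_boot_prop
    -device_config_memory_safety_native_prop
    -device_config_nnapi_native_prop
    -device_config_runtime_native_boot_prop
    -device_config_runtime_native_prop
    -dhcp_prop
    -dumpstate_prop
    -exported3_system_prop
    -exported_config_prop
    -exported_default_prop
    -exported_dumpstate_prop
    -exported_pm_prop
    -exported_system_prop
    -ffs_config_prop
    -fingerprint_prop
    -framework_status_prop
    -gwp_asan_prop
    -hal_instrumentation_prop
    -hdmi_config_prop
    -heapprofd_prop
    -hw_timeout_multiplier_prop
    -init_service_status_private_prop
    -init_service_status_prop
    -libc_debug_prop
    -lmkd_config_prop
    -locale_prop
    -localization_prop
    -log_file_logger_prop
    -log_prop
    -log_tag_prop
    -logd_prop
    -media_config_prop
    -media_variant_prop
    -mediadrm_config_prop
    -module_sdkextensions_prop
    -net_radio_prop
    -nfc_prop
    -nnapi_ext_deny_product_prop
    -ota_prop
    -packagemanager_config_prop
    -pan_result_prop
    -permissive_mte_prop
    -persist_debug_prop
    -persist_sysui_builder_extras_prop
    -pm_prop
    -powerctl_prop
    -property_service_version_prop
    -radio_control_prop
    -radio_prop
    -restorecon_prop
    -rollback_test_prop
    -sendbug_config_prop
    -setupwizard_prop
    -shell_prop
    -soc_prop
    -socket_hook_prop
    -sqlite_log_prop
    -storagemanager_config_prop
    -surfaceflinger_color_prop
    -surfaceflinger_prop
    -system_prop
    -system_user_mode_emulation_prop
    -systemsound_config_prop
    -telephony_config_prop
    -telephony_status_prop
    -test_harness_prop
    -timezone_prop
    -usb_config_prop
    -usb_control_prop
    -usb_prop
    -userdebug_or_eng_prop
    -userspace_reboot_config_prop
    -userspace_reboot_exported_prop
    -userspace_reboot_log_prop
    -userspace_reboot_test_prop
    -vendor_socket_hook_prop
    -vndk_prop
    -vold_config_prop
    -vold_prop
    -vold_status_prop
    -vts_config_prop
    -vts_status_prop
    -wifi_log_prop
    -zygote_config_prop
    -zygote_wrap_prop
}:file { getattr open read map };
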
# Binder services the sandbox may look up through servicemanager.
#
# This deliberately differs from the ephemeral_app policy: the blanket
# app_api_service attribute is not used, so every reachable service has to be
# added here explicitly and reviewed as a policy change. Keep the list sorted,
# one service per line.
allow sdk_sandbox {
    activity_service
    activity_task_service
    appops_service
    audio_service
    audioserver_service
    batteryproperties_service
    batterystats_service
    connectivity_service
    connmetrics_service
    deviceidle_service
    display_service
    dropbox_service
    font_service
    game_service
    gpu_service
    graphicsstats_service
    hardware_properties_service
    hint_service
    imms_service
    input_method_service
    input_service
    IProxyService_service
    ipsec_service
    launcherapps_service
    legacy_permission_service
    light_service
    locale_service
    media_communication_service
    mediaextractor_service
    mediametrics_service
    media_projection_service
    media_router_service
    mediaserver_service
    media_session_service
    memtrackproxy_service
    midi_service
    netpolicy_service
    netstats_service
    network_management_service
    notification_service
    package_service
    permission_checker_service
    permission_service
    permissionmgr_service
    platform_compat_service
    power_service
    procstats_service
    registry_service
    restrictions_service
    rttmanager_service
    search_service
    selection_toolbar_service
    sensor_privacy_service
    sensorservice_service
    servicediscovery_service
    settings_service
    speech_recognition_service
    statusbar_service
    storagestats_service
    surfaceflinger_service
    telecom_service
    tethering_service
    textclassification_service
    textservices_service
    texttospeech_service
    thermal_service
    translation_service
    tv_iapp_service
    tv_input_service
    uimode_service
    vcn_management_service
    webviewupdate_service
}:service_manager find;

# Permit executing system_linker_exec files without a domain transition
# (execute_no_trans): the process stays in the sdk_sandbox domain.
allow sdk_sandbox system_linker_exec:file execute_no_trans;

# Read-only access to shell_data_file so CTS tests can stage input data
# for the sandbox there.
# NOTE(review): this grant is unconditional - it is not wrapped in
# userdebug_or_eng() - so it also applies on user builds; confirm that is
# intended and not a test-only need.
allow sdk_sandbox shell_data_file:file r_file_perms;
allow sdk_sandbox shell_data_file:dir r_dir_perms;

# Allow the sandbox to use UDP sockets handed to it by system_server.
# The permission set is deliberately narrower than '*': it covers connect,
# send/receive, getattr and socket-option get/set, but NOT create, bind,
# listen, accept, shutdown or setattr. Note that setopt is included, so the
# sandbox can change socket options on these sockets.
allow sdk_sandbox system_server:udp_socket {
    connect getattr read recvfrom sendto write getopt setopt };

# The sandbox only needs to traverse (search) sdk_sandbox_system_data_file
# directories; getattr is additionally required for webview to work.
# A neverallow later in this file pins this domain to exactly
# { getattr search } on that directory type.
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
# The sandbox's own data lives under sdk_sandbox_data_file, where it may
# create directories and files.
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;

###
### neverallow rules
###

# No code execution out of app-private, privapp or sandbox data files.
neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };

# No uevent (kobject) or generic netlink sockets, whichever domain owns them.
neverallow sdk_sandbox domain:{ netlink_kobject_uevent_socket netlink_socket } *;

# debugfs leaks too much device state; it must stay unreadable from here.
neverallow sdk_sandbox debugfs:file read;

# The GPU device node is never executable.
neverallow sdk_sandbox gpu_device:chr_file execute;

# Nothing with the generic sysfs label is accessible; give such files a
# specific label if the sandbox genuinely needs one.
neverallow sdk_sandbox sysfs:file *;

# Likewise for generically labeled /proc files: no read, write or execute.
# Create a more specific label if needed.
neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };

# No direct access to external storage.
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file { open create };
neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;

# proc_net exposes device-wide connection state; keep it out of reach.
neverallow sdk_sandbox proc_net:file no_rw_file_perms;

# The sandbox has its own storage: app_data_file and privapp_data_file are
# entirely off limits (same perms denied on dirs and files).
neverallow sdk_sandbox { app_data_file privapp_data_file }:{ dir file } no_rw_file_perms;

# And no access at all to the external storage backing files.
neverallow sdk_sandbox media_rw_data_file:{ dir file } no_rw_file_perms;

neverallow sdk_sandbox tmpfs:dir no_rw_file_perms;

# The DRM HAL must not be discoverable from the sandbox.
neverallow sdk_sandbox hal_drm_service:service_manager find;

# Only a few system components may manage sdk_sandbox_system_data_file.
# sdk_sandbox itself only needs search; it is pinned down by a follow-up
# neverallow below. Note that sdk_sandbox is NOT excluded here, so it may
# never relabel these directories away from their type.
neverallow {
    domain
    -init
    -installd
    -system_server
    -vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };

# Creating/modifying these directories or relabeling into the type is
# limited to the listed domains. sdk_sandbox and zygote are excluded from
# this neverallow only so the narrower rule below can state exactly what
# sdk_sandbox gets.
neverallow {
    domain
    -init
    -installd
    -sdk_sandbox
    -system_server
    -vold_prepare_subdirs
    -zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

# sdk_sandbox may do nothing on these directories beyond getattr and search
# (i.e. traversal); every other dir permission is forbidden.
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };

# Only directories live at the sdk_sandbox_system_data_file level: no domain
# other than init may touch a *file* of this type in any way.
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
304neverallow { domain -init } sdk_sandbox_system_data_file:file *;