| Sandro Montanari | 4db0e27 | 2023-10-19 15:00:55 +0000 | [diff] [blame^] | 1 | ### |
| 2 | ### SDK Sandbox process. |
| 3 | ### |
| 4 | ### This file defines the audit sdk sandbox security policy for |
| 5 | ### the set of restrictions proposed for the next SDK level. |
| 6 | ### |
| 7 | ### The sdk_sandbox_audit domain has the same rules as the |
| 8 | ### sdk_sandbox_current domain and additional auditing rules |
| 9 | ### for the accesses we are considering forbidding in the upcoming |
| 10 | ### sdk_sandbox_next domain. |
| 11 | type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current; |
| 12 | |
| 13 | net_domain(sdk_sandbox_audit) |
| 14 | app_domain(sdk_sandbox_audit) |
| 15 | |
| 16 | # Auditallow rules for accesses that are currently allowed but we |
| 17 | # might remove in the future. |
| 18 | |
| 19 | auditallow sdk_sandbox_audit { |
| 20 | cameraserver_service |
| 21 | ephemeral_app_api_service |
| 22 | mediadrmserver_service |
| 23 | radio_service |
| 24 | }:service_manager find; |
| 25 | |
| 26 | auditallow sdk_sandbox_audit { |
| 27 | property_type |
| 28 | -system_property_type |
| 29 | }:file rw_file_perms; |
| 30 | |
| 31 | auditallow sdk_sandbox_audit { |
| 32 | property_type |
| 33 | -system_property_type |
| 34 | }:dir rw_dir_perms; |