| Bram Bonne | b93f26f | 2022-03-15 18:28:02 +0100 | [diff] [blame] | 1 | ### |
| 2 | ### SDK Sandbox process. |
| 3 | ### |
| 4 | ### This file defines the security policy for the sdk sandbox processes. |
| 5 | |
| 6 | type sdk_sandbox, domain; |
| 7 | |
| 8 | typeattribute sdk_sandbox coredomain; |
| 9 | |
| 10 | net_domain(sdk_sandbox) |
| 11 | app_domain(sdk_sandbox) |
| 12 | |
| 13 | # Allow finding services. This is different from ephemeral_app policy. |
| 14 | # Adding services manually to the allowlist is preferred hence app_api_service is not used. |
| 15 | allow sdk_sandbox activity_service:service_manager find; |
| 16 | allow sdk_sandbox activity_task_service:service_manager find; |
| 17 | allow sdk_sandbox audio_service:service_manager find; |
| 18 | # Audit the access to signal that we are still investigating whether sdk_sandbox |
| 19 | # should have access to audio_service |
| 20 | # TODO(b/211632068): remove this line |
| 21 | auditallow sdk_sandbox audio_service:service_manager find; |
| 22 | allow sdk_sandbox hint_service:service_manager find; |
| 23 | allow sdk_sandbox surfaceflinger_service:service_manager find; |
| Shiwangi Shah | 155d318 | 2022-03-24 12:52:32 +0000 | [diff] [blame] | 24 | allow sdk_sandbox thermal_service:service_manager find; |
| Bram Bonne | b93f26f | 2022-03-15 18:28:02 +0100 | [diff] [blame] | 25 | allow sdk_sandbox trust_service:service_manager find; |
| 26 | allow sdk_sandbox uimode_service:service_manager find; |
| 27 | allow sdk_sandbox webviewupdate_service:service_manager find; |
| 28 | |
| 29 | # Write app-specific trace data to the Perfetto traced damon. This requires |
| 30 | # connecting to its producer socket and obtaining a (per-process) tmpfs fd. |
| 31 | perfetto_producer(sdk_sandbox) |
| 32 | |
| 33 | # Allow profiling if the app opts in by being marked profileable/debuggable. |
| 34 | can_profile_heap(sdk_sandbox) |
| 35 | can_profile_perf(sdk_sandbox) |
| 36 | |
| 37 | # allow sdk sandbox to use UDP sockets provided by the system server but not |
| 38 | # modify them other than to connect |
| 39 | allow sdk_sandbox system_server:udp_socket { |
| 40 | connect getattr read recvfrom sendto write getopt setopt }; |
| 41 | |
| 42 | # allow access to sdksandbox data directory |
| 43 | allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms; |
| 44 | allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms; |
| 45 | |
| 46 | ### |
| 47 | ### neverallow rules |
| 48 | ### |
| 49 | |
| 50 | neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans }; |
| 51 | |
| 52 | # Receive or send uevent messages. |
| 53 | neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *; |
| 54 | |
| 55 | # Receive or send generic netlink messages |
| 56 | neverallow sdk_sandbox domain:netlink_socket *; |
| 57 | |
| 58 | # Too much leaky information in debugfs. It's a security |
| 59 | # best practice to ensure these files aren't readable. |
| 60 | neverallow sdk_sandbox debugfs:file read; |
| 61 | |
| 62 | # execute gpu_device |
| 63 | neverallow sdk_sandbox gpu_device:chr_file execute; |
| 64 | |
| 65 | # access files in /sys with the default sysfs label |
| 66 | neverallow sdk_sandbox sysfs:file *; |
| 67 | |
| 68 | # Avoid reads from generically labeled /proc files |
| 69 | # Create a more specific label if needed |
| 70 | neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms }; |
| 71 | |
| 72 | # Directly access external storage |
| 73 | neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create}; |
| 74 | neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search; |
| 75 | |
| 76 | # Avoid reads to proc_net, it contains too much device wide information about |
| 77 | # ongoing connections. |
| 78 | neverallow sdk_sandbox proc_net:file no_rw_file_perms; |
| 79 | |
| 80 | # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file |
| 81 | neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms; |
| 82 | neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms; |
| 83 | |
| 84 | # SDK sandbox processes don't have any access to external storage |
| 85 | neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms; |
| 86 | neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms; |
| 87 | |
| 88 | neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms; |
| Bram Bonne | 85dfe31 | 2022-03-23 17:48:48 +0100 | [diff] [blame] | 89 | |
| 90 | neverallow sdk_sandbox hal_drm_service:service_manager find; |