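###
### sdk_sandbox_all
###
### This file defines the rules shared by all sdk_sandbox_all domains.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
### directory). The sdk_sandbox_all attribute is assigned to all default
### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
### value as determined from mac_permissions.xml.

# Execute the system linker without a domain transition.
allow sdk_sandbox_all system_linker_exec:file execute_no_trans;

# Required to read CTS tests data from the shell_data_file location.
allow sdk_sandbox_all shell_data_file:file r_file_perms;
allow sdk_sandbox_all shell_data_file:dir r_dir_perms;

# Allow the sdk sandbox to use UDP sockets provided by the system server.
# The sandbox may connect, send/receive, and get or set socket options, but it
# is not granted create/bind/listen/shutdown, so it cannot manage the socket's
# lifecycle.
# NOTE(review): setopt lets the sandbox change options on a system_server-owned
# socket, which is more than "connect only"; confirm it is required and drop it
# if not.
allow sdk_sandbox_all system_server:udp_socket {
    connect getattr read recvfrom sendto write getopt setopt };

# Allow the sandbox to search in the sdk sandbox system data directory.
# Additionally, for webview to work, getattr has been permitted.
allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
# Allow the sandbox to create files and dirs in its own sdk data directory.
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;

# Allow apps to pass open fds to the sdk sandbox. Only getattr and read are
# granted; the neverallow rules below forbid everything else on
# app_data_file_type.
allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };

###
### neverallow rules
###

# Never execute code from any app data file type, with or without a transition.
neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };

# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages.
neverallow sdk_sandbox_all domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow sdk_sandbox_all debugfs_type:file read;

# Execute gpu_device.
neverallow sdk_sandbox_all gpu_device:chr_file execute;

# Access files in /sys with the default sysfs label.
neverallow sdk_sandbox_all sysfs:file *;

# Avoid reads from generically labeled /proc files.
# Create a more specific label if needed.
neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };

# Directly access external storage.
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file { open create };
neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;

# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;

# SDK sandbox processes have their own storage not related to app_data_file or
# privapp_data_file. The ~{ getattr read } carve-out on :file is what permits
# the fd-passing allow rule above and nothing more.
# TODO(b/280514080): shell_data_file shouldn't be allowed here
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };

# SDK sandbox processes don't have any access to external storage.
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;

# No read/write access to generically labeled tmpfs directories.
neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;

# The sandbox must not look up the DRM HAL through servicemanager.
neverallow sdk_sandbox_all hal_drm_service:service_manager find;

# Only certain system components should have access to
# sdk_sandbox_system_data_file. sdk_sandbox_all only needs search, which is
# restricted in a follow-up neverallow rule below.
neverallow {
    domain
    -init
    -installd
    -system_server
    -vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { relabelfrom };

neverallow {
    domain
    -init
    -installd
    -sdk_sandbox_all
    -system_server
    -vold_prepare_subdirs
    -zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

# sdk_sandbox_all only needs to traverse through sdk_sandbox_system_data_file.
neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };

# Only dirs should be created at the sdk_sandbox_system_data_file level.
neverallow { domain -init } sdk_sandbox_system_data_file:file *;

# Restrict unix stream sockets for IPC.
neverallow sdk_sandbox_all {
    domain
    -sdk_sandbox_all
    -netd
    -logd
    -adbd
    userdebug_or_eng(`-su')
    # needed for profiling
    -traced
    -traced_perf
    -heapprofd
    # fallback crash handling for processes that can't exec crash_dump.
    -tombstoned
    # needed to connect to PRNG seeder daemon.
    -prng_seeder
}:unix_stream_socket connectto;
neverallow {
    domain
    -adbd
    -sdk_sandbox_all
} sdk_sandbox_all:unix_stream_socket connectto;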