Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / b93f26fd899ba19d77af9444c9f60e4a4478070d / . / private / sdk_sandbox.te
blob: 782bb468d7f8153602fab20b39b0eac366d18565 [file] [log] [blame]
Bram Bonneb93f26f2022-03-15 18:28:02 +0100[diff] [blame^]1###
2### SDK Sandbox process.
3###
4### This file defines the security policy for the sdk sandbox processes.
5
6type sdk_sandbox, domain;
7
8typeattribute sdk_sandbox coredomain;
9
10net_domain(sdk_sandbox)
11app_domain(sdk_sandbox)
12
13# Allow finding services. This is different from ephemeral_app policy.
14# Adding services manually to the allowlist is preferred hence app_api_service is not used.
15allow sdk_sandbox activity_service:service_manager find;
16allow sdk_sandbox activity_task_service:service_manager find;
17allow sdk_sandbox audio_service:service_manager find;
18# Audit the access to signal that we are still investigating whether sdk_sandbox
19# should have access to audio_service
20# TODO(b/211632068): remove this line
21auditallow sdk_sandbox audio_service:service_manager find;
22allow sdk_sandbox hint_service:service_manager find;
23allow sdk_sandbox surfaceflinger_service:service_manager find;
24allow sdk_sandbox trust_service:service_manager find;
25allow sdk_sandbox uimode_service:service_manager find;
26allow sdk_sandbox webviewupdate_service:service_manager find;
27
28# Write app-specific trace data to the Perfetto traced damon. This requires
29# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
30perfetto_producer(sdk_sandbox)
31
32# Allow profiling if the app opts in by being marked profileable/debuggable.
33can_profile_heap(sdk_sandbox)
34can_profile_perf(sdk_sandbox)
35
36# allow sdk sandbox to use UDP sockets provided by the system server but not
37# modify them other than to connect
38allow sdk_sandbox system_server:udp_socket {
39 connect getattr read recvfrom sendto write getopt setopt };
40
41# allow access to sdksandbox data directory
42allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
43allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
44
45###
46### neverallow rules
47###
48
49neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
50
51# Receive or send uevent messages.
52neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
53
54# Receive or send generic netlink messages
55neverallow sdk_sandbox domain:netlink_socket *;
56
57# Too much leaky information in debugfs. It's a security
58# best practice to ensure these files aren't readable.
59neverallow sdk_sandbox debugfs:file read;
60
61# execute gpu_device
62neverallow sdk_sandbox gpu_device:chr_file execute;
63
64# access files in /sys with the default sysfs label
65neverallow sdk_sandbox sysfs:file *;
66
67# Avoid reads from generically labeled /proc files
68# Create a more specific label if needed
69neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
70
71# Directly access external storage
72neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
73neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
74
75# Avoid reads to proc_net, it contains too much device wide information about
76# ongoing connections.
77neverallow sdk_sandbox proc_net:file no_rw_file_perms;
78
79# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
80neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
81neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
82
83# SDK sandbox processes don't have any access to external storage
84neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
85neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
86
87neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;