Blame - private/sdk_sandbox.te - android_system_sepolicy

blob: 3aca881c88b76f13b87395e6e4d52385b33c1676 [file] [log] [blame]

Bram Bonne	b93f26f	2022-03-15 18:28:02 +0100	[diff] [blame]	1	###
				2	### SDK Sandbox process.
				3	###
				4	### This file defines the security policy for the sdk sandbox processes.
				5
Lokesh Gidra	1269a17	2022-08-01 17:20:38 +0000	[diff] [blame]	6	type sdk_sandbox, domain;
				7
				8	typeattribute sdk_sandbox coredomain;
				9
				10	net_domain(sdk_sandbox)
				11	app_domain(sdk_sandbox)
				12
Sandro	692c3ad	2022-09-14 11:58:21 +0000	[diff] [blame]	13	# Allow finding services. This is different from ephemeral_app policy.
				14	# Adding services manually to the allowlist is preferred hence app_api_service is not used.
Mugdha Lakhani	837b232	2023-04-28 09:22:15 +0000	[diff] [blame]	15	allow sdk_sandbox {
				16	activity_service
				17	activity_task_service
				18	appops_service
				19	audio_service
				20	audioserver_service
				21	batteryproperties_service
				22	batterystats_service
				23	cameraserver_service
				24	connectivity_service
				25	connmetrics_service
				26	deviceidle_service
				27	display_service
				28	dropbox_service
				29	ephemeral_app_api_service
				30	font_service
				31	game_service
				32	gpu_service
				33	graphicsstats_service
				34	hardware_properties_service
				35	hint_service
				36	imms_service
				37	input_method_service
				38	input_service
				39	IProxyService_service
				40	ipsec_service
				41	launcherapps_service
				42	legacy_permission_service
				43	light_service
				44	locale_service
				45	media_communication_service
				46	mediadrmserver_service
				47	mediaextractor_service
				48	mediametrics_service
				49	media_projection_service
				50	media_router_service
				51	mediaserver_service
				52	media_session_service
				53	memtrackproxy_service
				54	midi_service
				55	netpolicy_service
				56	netstats_service
				57	network_management_service
				58	notification_service
				59	package_service
				60	permission_checker_service
				61	permission_service
				62	permissionmgr_service
				63	platform_compat_service
				64	power_service
				65	procstats_service
				66	radio_service
				67	registry_service
				68	restrictions_service
				69	rttmanager_service
				70	search_service
				71	selection_toolbar_service
				72	sensor_privacy_service
				73	sensorservice_service
				74	servicediscovery_service
				75	settings_service
				76	speech_recognition_service
				77	statusbar_service
				78	storagestats_service
				79	surfaceflinger_service
				80	telecom_service
				81	tethering_service
				82	textclassification_service
				83	textservices_service
				84	texttospeech_service
				85	thermal_service
				86	translation_service
				87	tv_iapp_service
				88	tv_input_service
				89	uimode_service
				90	vcn_management_service
				91	webviewupdate_service
				92	}:service_manager find;
Sandro	692c3ad	2022-09-14 11:58:21 +0000	[diff] [blame]	93
				94	allow sdk_sandbox system_linker_exec:file execute_no_trans;
				95
Sandro	f7894fc	2022-12-12 17:16:34 +0000	[diff] [blame]	96	# Required to read CTS tests data from the shell_data_file location.
				97	allow sdk_sandbox shell_data_file:file r_file_perms;
				98	allow sdk_sandbox shell_data_file:dir r_dir_perms;
				99
Lokesh Gidra	1269a17	2022-08-01 17:20:38 +0000	[diff] [blame]	100	# allow sdk sandbox to use UDP sockets provided by the system server but not
				101	# modify them other than to connect
				102	allow sdk_sandbox system_server:udp_socket {
				103	connect getattr read recvfrom sendto write getopt setopt };
				104
				105	# allow sandbox to search in sdk system server directory
				106	# additionally, for webview to work, getattr has been permitted
				107	allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
				108	# allow sandbox to create files and dirs in sdk data directory
				109	allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
				110	allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
Bram Bonne	b93f26f	2022-03-15 18:28:02 +0100	[diff] [blame]	111
				112	###
				113	### neverallow rules
				114	###
				115
Bram Bonne	078b43c	2022-04-25 13:28:52 +0200	[diff] [blame]	116	neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
Bram Bonne	b93f26f	2022-03-15 18:28:02 +0100	[diff] [blame]	117
				118	# Receive or send uevent messages.
				119	neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
				120
				121	# Receive or send generic netlink messages
				122	neverallow sdk_sandbox domain:netlink_socket *;
				123
				124	# Too much leaky information in debugfs. It's a security
				125	# best practice to ensure these files aren't readable.
				126	neverallow sdk_sandbox debugfs:file read;
				127
				128	# execute gpu_device
				129	neverallow sdk_sandbox gpu_device:chr_file execute;
				130
				131	# access files in /sys with the default sysfs label
				132	neverallow sdk_sandbox sysfs:file *;
				133
				134	# Avoid reads from generically labeled /proc files
				135	# Create a more specific label if needed
				136	neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms };
				137
				138	# Directly access external storage
				139	neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create};
				140	neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search;
				141
				142	# Avoid reads to proc_net, it contains too much device wide information about
				143	# ongoing connections.
				144	neverallow sdk_sandbox proc_net:file no_rw_file_perms;
				145
				146	# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
				147	neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms;
				148	neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms;
				149
				150	# SDK sandbox processes don't have any access to external storage
				151	neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
				152	neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
				153
				154	neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
Bram Bonne	85dfe31	2022-03-23 17:48:48 +0100	[diff] [blame]	155
				156	neverallow sdk_sandbox hal_drm_service:service_manager find;
Mohammad Samiul Islam	d2ffd35	2022-05-11 21:43:54 +0100	[diff] [blame]	157
				158	# Only certain system components should have access to sdk_sandbox_system_data_file
				159	# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
				160	neverallow {
				161	domain
				162	-init
				163	-installd
Sanjana Sunil	5630163	2022-05-20 11:24:32 +0000	[diff] [blame]	164	-system_server
				165	-vold_prepare_subdirs
				166	} sdk_sandbox_system_data_file:dir { relabelfrom };
				167
				168	neverallow {
				169	domain
				170	-init
				171	-installd
Mohammad Samiul Islam	d2ffd35	2022-05-11 21:43:54 +0100	[diff] [blame]	172	-sdk_sandbox
				173	-system_server
				174	-vold_prepare_subdirs
Sanjana Sunil	5630163	2022-05-20 11:24:32 +0000	[diff] [blame]	175	-zygote
				176	} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
Mohammad Samiul Islam	d2ffd35	2022-05-11 21:43:54 +0100	[diff] [blame]	177
Mugdha Lakhani	407163c	2023-04-27 17:26:09 +0000	[diff] [blame]	178	# Only certain domains should be able to open and write to the SDK's data directory.
				179	neverallow {
				180	domain
				181	-artd
				182	-init
				183	-installd
				184	-sdk_sandbox
				185	-vold_prepare_subdirs
				186	} sdk_sandbox_data_file:dir ~{read getattr search};
				187
				188	# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
				189	neverallow {
				190	domain
				191	-artd
				192	-init
				193	-installd
				194	-sdk_sandbox
				195	-vold_prepare_subdirs
				196	} sdk_sandbox_data_file:file ~{append read write getattr lock map};
				197
Mohammad Samiul Islam	d2ffd35	2022-05-11 21:43:54 +0100	[diff] [blame]	198	# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
				199	neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
				200
				201	# Only dirs should be created at sdk_sandbox_system_data_file level
				202	neverallow { domain -init } sdk_sandbox_system_data_file:file *;