| Mugdha Lakhani | 2ae45c5 | 2023-04-28 09:22:15 +0000 | [diff] [blame] | 1 | ### |
| 2 | ### sdk_sandbox_all |
| 3 | ### |
| 4 | ### This file defines the rules shared by all sdk_sandbox_all domains. |
| 5 | ### Apps are labeled based on mac_permissions.xml (maps signer and |
| 6 | ### optionally package name to seinfo value) and seapp_contexts (maps UID |
| 7 | ### and optionally seinfo value to domain for process and type for data |
| 8 | ### directory). The sdk_sandbox_all_all attribute is assigned to all default |
| 9 | ### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000) |
| 10 | ### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo |
| 11 | ### value as determined from mac_permissions.xml. |
| 12 | |
| 13 | allow sdk_sandbox_all system_linker_exec:file execute_no_trans; |
| 14 | |
| 15 | # Required to read CTS tests data from the shell_data_file location. |
| 16 | allow sdk_sandbox_all shell_data_file:file r_file_perms; |
| 17 | allow sdk_sandbox_all shell_data_file:dir r_dir_perms; |
| 18 | |
| 19 | # allow sdk sandbox to use UDP sockets provided by the system server but not |
| 20 | # modify them other than to connect |
| 21 | allow sdk_sandbox_all system_server:udp_socket { |
| 22 | connect getattr read recvfrom sendto write getopt setopt }; |
| 23 | |
| 24 | # allow sandbox to search in sdk system server directory |
| 25 | # additionally, for webview to work, getattr has been permitted |
| 26 | allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search }; |
| 27 | # allow sandbox to create files and dirs in sdk data directory |
| 28 | allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms; |
| 29 | allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms; |
| 30 | |
| Gavin Corkery | d4d3c01 | 2023-05-10 16:13:53 +0000 | [diff] [blame^] | 31 | # allow apps to pass open fds to the sdk sandbox |
| 32 | allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read }; |
| 33 | |
| Mugdha Lakhani | 2ae45c5 | 2023-04-28 09:22:15 +0000 | [diff] [blame] | 34 | ### |
| 35 | ### neverallow rules |
| 36 | ### |
| 37 | |
| 38 | neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans }; |
| 39 | |
| 40 | # Receive or send uevent messages. |
| 41 | neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *; |
| 42 | |
| 43 | # Receive or send generic netlink messages |
| 44 | neverallow sdk_sandbox_all domain:netlink_socket *; |
| 45 | |
| 46 | # Too much leaky information in debugfs. It's a security |
| 47 | # best practice to ensure these files aren't readable. |
| 48 | neverallow sdk_sandbox_all debugfs:file read; |
| 49 | |
| 50 | # execute gpu_device |
| 51 | neverallow sdk_sandbox_all gpu_device:chr_file execute; |
| 52 | |
| 53 | # access files in /sys with the default sysfs label |
| 54 | neverallow sdk_sandbox_all sysfs:file *; |
| 55 | |
| 56 | # Avoid reads from generically labeled /proc files |
| 57 | # Create a more specific label if needed |
| 58 | neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms }; |
| 59 | |
| 60 | # Directly access external storage |
| 61 | neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create}; |
| 62 | neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search; |
| 63 | |
| 64 | # Avoid reads to proc_net, it contains too much device wide information about |
| 65 | # ongoing connections. |
| 66 | neverallow sdk_sandbox_all proc_net:file no_rw_file_perms; |
| 67 | |
| 68 | # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file |
| 69 | neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms; |
| Gavin Corkery | d4d3c01 | 2023-05-10 16:13:53 +0000 | [diff] [blame^] | 70 | neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read }; |
| Mugdha Lakhani | 2ae45c5 | 2023-04-28 09:22:15 +0000 | [diff] [blame] | 71 | |
| 72 | # SDK sandbox processes don't have any access to external storage |
| 73 | neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms; |
| 74 | neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms; |
| 75 | |
| 76 | neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms; |
| 77 | |
| 78 | neverallow sdk_sandbox_all hal_drm_service:service_manager find; |
| 79 | |
| 80 | # Only certain system components should have access to sdk_sandbox_system_data_file |
| 81 | # sdk_sandbox only needs search. Restricted in follow up neverallow rule. |
| 82 | neverallow { |
| 83 | domain |
| 84 | -init |
| 85 | -installd |
| 86 | -system_server |
| 87 | -vold_prepare_subdirs |
| 88 | } sdk_sandbox_system_data_file:dir { relabelfrom }; |
| 89 | |
| 90 | neverallow { |
| 91 | domain |
| 92 | -init |
| 93 | -installd |
| 94 | -sdk_sandbox_all |
| 95 | -system_server |
| 96 | -vold_prepare_subdirs |
| 97 | -zygote |
| 98 | } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; |
| 99 | |
| 100 | # Only certain system components should have access to sdk_sandbox_all_system_data_file |
| 101 | # sdk_sandbox_all only needs search. Restricted in follow up neverallow rule. |
| 102 | neverallow { |
| 103 | domain |
| 104 | -init |
| 105 | -installd |
| 106 | -system_server |
| 107 | -vold_prepare_subdirs |
| 108 | } sdk_sandbox_system_data_file:dir { relabelfrom }; |
| 109 | |
| 110 | neverallow { |
| 111 | domain |
| 112 | -init |
| 113 | -installd |
| 114 | -sdk_sandbox_all |
| 115 | -system_server |
| 116 | -vold_prepare_subdirs |
| 117 | -zygote |
| 118 | } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; |
| 119 | |
| 120 | # sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file |
| 121 | neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search }; |
| 122 | |
| 123 | # Only dirs should be created at sdk_sandbox_all_system_data_file level |
| 124 | neverallow { domain -init } sdk_sandbox_system_data_file:file *; |
| 125 | |