author | Thiébaud Weksteen <tweek@google.com> | 2023-11-15 03:49:52 +0000 |
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-11-15 03:49:52 +0000 |
commit | 0452ec285460b613cb435eec74321dd8873b9b65 (patch) | |
tree | d457d55a9720998a6fa5c53e7328b1c1975c6f08 | |
parent | b38ed49b92be209750547a33d958c8dd0dbdbf87 (diff) | |
parent | ef37aaba1e6fa34fe56aea5efe53a4d5675f9618 (diff) | |
download | sepolicy-0452ec285460b613cb435eec74321dd8873b9b65.tar.gz |
Revert "Prebuilt updates for aosp/2827450" am: b460885e50 am: ef37aaba1e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2830890
Change-Id: Ie3e0400349ddeec66008d9b90585a9d2ecf0fc65
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | prebuilts/api/34.0/private/attributes | 3 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/sdk_sandbox_34.te | 84 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/sdk_sandbox_audit.te | 34 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/sdk_sandbox_current.te | 87 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/seapp_contexts | 12 |
5 files changed, 84 insertions, 136 deletions
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes index fe50b0dfb..77143a3ca 100644 --- a/prebuilts/api/34.0/private/attributes +++ b/prebuilts/api/34.0/private/attributes @@ -13,5 +13,4 @@ expandattribute system_and_vendor_property_type false; # All SDK sandbox domains attribute sdk_sandbox_all; -# The SDK sandbox domains for the current SDK level. -attribute sdk_sandbox_current; + diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te index bb150576b..d45da8888 100644 --- a/prebuilts/api/34.0/private/sdk_sandbox_34.te +++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te 
@@ -3,7 +3,89 @@ ### ### This file defines the security policy for the sdk sandbox processes ### for targetSdkVersion=34. -type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current; +type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all; net_domain(sdk_sandbox_34) app_domain(sdk_sandbox_34) + +# Allow finding services. This is different from ephemeral_app policy. +# Adding services manually to the allowlist is preferred hence app_api_service is not used. +allow sdk_sandbox_34 { + activity_service + activity_task_service + appops_service + audio_service + audioserver_service + batteryproperties_service + batterystats_service + cameraserver_service + connectivity_service + connmetrics_service + deviceidle_service + display_service + dropbox_service + ephemeral_app_api_service + font_service + game_service + gpu_service + graphicsstats_service + hardware_properties_service + hint_service + imms_service + input_method_service + input_service + IProxyService_service + ipsec_service + launcherapps_service + legacy_permission_service + light_service + locale_service + media_communication_service + mediadrmserver_service + mediaextractor_service + mediametrics_service + media_projection_service + media_router_service + mediaserver_service + media_session_service + memtrackproxy_service + midi_service + netpolicy_service + netstats_service + network_management_service + notification_service + package_service + permission_checker_service + permission_service + permissionmgr_service + platform_compat_service + power_service + procstats_service + radio_service + registry_service + restrictions_service + rttmanager_service + search_service + selection_toolbar_service + sensor_privacy_service + sensorservice_service + servicediscovery_service + settings_service + speech_recognition_service + statusbar_service + storagestats_service + surfaceflinger_service + telecom_service + tethering_service + textclassification_service + textservices_service + 
texttospeech_service + thermal_service + translation_service + tv_iapp_service + tv_input_service + uimode_service + vcn_management_service + webviewupdate_service +}:service_manager find; + diff --git a/prebuilts/api/34.0/private/sdk_sandbox_audit.te b/prebuilts/api/34.0/private/sdk_sandbox_audit.te deleted file mode 100644 index bb531ca44..000000000 --- a/prebuilts/api/34.0/private/sdk_sandbox_audit.te +++ /dev/null @@ -1,34 +0,0 @@ -### -### SDK Sandbox process. -### -### This file defines the audit sdk sandbox security policy for -### the set of restrictions proposed for the next SDK level. -### -### The sdk_sandbox_audit domain has the same rules as the -### sdk_sandbox_current domain and additional auditing rules -### for the accesses we are considering forbidding in the upcoming -### sdk_sandbox_next domain. -type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current; - -net_domain(sdk_sandbox_audit) -app_domain(sdk_sandbox_audit) - -# Auditallow rules for accesses that are currently allowed but we -# might remove in the future. - -auditallow sdk_sandbox_audit { - cameraserver_service - ephemeral_app_api_service - mediadrmserver_service - radio_service -}:service_manager find; - -auditallow sdk_sandbox_audit { - property_type - -system_property_type -}:file rw_file_perms; - -auditallow sdk_sandbox_audit { - property_type - -system_property_type -}:dir rw_dir_perms; diff --git a/prebuilts/api/34.0/private/sdk_sandbox_current.te b/prebuilts/api/34.0/private/sdk_sandbox_current.te deleted file mode 100644 index 55e5bc135..000000000 --- a/prebuilts/api/34.0/private/sdk_sandbox_current.te +++ /dev/null 
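Review bot: The restored `allow sdk_sandbox_34 { ... }:service_manager find;` block in this hunk still grants finds on cameraserver_service, ephemeral_app_api_service, mediadrmserver_service and radio_service, while the sdk_sandbox_audit.te deleted later in this change was the only place those four finds were covered by `auditallow`. After the revert nothing in this change audits them for the targetSdkVersion=34 sandbox, so the data collection that motivated the audit domain stops; if that is intended it is worth saying in the commit message, since the revert title only names the prebuilt update. It would also help to keep a one-line comment above those entries in the allow list, e.g. `# cameraserver/ephemeral_app_api/mediadrmserver/radio: finds under review for a future SDK level`, so the intent survives without the audit domain. If prebuilts/api/34.0 must mirror the frozen source policy byte for byte, that comment belongs in the source sdk_sandbox_34.te and the prebuilt should be regenerated from it rather than edited here.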
@@ -1,87 +0,0 @@ -### -### SDK Sandbox process. -### -### This file defines the security policy for the sdk sandbox processes -### for the current SDK level. - -# Allow finding services. This is different from ephemeral_app policy. -# Adding services manually to the allowlist is preferred hence app_api_service is not used. -allow sdk_sandbox_current { - activity_service - activity_task_service - appops_service - audio_service - audioserver_service - batteryproperties_service - batterystats_service - cameraserver_service - connectivity_service - connmetrics_service - deviceidle_service - display_service - dropbox_service - ephemeral_app_api_service - font_service - game_service - gpu_service - graphicsstats_service - hardware_properties_service - hint_service - imms_service - input_method_service - input_service - IProxyService_service - ipsec_service - launcherapps_service - legacy_permission_service - light_service - locale_service - media_communication_service - mediadrmserver_service - mediaextractor_service - mediametrics_service - media_projection_service - media_router_service - mediaserver_service - media_session_service - memtrackproxy_service - midi_service - netpolicy_service - netstats_service - network_management_service - notification_service - package_service - permission_checker_service - permission_service - permissionmgr_service - platform_compat_service - power_service - procstats_service - radio_service - registry_service - restrictions_service - rttmanager_service - search_service - selection_toolbar_service - sensor_privacy_service - sensorservice_service - servicediscovery_service - settings_service - speech_recognition_service - statusbar_service - storagestats_service - surfaceflinger_service - telecom_service - tethering_service - textclassification_service - textservices_service - texttospeech_service - thermal_service - translation_service - tv_iapp_service - tv_input_service - uimode_service - vcn_management_service - 
webviewupdate_service -}:service_manager find; - diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts index 8f3cae9f8..4454bd73f 100644 --- a/prebuilts/api/34.0/private/seapp_contexts +++ b/prebuilts/api/34.0/private/seapp_contexts @@ -13,7 +13,6 @@ # fromRunAs (boolean) # isIsolatedComputeApp (boolean) # isSdkSandboxNext (boolean) -# isSdkSandboxAudit (boolean) # # All specified input selectors in an entry must match (i.e. logical AND). # An unspecified string or boolean selector with no default will match any @@ -49,19 +48,9 @@ # with user=_isolated. This selector should not be used unless it is intended # to provide isolated processes with relaxed security restrictions. # -# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the -# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed -# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions -# as the current dessert release, with additional auditing rules for the accesses -# we are considering forbidding in the upcoming release. -# # isSdkSandboxNext=true means sdk sandbox processes will get # sdk_sandbox_next sepolicy applied to them. # -# isSdkSandboxAudit=true means sdk sandbox processes will get -# sdk_sandbox_audit sepolicy applied to them. -# An unspecified isSdkSandboxAudit defaults to false. -# # Precedence: entries are compared using the following rules, in the order shown # (see external/selinux/libselinux/src/android/android_platform.c, # seapp_context_cmp()). 
@@ -182,7 +171,6 @@ user=_isolated domain=isolated_app levelFrom=user user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all -user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all user=_app seinfo=app_zygote domain=app_zygote levelFrom=user user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user |