authorThiƩbaud Weksteen <tweek@google.com>2023-11-15 03:17:21 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-11-15 03:17:21 +0000
commitb6219ce976bd3cb14da542c671f6088ffb0aadcc (patch)
treebe622a598c15d8979e0aea77c6aa1ce49f9a94d3
parentef37aaba1e6fa34fe56aea5efe53a4d5675f9618 (diff)
parent3195af13152c0576a9bd7c97b551b7b3db1c0464 (diff)
downloadsepolicy-b6219ce976bd3cb14da542c671f6088ffb0aadcc.tar.gz
Merge "Revert "Introduce sdk_sandbox_audit SELinux domain"" into android14-tests-dev am: 3195af1315
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829793 Change-Id: Idf07bcc0ae1b8d70290dbd6aaec5b9e4fda38fa1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--private/attributes3
-rw-r--r--private/sdk_sandbox_34.te84
-rw-r--r--private/sdk_sandbox_audit.te34
-rw-r--r--private/sdk_sandbox_current.te87
-rw-r--r--private/seapp_contexts12
-rw-r--r--tools/check_seapp.c1
6 files changed, 84 insertions, 137 deletions
diff --git a/private/attributes b/private/attributes
index fe50b0dfb..77143a3ca 100644
--- a/private/attributes
+++ b/private/attributes
@@ -13,5 +13,4 @@ expandattribute system_and_vendor_property_type false;
# All SDK sandbox domains
attribute sdk_sandbox_all;
-# The SDK sandbox domains for the current SDK level.
-attribute sdk_sandbox_current;
+
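Review bot: The hunk replaces the removed comment and `attribute sdk_sandbox_current;` with an added empty line, so private/attributes now ends with a stray trailing blank line instead of simply losing the two lines. Dropping the attribute also means any remaining reference to `sdk_sandbox_current` elsewhere in the policy (a neverallow, a rule in another .te file) would fail policy compilation; the visible hunks remove its uses in sdk_sandbox_34.te, sdk_sandbox_audit.te and sdk_sandbox_current.te, but the diff alone cannot confirm that no other reference remains.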
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index bb150576b..d45da8888 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@@ -3,7 +3,89 @@
###
### This file defines the security policy for the sdk sandbox processes
### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
net_domain(sdk_sandbox_34)
app_domain(sdk_sandbox_34)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_34 {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
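Review bot: The `service_manager find` allowlist restored at `allow sdk_sandbox_34 {` … `}:service_manager find;` is now scoped to the sdk_sandbox_34 domain alone rather than granted through a shared attribute, so any other domain that previously inherited these rules via `sdk_sandbox_current` no longer receives them and must carry its own copy. If sdk_sandbox_next keeps a separate list (not visible in this diff), the two will drift silently, and a line in the header comment naming the other copy would make that explicit, e.g. `# Keep this list in sync with the allowlist in sdk_sandbox_next.te.`. The hunk also ends with an added empty line (`+` with no content), leaving a trailing blank line at end of file.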
diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
deleted file mode 100644
index bb531ca44..000000000
--- a/private/sdk_sandbox_audit.te
+++ /dev/null
@@ -1,34 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the audit sdk sandbox security policy for
-### the set of restrictions proposed for the next SDK level.
-###
-### The sdk_sandbox_audit domain has the same rules as the
-### sdk_sandbox_current domain and additional auditing rules
-### for the accesses we are considering forbidding in the upcoming
-### sdk_sandbox_next domain.
-type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
-
-net_domain(sdk_sandbox_audit)
-app_domain(sdk_sandbox_audit)
-
-# Auditallow rules for accesses that are currently allowed but we
-# might remove in the future.
-
-auditallow sdk_sandbox_audit {
- cameraserver_service
- ephemeral_app_api_service
- mediadrmserver_service
- radio_service
-}:service_manager find;
-
-auditallow sdk_sandbox_audit {
- property_type
- -system_property_type
-}:file rw_file_perms;
-
-auditallow sdk_sandbox_audit {
- property_type
- -system_property_type
-}:dir rw_dir_perms;
diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
deleted file mode 100644
index 55e5bc135..000000000
--- a/private/sdk_sandbox_current.te
+++ /dev/null
@@ -1,87 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes
-### for the current SDK level.
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_current {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8f3cae9f8..4454bd73f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -13,7 +13,6 @@
# fromRunAs (boolean)
# isIsolatedComputeApp (boolean)
# isSdkSandboxNext (boolean)
-# isSdkSandboxAudit (boolean)
#
# All specified input selectors in an entry must match (i.e. logical AND).
# An unspecified string or boolean selector with no default will match any
@@ -49,19 +48,9 @@
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
#
-# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
-# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
-# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
-# as the current dessert release, with additional auditing rules for the accesses
-# we are considering forbidding in the upcoming release.
-#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
#
-# isSdkSandboxAudit=true means sdk sandbox processes will get
-# sdk_sandbox_audit sepolicy applied to them.
-# An unspecified isSdkSandboxAudit defaults to false.
-#
# Precedence: entries are compared using the following rules, in the order shown
# (see external/selinux/libselinux/src/android/android_platform.c,
# seapp_context_cmp()).
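Review bot: The removed paragraph that began `# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the` was the only place in this header that explained what sdk_sandbox_next is; after the revert, `# isSdkSandboxNext=true means sdk sandbox processes will get` refers to a domain the file no longer describes. Restoring the sdk_sandbox_next half of that text keeps the selector documented, e.g. `# The sdk_sandbox_next domain is a special domain for the SDK sandbox process that` / `# defines the set of restrictions proposed for the upcoming dessert release.` The removal of the isSdkSandboxAudit selector here is consistent with its removal from the `key_map rules[]` table in tools/check_seapp.c, so any leftover `isSdkSandboxAudit=` entry in another seapp_contexts file would now be rejected at build time rather than silently ignored.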
@@ -182,7 +171,6 @@ user=_isolated domain=isolated_app levelFrom=user
user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
-user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 13299dc7c..0d7a4d108 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,7 +214,6 @@ key_map rules[] = {
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
- { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_domain },