author | Sandro Montanari <sandrom@google.com> | 2023-11-14 18:16:13 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-11-14 18:16:13 +0000 |
commit | 20d6a0ec30a6bcf4ed38eda3ac34ac6ed5aee8f2 (patch) | |
tree | 8c31b94fec888f8cb134672fb7333ca1bbc5b26f /prebuilts | |
parent | 2b00f73b12926079b41090b2ad963fde3296b81d (diff) | |
parent | 74ec7d834399fefb6e1b9fe6884c1775d144c838 (diff) | |
download | sepolicy-20d6a0ec30a6bcf4ed38eda3ac34ac6ed5aee8f2.tar.gz |
Prebuilt updates for aosp/2827450 am: 74ec7d8343android-u-rb-dp-10-gplandroid-u-rb-dp-10-gpl
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2828198
Change-Id: Idce3a100d6c6db0d90f21142baf1158185bd97e1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat (limited to 'prebuilts')
-rw-r--r-- | prebuilts/api/34.0/private/attributes | 3 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/sdk_sandbox_34.te | 84 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/sdk_sandbox_audit.te | 34 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/sdk_sandbox_current.te | 87 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/seapp_contexts | 12 |
5 files changed, 136 insertions, 84 deletions
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes
index 77143a3ca..fe50b0dfb 100644
--- a/prebuilts/api/34.0/private/attributes
+++ b/prebuilts/api/34.0/private/attributes
@@ -13,4 +13,5 @@ expandattribute system_and_vendor_property_type false;
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te
index d45da8888..bb150576b 100644
--- a/prebuilts/api/34.0/private/sdk_sandbox_34.te
+++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te
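Review bot: The new comment on `attribute sdk_sandbox_current;` names which domains the attribute covers but not that it is the carrier of their shared rules, so a reader of attributes alone cannot tell that listing the attribute on a type is what grants the service-find allowlist moved into sdk_sandbox_current.te. Suggest `# Attribute carrying the rules shared by the current-SDK sandbox domains; see private/sdk_sandbox_current.te. A domain opts in by listing it in its type declaration.` in place of the one-line comment.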
@@ -3,89 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
- activity_service
- activity_task_service
- appops_service
- audio_service
- audioserver_service
- batteryproperties_service
- batterystats_service
- cameraserver_service
- connectivity_service
- connmetrics_service
- deviceidle_service
- display_service
- dropbox_service
- ephemeral_app_api_service
- font_service
- game_service
- gpu_service
- graphicsstats_service
- hardware_properties_service
- hint_service
- imms_service
- input_method_service
- input_service
- IProxyService_service
- ipsec_service
- launcherapps_service
- legacy_permission_service
- light_service
- locale_service
- media_communication_service
- mediadrmserver_service
- mediaextractor_service
- mediametrics_service
- media_projection_service
- media_router_service
- mediaserver_service
- media_session_service
- memtrackproxy_service
- midi_service
- netpolicy_service
- netstats_service
- network_management_service
- notification_service
- package_service
- permission_checker_service
- permission_service
- permissionmgr_service
- platform_compat_service
- power_service
- procstats_service
- radio_service
- registry_service
- restrictions_service
- rttmanager_service
- search_service
- selection_toolbar_service
- sensor_privacy_service
- sensorservice_service
- servicediscovery_service
- settings_service
- speech_recognition_service
- statusbar_service
- storagestats_service
- surfaceflinger_service
- telecom_service
- tethering_service
- textclassification_service
- textservices_service
- texttospeech_service
- thermal_service
- translation_service
- tv_iapp_service
- tv_input_service
- uimode_service
- vcn_management_service
- webviewupdate_service
-}:service_manager find;
-
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_audit.te b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
new file mode 100644
index 000000000..bb531ca44
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+ cameraserver_service
+ ephemeral_app_api_service
+ mediadrmserver_service
+ radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+ property_type
+ -system_property_type
+}:dir rw_dir_perms;
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_current.te b/prebuilts/api/34.0/private/sdk_sandbox_current.te
new file mode 100644
index 000000000..55e5bc135
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_current.te
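Review bot: After this hunk sdk_sandbox_34.te contains no allow rule at all, and nothing in the file says that the service_manager find allowlist now reaches the domain through the sdk_sandbox_current attribute added to its type line; the new sdk_sandbox_current.te has the mirror-image gap, attaching rules to an attribute with no type statement and no mention of which domains carry it. Suggest adding to the sdk_sandbox_34.te header `### Rules shared with the other current-SDK sandbox domains are attached to the sdk_sandbox_current attribute in sdk_sandbox_current.te.` and to the sdk_sandbox_current.te header `### sdk_sandbox_current is an attribute, not a domain; sdk_sandbox_34 and sdk_sandbox_audit list it in their type declarations to inherit these rules.`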
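Review bot: The auditallow rules in sdk_sandbox_audit.te only log accesses that some allow rule already grants, but the hunk does not say where the grants for the four services and for `property_type -system_property_type` file/dir rw perms come from (presumably the app_domain()/net_domain() macros and the sdk_sandbox_current attribute), so if those grants are later narrowed the audit rules become silently inert and the measurement they exist for stops without any signal. Suggest a comment above the first auditallow such as `# These accesses are currently granted via app_domain()/sdk_sandbox_current; auditallow records them as granted audit events and never denies. If the granting rules change, re-check that these still match.` It would also help to state in the header that the domain is only selected when seapp_contexts sets isSdkSandboxAudit=true, since the file itself does not show how a process ends up here.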
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+ activity_service
+ activity_task_service
+ appops_service
+ audio_service
+ audioserver_service
+ batteryproperties_service
+ batterystats_service
+ cameraserver_service
+ connectivity_service
+ connmetrics_service
+ deviceidle_service
+ display_service
+ dropbox_service
+ ephemeral_app_api_service
+ font_service
+ game_service
+ gpu_service
+ graphicsstats_service
+ hardware_properties_service
+ hint_service
+ imms_service
+ input_method_service
+ input_service
+ IProxyService_service
+ ipsec_service
+ launcherapps_service
+ legacy_permission_service
+ light_service
+ locale_service
+ media_communication_service
+ mediadrmserver_service
+ mediaextractor_service
+ mediametrics_service
+ media_projection_service
+ media_router_service
+ mediaserver_service
+ media_session_service
+ memtrackproxy_service
+ midi_service
+ netpolicy_service
+ netstats_service
+ network_management_service
+ notification_service
+ package_service
+ permission_checker_service
+ permission_service
+ permissionmgr_service
+ platform_compat_service
+ power_service
+ procstats_service
+ radio_service
+ registry_service
+ restrictions_service
+ rttmanager_service
+ search_service
+ selection_toolbar_service
+ sensor_privacy_service
+ sensorservice_service
+ servicediscovery_service
+ settings_service
+ speech_recognition_service
+ statusbar_service
+ storagestats_service
+ surfaceflinger_service
+ telecom_service
+ tethering_service
+ textclassification_service
+ textservices_service
+ texttospeech_service
+ thermal_service
+ translation_service
+ tv_iapp_service
+ tv_input_service
+ uimode_service
+ vcn_management_service
+ webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index 4454bd73f..8f3cae9f8 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -13,6 +13,7 @@
 # fromRunAs (boolean)
 # isIsolatedComputeApp (boolean)
 # isSdkSandboxNext (boolean)
+# isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -48,9 +49,19 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -171,6 +182,7 @@ user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
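Review bot: The new `user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit ...` entry is placed beside the `isSdkSandboxNext=true` entry, but neither this hunk nor the selector documentation added in the `@@ -48,9 +49,19 @@` hunk says which entry wins when a process has both flags set; seapp_contexts entries are chosen by the precedence rules in seapp_context_cmp(), not by file order, and the precedence list those comments refer to lies outside these hunks, so I cannot tell whether isSdkSandboxAudit was added to it. Suggest extending the documentation hunk with `# If both isSdkSandboxNext and isSdkSandboxAudit are set, <PLACEHOLDER: state which domain applies>.` with the real rule filled in, or stating that the two selectors are mutually exclusive if the caller guarantees that.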