private/sdk_sandbox_all.te - LeafOS-Project/android_system_sepolicy - Gitiles

 ###
 ### sdk_sandbox_all
 ###
 ### This file defines the rules shared by all sdk_sandbox_all domains.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
 ### directory).  The sdk_sandbox_all_all attribute is assigned to all default
 ### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
 ### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
 ### value as determined from mac_permissions.xml.

 allow sdk_sandbox_all system_linker_exec:file execute_no_trans;

 # Required to read CTS tests data from the shell_data_file location.
 allow sdk_sandbox_all shell_data_file:file r_file_perms;
 allow sdk_sandbox_all shell_data_file:dir r_dir_perms;

 # allow sdk sandbox to use UDP sockets provided by the system server but not
 # modify them other than to connect
 allow sdk_sandbox_all system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };

 # allow sandbox to search in sdk system server directory
 # additionally, for webview to work, getattr has been permitted
 allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
 # allow sandbox to create files and dirs in sdk data directory
 allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;

 # allow apps to pass open fds to the sdk sandbox
 allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };

 ###
 ### neverallow rules
 ###

 neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };

 # Receive or send uevent messages.
 neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;

 # Receive or send generic netlink messages
 neverallow sdk_sandbox_all domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow sdk_sandbox_all debugfs_type:file read;

 # execute gpu_device
 neverallow sdk_sandbox_all gpu_device:chr_file execute;

 # access files in /sys with the default sysfs label
 neverallow sdk_sandbox_all sysfs:file *;

 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };

 # Directly access external storage
 neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
 neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;

 # Avoid reads to proc_net, it contains too much device wide information about
 # ongoing connections.
 neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;

 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
 # TODO(b/280514080): shell_data_file shouldn't be allowed here
 neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
 neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };

 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
 neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;

 neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;

 neverallow sdk_sandbox_all hal_drm_service:service_manager find;

 # Only certain system components should have access to sdk_sandbox_system_data_file
 # sdk_sandbox only needs search. Restricted in follow up neverallow rule.
 neverallow {
     domain
     -init
     -installd
     -system_server
     -vold_prepare_subdirs
 } sdk_sandbox_system_data_file:dir { relabelfrom };

 neverallow {
     domain
     -init
     -installd
     -sdk_sandbox_all
     -system_server
     -vold_prepare_subdirs
     -zygote
 } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

 # Only certain system components should have access to sdk_sandbox_all_system_data_file
 # sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
 neverallow {
     domain
     -init
     -installd
     -system_server
     -vold_prepare_subdirs
 } sdk_sandbox_system_data_file:dir { relabelfrom };

 neverallow {
     domain
     -init
     -installd
     -sdk_sandbox_all
     -system_server
     -vold_prepare_subdirs
     -zygote
 } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

 # sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
 neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };

 # Only dirs should be created at sdk_sandbox_all_system_data_file level
 neverallow { domain -init } sdk_sandbox_system_data_file:file *;
	###
	### sdk_sandbox_all
	###
	### This file defines the rules shared by all sdk_sandbox_all domains.
	### Apps are labeled based on mac_permissions.xml (maps signer and
	### optionally package name to seinfo value) and seapp_contexts (maps UID
	### and optionally seinfo value to domain for process and type for data
	### directory). The sdk_sandbox_all_all attribute is assigned to all default
	### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000)
	### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo
	### value as determined from mac_permissions.xml.

	allow sdk_sandbox_all system_linker_exec:file execute_no_trans;

	# Required to read CTS tests data from the shell_data_file location.
	allow sdk_sandbox_all shell_data_file:file r_file_perms;
	allow sdk_sandbox_all shell_data_file:dir r_dir_perms;

	# allow sdk sandbox to use UDP sockets provided by the system server but not
	# modify them other than to connect
	allow sdk_sandbox_all system_server:udp_socket {
	connect getattr read recvfrom sendto write getopt setopt };

	# allow sandbox to search in sdk system server directory
	# additionally, for webview to work, getattr has been permitted
	allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
	# allow sandbox to create files and dirs in sdk data directory
	allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
	allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;

	# allow apps to pass open fds to the sdk sandbox
	allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };

	###
	### neverallow rules
	###

	neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };

	# Receive or send uevent messages.
	neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;

	# Receive or send generic netlink messages
	neverallow sdk_sandbox_all domain:netlink_socket *;

	# Too much leaky information in debugfs. It's a security
	# best practice to ensure these files aren't readable.
	neverallow sdk_sandbox_all debugfs_type:file read;

	# execute gpu_device
	neverallow sdk_sandbox_all gpu_device:chr_file execute;

	# access files in /sys with the default sysfs label
	neverallow sdk_sandbox_all sysfs:file *;

	# Avoid reads from generically labeled /proc files
	# Create a more specific label if needed
	neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms };

	# Directly access external storage
	neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create};
	neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;

	# Avoid reads to proc_net, it contains too much device wide information about
	# ongoing connections.
	neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;

	# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
	# TODO(b/280514080): shell_data_file shouldn't be allowed here
	neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
	neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };

	# SDK sandbox processes don't have any access to external storage
	neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
	neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms;

	neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms;

	neverallow sdk_sandbox_all hal_drm_service:service_manager find;

	# Only certain system components should have access to sdk_sandbox_system_data_file
	# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
	neverallow {
	domain
	-init
	-installd
	-system_server
	-vold_prepare_subdirs
	} sdk_sandbox_system_data_file:dir { relabelfrom };

	neverallow {
	domain
	-init
	-installd
	-sdk_sandbox_all
	-system_server
	-vold_prepare_subdirs
	-zygote
	} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

	# Only certain system components should have access to sdk_sandbox_all_system_data_file
	# sdk_sandbox_all only needs search. Restricted in follow up neverallow rule.
	neverallow {
	domain
	-init
	-installd
	-system_server
	-vold_prepare_subdirs
	} sdk_sandbox_system_data_file:dir { relabelfrom };

	neverallow {
	domain
	-init
	-installd
	-sdk_sandbox_all
	-system_server
	-vold_prepare_subdirs
	-zygote
	} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };

	# sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file
	neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search };

	# Only dirs should be created at sdk_sandbox_all_system_data_file level
	neverallow { domain -init } sdk_sandbox_system_data_file:file *;