private/sdk_sandbox_audit.te - LeafOS-Project/android_system_sepolicy - Gitiles

 ###
 ### SDK Sandbox process.
 ###
 ### This file defines the audit sdk sandbox security policy for
 ### the set of restrictions proposed for the next SDK level.
 ###
 ### The sdk_sandbox_audit domain has the same rules as the
 ### sdk_sandbox_current domain and additional auditing rules
 ### for the accesses we are considering forbidding in the upcoming
 ### sdk_sandbox_next domain.
 type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;

 net_domain(sdk_sandbox_audit)
 app_domain(sdk_sandbox_audit)

 # Auditallow rules for accesses that are currently allowed but we
 # might remove in the future.

 auditallow sdk_sandbox_audit {
     cameraserver_service
     ephemeral_app_api_service
     mediadrmserver_service
     radio_service
 }:service_manager find;

 auditallow sdk_sandbox_audit {
     property_type
     -system_property_type
 }:file rw_file_perms;

 auditallow sdk_sandbox_audit {
     property_type
     -system_property_type
 }:dir rw_dir_perms;
	###
	### SDK Sandbox process.
	###
	### This file defines the audit sdk sandbox security policy for
	### the set of restrictions proposed for the next SDK level.
	###
	### The sdk_sandbox_audit domain has the same rules as the
	### sdk_sandbox_current domain and additional auditing rules
	### for the accesses we are considering forbidding in the upcoming
	### sdk_sandbox_next domain.
	type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;

	net_domain(sdk_sandbox_audit)
	app_domain(sdk_sandbox_audit)

	# Auditallow rules for accesses that are currently allowed but we
	# might remove in the future.

	auditallow sdk_sandbox_audit {
	cameraserver_service
	ephemeral_app_api_service
	mediadrmserver_service
	radio_service
	}:service_manager find;

	auditallow sdk_sandbox_audit {
	property_type
	-system_property_type
	}:file rw_file_perms;

	auditallow sdk_sandbox_audit {
	property_type
	-system_property_type
	}:dir rw_dir_perms;