| ### |
| ### sdk_sandbox_all |
| ### |
| ### This file defines the rules shared by all sdk_sandbox_all domains. |
| ### Apps are labeled based on mac_permissions.xml (maps signer and |
| ### optionally package name to seinfo value) and seapp_contexts (maps UID |
| ### and optionally seinfo value to domain for process and type for data |
| ### directory). The sdk_sandbox_all_all attribute is assigned to all default |
| ### seapp_contexts for any app with UID between FIRST_SDK_SANDBOX_UID (20000) |
| ### and LAST_SDK_SANDBOX_UID (29999) if the app has no specific seinfo |
| ### value as determined from mac_permissions.xml. |
| |
| allow sdk_sandbox_all system_linker_exec:file execute_no_trans; |
| |
| # Required to read CTS tests data from the shell_data_file location. |
| allow sdk_sandbox_all shell_data_file:file r_file_perms; |
| allow sdk_sandbox_all shell_data_file:dir r_dir_perms; |
| |
| # allow sdk sandbox to use UDP sockets provided by the system server but not |
| # modify them other than to connect |
| allow sdk_sandbox_all system_server:udp_socket { |
| connect getattr read recvfrom sendto write getopt setopt }; |
| |
| # allow sandbox to search in sdk system server directory |
| # additionally, for webview to work, getattr has been permitted |
| allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search }; |
| # allow sandbox to create files and dirs in sdk data directory |
| allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms; |
| allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms; |
| |
| # allow apps to pass open fds to the sdk sandbox |
| allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read }; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans }; |
| |
| # Receive or send uevent messages. |
| neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *; |
| |
| # Receive or send generic netlink messages |
| neverallow sdk_sandbox_all domain:netlink_socket *; |
| |
| # Too much leaky information in debugfs. It's a security |
| # best practice to ensure these files aren't readable. |
| neverallow sdk_sandbox_all debugfs:file read; |
| |
| # execute gpu_device |
| neverallow sdk_sandbox_all gpu_device:chr_file execute; |
| |
| # access files in /sys with the default sysfs label |
| neverallow sdk_sandbox_all sysfs:file *; |
| |
| # Avoid reads from generically labeled /proc files |
| # Create a more specific label if needed |
| neverallow sdk_sandbox_all proc:file { no_rw_file_perms no_x_file_perms }; |
| |
| # Directly access external storage |
| neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:file {open create}; |
| neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search; |
| |
| # Avoid reads to proc_net, it contains too much device wide information about |
| # ongoing connections. |
| neverallow sdk_sandbox_all proc_net:file no_rw_file_perms; |
| |
| # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file |
| neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms; |
| neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read }; |
| |
| # SDK sandbox processes don't have any access to external storage |
| neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms; |
| neverallow sdk_sandbox_all { media_rw_data_file }:file no_rw_file_perms; |
| |
| neverallow { sdk_sandbox_all } tmpfs:dir no_rw_file_perms; |
| |
| neverallow sdk_sandbox_all hal_drm_service:service_manager find; |
| |
| # Only certain system components should have access to sdk_sandbox_system_data_file |
| # sdk_sandbox only needs search. Restricted in follow up neverallow rule. |
| neverallow { |
| domain |
| -init |
| -installd |
| -system_server |
| -vold_prepare_subdirs |
| } sdk_sandbox_system_data_file:dir { relabelfrom }; |
| |
| neverallow { |
| domain |
| -init |
| -installd |
| -sdk_sandbox_all |
| -system_server |
| -vold_prepare_subdirs |
| -zygote |
| } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; |
| |
| # Only certain system components should have access to sdk_sandbox_all_system_data_file |
| # sdk_sandbox_all only needs search. Restricted in follow up neverallow rule. |
| neverallow { |
| domain |
| -init |
| -installd |
| -system_server |
| -vold_prepare_subdirs |
| } sdk_sandbox_system_data_file:dir { relabelfrom }; |
| |
| neverallow { |
| domain |
| -init |
| -installd |
| -sdk_sandbox_all |
| -system_server |
| -vold_prepare_subdirs |
| -zygote |
| } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; |
| |
| # sdk_sandbox_all only needs to traverse through the sdk_sandbox_all_system_data_file |
| neverallow sdk_sandbox_all sdk_sandbox_system_data_file:dir ~{ getattr search }; |
| |
| # Only dirs should be created at sdk_sandbox_all_system_data_file level |
| neverallow { domain -init } sdk_sandbox_system_data_file:file *; |
| |