Merge "Revert "Introduce sdk_sandbox_audit SELinux domain"" into android14-tests-dev am: 3195af1315 am: b6219ce976

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2829793

Change-Id: Ibf77e5ff8ae7e9d159e7446b5ad6860506d2619a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/private/attributes b/private/attributes
index fe50b0d..77143a3 100644
--- a/private/attributes
+++ b/private/attributes
@@ -13,5 +13,4 @@
 
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-# The SDK sandbox domains for the current SDK level.
-attribute sdk_sandbox_current;
+
diff --git a/private/sdk_sandbox_34.te b/private/sdk_sandbox_34.te
index bb15057..d45da88 100644
--- a/private/sdk_sandbox_34.te
+++ b/private/sdk_sandbox_34.te
@@ -3,7 +3,89 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
 
 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_34 {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    cameraserver_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    ephemeral_app_api_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediadrmserver_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    radio_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+
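Review bot: The type declaration `type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;` drops `sdk_sandbox_current` at the same time the attributes hunk deletes its declaration, so any rule elsewhere in the policy (other .te files, neverallows, public/ or vendor overlays) that still names `sdk_sandbox_current` would now fail to compile as an undeclared attribute; only sdk_sandbox_34.te and the deleted sdk_sandbox_audit.te are visible here, so please confirm there are no remaining references before merging. The inlined allowlist also keeps cameraserver_service, ephemeral_app_api_service, mediadrmserver_service and radio_service, which the removed sdk_sandbox_audit.te was auditing as accesses being considered for removal; with that audit domain gone, a comment on the list such as `# cameraserver_service, ephemeral_app_api_service, mediadrmserver_service and radio_service are broader than ephemeral_app access and are under review for a future SDK level` would keep that intent from disappearing with the revert. The hunk additionally ends with an empty added line (the attributes hunk does the same), leaving a stray trailing blank line in the file.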
diff --git a/private/sdk_sandbox_audit.te b/private/sdk_sandbox_audit.te
deleted file mode 100644
index bb531ca..0000000
--- a/private/sdk_sandbox_audit.te
+++ /dev/null
@@ -1,34 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the audit sdk sandbox security policy for
-### the set of restrictions proposed for the next SDK level.
-###
-### The sdk_sandbox_audit domain has the same rules as the
-### sdk_sandbox_current domain and additional auditing rules
-### for the accesses we are considering forbidding in the upcoming
-### sdk_sandbox_next domain.
-type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
-
-net_domain(sdk_sandbox_audit)
-app_domain(sdk_sandbox_audit)
-
-# Auditallow rules for accesses that are currently allowed but we
-# might remove in the future.
-
-auditallow sdk_sandbox_audit {
-    cameraserver_service
-    ephemeral_app_api_service
-    mediadrmserver_service
-    radio_service
-}:service_manager find;
-
-auditallow sdk_sandbox_audit {
-    property_type
-    -system_property_type
-}:file rw_file_perms;
-
-auditallow sdk_sandbox_audit {
-    property_type
-    -system_property_type
-}:dir rw_dir_perms;
diff --git a/private/sdk_sandbox_current.te b/private/sdk_sandbox_current.te
deleted file mode 100644
index 55e5bc1..0000000
--- a/private/sdk_sandbox_current.te
+++ /dev/null
@@ -1,87 +0,0 @@
-###
-### SDK Sandbox process.
-###
-### This file defines the security policy for the sdk sandbox processes
-### for the current SDK level.
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_current {
-    activity_service
-    activity_task_service
-    appops_service
-    audio_service
-    audioserver_service
-    batteryproperties_service
-    batterystats_service
-    cameraserver_service
-    connectivity_service
-    connmetrics_service
-    deviceidle_service
-    display_service
-    dropbox_service
-    ephemeral_app_api_service
-    font_service
-    game_service
-    gpu_service
-    graphicsstats_service
-    hardware_properties_service
-    hint_service
-    imms_service
-    input_method_service
-    input_service
-    IProxyService_service
-    ipsec_service
-    launcherapps_service
-    legacy_permission_service
-    light_service
-    locale_service
-    media_communication_service
-    mediadrmserver_service
-    mediaextractor_service
-    mediametrics_service
-    media_projection_service
-    media_router_service
-    mediaserver_service
-    media_session_service
-    memtrackproxy_service
-    midi_service
-    netpolicy_service
-    netstats_service
-    network_management_service
-    notification_service
-    package_service
-    permission_checker_service
-    permission_service
-    permissionmgr_service
-    platform_compat_service
-    power_service
-    procstats_service
-    radio_service
-    registry_service
-    restrictions_service
-    rttmanager_service
-    search_service
-    selection_toolbar_service
-    sensor_privacy_service
-    sensorservice_service
-    servicediscovery_service
-    settings_service
-    speech_recognition_service
-    statusbar_service
-    storagestats_service
-    surfaceflinger_service
-    telecom_service
-    tethering_service
-    textclassification_service
-    textservices_service
-    texttospeech_service
-    thermal_service
-    translation_service
-    tv_iapp_service
-    tv_input_service
-    uimode_service
-    vcn_management_service
-    webviewupdate_service
-}:service_manager find;
-
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8f3cae9..4454bd7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -13,7 +13,6 @@
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
 #       isSdkSandboxNext (boolean)
-#       isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -49,19 +48,9 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
-# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
-# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
-# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
-# as the current dessert release, with additional auditing rules for the accesses
-# we are considering forbidding in the upcoming release.
-#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 #
-# isSdkSandboxAudit=true means sdk sandbox processes will get
-# sdk_sandbox_audit sepolicy applied to them.
-# An unspecified isSdkSandboxAudit defaults to false.
-#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -182,7 +171,6 @@
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
-user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 13299dc..0d7a4d1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -214,7 +214,6 @@
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
-                { .name = "isSdkSandboxAudit", .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },