Add canary restrictions for sdk_sandbox

Mugdha Lakhani · Mugdha Lakhani · commit d44c51e017ae · 2023-05-12T20:06:31.000Z
Add sdk_sandbox_next and apply it if a new input selector,
isSdkSandboxNext, is applied. This is set to true by libselinux
if a flag is set in the seInfo passed to it.

This enables some testers to test out the set of restrictions
we're planning for the next SDK version.
sdk_sandbox_next is not the final set of restrictions of the next SDK
version.

Bug: b/270148964
Test: atest PackageManagerLocalTest SdkSandboxDataIsolationHostTest
SdkSandboxRestrictionsTest
Change-Id: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
Merged-In: Ie8bad9c1b8f8eb032d13e1822689c78ad3d2c68a
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_next.te b/prebuilts/api/34.0/private/sdk_sandbox_next.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
@@ -12,6 +12,7 @@
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
+#       isSdkSandboxNext (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -64,6 +68,7 @@
 #              defaults to 0 if unspecified.
 #       (8) fromRunAs=true before fromRunAs=false.
 #       (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+#       (10) isSdkSandboxNext=true before isSdkSandboxNext=false
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@ user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for targetSdkVersion=34.
+type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
+
+net_domain(sdk_sandbox_next)
+app_domain(sdk_sandbox_next)
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_next {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+
diff --git a/private/seapp_contexts b/private/seapp_contexts
@@ -12,6 +12,7 @@
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
+#       isSdkSandboxNext (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -47,6 +48,9 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# isSdkSandboxNext=true means sdk sandbox processes will get
+# sdk_sandbox_next sepolicy applied to them.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -64,6 +68,7 @@
 #              defaults to 0 if unspecified.
 #       (8) fromRunAs=true before fromRunAs=false.
 #       (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
+#       (10) isSdkSandboxNext=true before isSdkSandboxNext=false
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
@@ -165,6 +170,7 @@ user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_isolated domain=isolated_app levelFrom=user
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
@@ -214,6 +214,7 @@ key_map rules[] = {
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isSdkSandboxNext", .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_type  },
