Revert "Move allow rules of sdk_sandbox to apex policy"
Revert "Add seamendc tests for sdk_sandbox in apex sepolicy" Revert submission 2182195-seamendc Reason for revert: 243971667 Reverted Changes: I59fda23d9:Add seamendc tests for sdk_sandbox in apex sepolic... I4c4800418:Move allow rules of sdk_sandbox to apex policy Change-Id: Icc3fff21aae23f24f37dbae6276699c56842f9a1
This commit is contained in:
Sandro Montanari
parent
3bb7bb2e70
commit
38f009ba13
@ -1,93 +1,8 @@
|
||||
; This file is required for sepolicy amend (go/seamendc).
|
||||
; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
|
||||
; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
|
||||
; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
|
||||
; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
|
||||
; successfully.
|
||||
(sid amend)
|
||||
(sidorder (amend))
|
||||
(sid apex)
|
||||
(sidorder (apex))
|
||||
|
||||
(classorder (file service_manager))
|
||||
(classorder (file))
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
|
||||
(type shell)
|
||||
(type sepolicy_test_file)
|
||||
(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
|
||||
(class service_manager (add find list ))
|
||||
|
||||
(type activity_service)
|
||||
(type activity_task_service)
|
||||
(type appops_service)
|
||||
(type audioserver_service)
|
||||
(type audio_service)
|
||||
(type batteryproperties_service)
|
||||
(type batterystats_service)
|
||||
(type connectivity_service)
|
||||
(type connmetrics_service)
|
||||
(type deviceidle_service)
|
||||
(type display_service)
|
||||
(type dropbox_service)
|
||||
(type font_service)
|
||||
(type game_service)
|
||||
(type gpu_service)
|
||||
(type graphicsstats_service)
|
||||
(type hardware_properties_service)
|
||||
(type hint_service)
|
||||
(type imms_service)
|
||||
(type input_method_service)
|
||||
(type input_service)
|
||||
(type IProxyService_service)
|
||||
(type ipsec_service)
|
||||
(type launcherapps_service)
|
||||
(type legacy_permission_service)
|
||||
(type light_service)
|
||||
(type locale_service)
|
||||
(type media_communication_service)
|
||||
(type mediaextractor_service)
|
||||
(type mediametrics_service)
|
||||
(type media_projection_service)
|
||||
(type media_router_service)
|
||||
(type mediaserver_service)
|
||||
(type media_session_service)
|
||||
(type memtrackproxy_service)
|
||||
(type midi_service)
|
||||
(type netpolicy_service)
|
||||
(type netstats_service)
|
||||
(type network_management_service)
|
||||
(type notification_service)
|
||||
(type package_service)
|
||||
(type permission_checker_service)
|
||||
(type permissionmgr_service)
|
||||
(type permission_service)
|
||||
(type platform_compat_service)
|
||||
(type power_service)
|
||||
(type procstats_service)
|
||||
(type registry_service)
|
||||
(type restrictions_service)
|
||||
(type rttmanager_service)
|
||||
(type sdk_sandbox)
|
||||
(type search_service)
|
||||
(type selection_toolbar_service)
|
||||
(type sensor_privacy_service)
|
||||
(type sensorservice_service)
|
||||
(type servicediscovery_service)
|
||||
(type settings_service)
|
||||
(type speech_recognition_service)
|
||||
(type statusbar_service)
|
||||
(type storagestats_service)
|
||||
(type surfaceflinger_service)
|
||||
(type system_linker_exec)
|
||||
(type telecom_service)
|
||||
(type tethering_service)
|
||||
(type textclassification_service)
|
||||
(type textservices_service)
|
||||
(type texttospeech_service)
|
||||
(type thermal_service)
|
||||
(type translation_service)
|
||||
(type tv_iapp_service)
|
||||
(type tv_input_service)
|
||||
(type uimode_service)
|
||||
(type vcn_management_service)
|
||||
(type webviewupdate_service)
|
||||
(class file (ioctl read getattr lock map open watch watch_reads))
|
||||
|
||||
@ -1,77 +0,0 @@
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
|
||||
allow sdk_sandbox activity_service:service_manager find;
|
||||
allow sdk_sandbox activity_task_service:service_manager find;
|
||||
allow sdk_sandbox appops_service:service_manager find;
|
||||
allow sdk_sandbox audio_service:service_manager find;
|
||||
allow sdk_sandbox audioserver_service:service_manager find;
|
||||
allow sdk_sandbox batteryproperties_service:service_manager find;
|
||||
allow sdk_sandbox batterystats_service:service_manager find;
|
||||
allow sdk_sandbox connectivity_service:service_manager find;
|
||||
allow sdk_sandbox connmetrics_service:service_manager find;
|
||||
allow sdk_sandbox deviceidle_service:service_manager find;
|
||||
allow sdk_sandbox display_service:service_manager find;
|
||||
allow sdk_sandbox dropbox_service:service_manager find;
|
||||
allow sdk_sandbox font_service:service_manager find;
|
||||
allow sdk_sandbox game_service:service_manager find;
|
||||
allow sdk_sandbox gpu_service:service_manager find;
|
||||
allow sdk_sandbox graphicsstats_service:service_manager find;
|
||||
allow sdk_sandbox hardware_properties_service:service_manager find;
|
||||
allow sdk_sandbox hint_service:service_manager find;
|
||||
allow sdk_sandbox imms_service:service_manager find;
|
||||
allow sdk_sandbox input_method_service:service_manager find;
|
||||
allow sdk_sandbox input_service:service_manager find;
|
||||
allow sdk_sandbox IProxyService_service:service_manager find;
|
||||
allow sdk_sandbox ipsec_service:service_manager find;
|
||||
allow sdk_sandbox launcherapps_service:service_manager find;
|
||||
allow sdk_sandbox legacy_permission_service:service_manager find;
|
||||
allow sdk_sandbox light_service:service_manager find;
|
||||
allow sdk_sandbox locale_service:service_manager find;
|
||||
allow sdk_sandbox media_communication_service:service_manager find;
|
||||
allow sdk_sandbox mediaextractor_service:service_manager find;
|
||||
allow sdk_sandbox mediametrics_service:service_manager find;
|
||||
allow sdk_sandbox media_projection_service:service_manager find;
|
||||
allow sdk_sandbox media_router_service:service_manager find;
|
||||
allow sdk_sandbox mediaserver_service:service_manager find;
|
||||
allow sdk_sandbox media_session_service:service_manager find;
|
||||
allow sdk_sandbox memtrackproxy_service:service_manager find;
|
||||
allow sdk_sandbox midi_service:service_manager find;
|
||||
allow sdk_sandbox netpolicy_service:service_manager find;
|
||||
allow sdk_sandbox netstats_service:service_manager find;
|
||||
allow sdk_sandbox network_management_service:service_manager find;
|
||||
allow sdk_sandbox notification_service:service_manager find;
|
||||
allow sdk_sandbox package_service:service_manager find;
|
||||
allow sdk_sandbox permission_checker_service:service_manager find;
|
||||
allow sdk_sandbox permission_service:service_manager find;
|
||||
allow sdk_sandbox permissionmgr_service:service_manager find;
|
||||
allow sdk_sandbox platform_compat_service:service_manager find;
|
||||
allow sdk_sandbox power_service:service_manager find;
|
||||
allow sdk_sandbox procstats_service:service_manager find;
|
||||
allow sdk_sandbox registry_service:service_manager find;
|
||||
allow sdk_sandbox restrictions_service:service_manager find;
|
||||
allow sdk_sandbox rttmanager_service:service_manager find;
|
||||
allow sdk_sandbox search_service:service_manager find;
|
||||
allow sdk_sandbox selection_toolbar_service:service_manager find;
|
||||
allow sdk_sandbox sensor_privacy_service:service_manager find;
|
||||
allow sdk_sandbox sensorservice_service:service_manager find;
|
||||
allow sdk_sandbox servicediscovery_service:service_manager find;
|
||||
allow sdk_sandbox settings_service:service_manager find;
|
||||
allow sdk_sandbox speech_recognition_service:service_manager find;
|
||||
allow sdk_sandbox statusbar_service:service_manager find;
|
||||
allow sdk_sandbox storagestats_service:service_manager find;
|
||||
allow sdk_sandbox surfaceflinger_service:service_manager find;
|
||||
allow sdk_sandbox telecom_service:service_manager find;
|
||||
allow sdk_sandbox tethering_service:service_manager find;
|
||||
allow sdk_sandbox textclassification_service:service_manager find;
|
||||
allow sdk_sandbox textservices_service:service_manager find;
|
||||
allow sdk_sandbox texttospeech_service:service_manager find;
|
||||
allow sdk_sandbox thermal_service:service_manager find;
|
||||
allow sdk_sandbox translation_service:service_manager find;
|
||||
allow sdk_sandbox tv_iapp_service:service_manager find;
|
||||
allow sdk_sandbox tv_input_service:service_manager find;
|
||||
allow sdk_sandbox uimode_service:service_manager find;
|
||||
allow sdk_sandbox vcn_management_service:service_manager find;
|
||||
allow sdk_sandbox webviewupdate_service:service_manager find;
|
||||
|
||||
allow sdk_sandbox system_linker_exec:file execute_no_trans;
|
||||
@ -10,6 +10,84 @@ typeattribute sdk_sandbox coredomain;
|
||||
net_domain(sdk_sandbox)
|
||||
app_domain(sdk_sandbox)
|
||||
|
||||
# Allow finding services. This is different from ephemeral_app policy.
|
||||
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
|
||||
|
||||
allow sdk_sandbox activity_service:service_manager find;
|
||||
allow sdk_sandbox activity_task_service:service_manager find;
|
||||
allow sdk_sandbox appops_service:service_manager find;
|
||||
allow sdk_sandbox audio_service:service_manager find;
|
||||
allow sdk_sandbox audioserver_service:service_manager find;
|
||||
allow sdk_sandbox batteryproperties_service:service_manager find;
|
||||
allow sdk_sandbox batterystats_service:service_manager find;
|
||||
allow sdk_sandbox connectivity_service:service_manager find;
|
||||
allow sdk_sandbox connmetrics_service:service_manager find;
|
||||
allow sdk_sandbox deviceidle_service:service_manager find;
|
||||
allow sdk_sandbox display_service:service_manager find;
|
||||
allow sdk_sandbox dropbox_service:service_manager find;
|
||||
allow sdk_sandbox font_service:service_manager find;
|
||||
allow sdk_sandbox game_service:service_manager find;
|
||||
allow sdk_sandbox gpu_service:service_manager find;
|
||||
allow sdk_sandbox graphicsstats_service:service_manager find;
|
||||
allow sdk_sandbox hardware_properties_service:service_manager find;
|
||||
allow sdk_sandbox hint_service:service_manager find;
|
||||
allow sdk_sandbox imms_service:service_manager find;
|
||||
allow sdk_sandbox input_method_service:service_manager find;
|
||||
allow sdk_sandbox input_service:service_manager find;
|
||||
allow sdk_sandbox IProxyService_service:service_manager find;
|
||||
allow sdk_sandbox ipsec_service:service_manager find;
|
||||
allow sdk_sandbox launcherapps_service:service_manager find;
|
||||
allow sdk_sandbox legacy_permission_service:service_manager find;
|
||||
allow sdk_sandbox light_service:service_manager find;
|
||||
allow sdk_sandbox locale_service:service_manager find;
|
||||
allow sdk_sandbox media_communication_service:service_manager find;
|
||||
allow sdk_sandbox mediaextractor_service:service_manager find;
|
||||
allow sdk_sandbox mediametrics_service:service_manager find;
|
||||
allow sdk_sandbox media_projection_service:service_manager find;
|
||||
allow sdk_sandbox media_router_service:service_manager find;
|
||||
allow sdk_sandbox mediaserver_service:service_manager find;
|
||||
allow sdk_sandbox media_session_service:service_manager find;
|
||||
allow sdk_sandbox memtrackproxy_service:service_manager find;
|
||||
allow sdk_sandbox midi_service:service_manager find;
|
||||
allow sdk_sandbox netpolicy_service:service_manager find;
|
||||
allow sdk_sandbox netstats_service:service_manager find;
|
||||
allow sdk_sandbox network_management_service:service_manager find;
|
||||
allow sdk_sandbox notification_service:service_manager find;
|
||||
allow sdk_sandbox package_service:service_manager find;
|
||||
allow sdk_sandbox permission_checker_service:service_manager find;
|
||||
allow sdk_sandbox permission_service:service_manager find;
|
||||
allow sdk_sandbox permissionmgr_service:service_manager find;
|
||||
allow sdk_sandbox platform_compat_service:service_manager find;
|
||||
allow sdk_sandbox power_service:service_manager find;
|
||||
allow sdk_sandbox procstats_service:service_manager find;
|
||||
allow sdk_sandbox registry_service:service_manager find;
|
||||
allow sdk_sandbox restrictions_service:service_manager find;
|
||||
allow sdk_sandbox rttmanager_service:service_manager find;
|
||||
allow sdk_sandbox search_service:service_manager find;
|
||||
allow sdk_sandbox selection_toolbar_service:service_manager find;
|
||||
allow sdk_sandbox sensor_privacy_service:service_manager find;
|
||||
allow sdk_sandbox sensorservice_service:service_manager find;
|
||||
allow sdk_sandbox servicediscovery_service:service_manager find;
|
||||
allow sdk_sandbox settings_service:service_manager find;
|
||||
allow sdk_sandbox speech_recognition_service:service_manager find;
|
||||
allow sdk_sandbox statusbar_service:service_manager find;
|
||||
allow sdk_sandbox storagestats_service:service_manager find;
|
||||
allow sdk_sandbox surfaceflinger_service:service_manager find;
|
||||
allow sdk_sandbox telecom_service:service_manager find;
|
||||
allow sdk_sandbox tethering_service:service_manager find;
|
||||
allow sdk_sandbox textclassification_service:service_manager find;
|
||||
allow sdk_sandbox textservices_service:service_manager find;
|
||||
allow sdk_sandbox texttospeech_service:service_manager find;
|
||||
allow sdk_sandbox thermal_service:service_manager find;
|
||||
allow sdk_sandbox translation_service:service_manager find;
|
||||
allow sdk_sandbox tv_iapp_service:service_manager find;
|
||||
allow sdk_sandbox tv_input_service:service_manager find;
|
||||
allow sdk_sandbox uimode_service:service_manager find;
|
||||
allow sdk_sandbox vcn_management_service:service_manager find;
|
||||
allow sdk_sandbox webviewupdate_service:service_manager find;
|
||||
|
||||
allow sdk_sandbox system_linker_exec:file execute_no_trans;
|
||||
|
||||
# Write app-specific trace data to the Perfetto traced damon. This requires
|
||||
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
||||
perfetto_producer(sdk_sandbox)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user