###
### SDK Sandbox process.
###
### This file defines the audit sdk sandbox security policy for
### the set of restrictions proposed for the next SDK level.
###
### The sdk_sandbox_audit domain has the same rules as the
### sdk_sandbox_current domain and additional auditing rules
### for the accesses we are considering forbidding in the upcoming
### sdk_sandbox_next domain.
type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;

net_domain(sdk_sandbox_audit)
app_domain(sdk_sandbox_audit)

# Auditallow rules for accesses that are currently allowed but we
# might remove in the future.

auditallow sdk_sandbox_audit {
    cameraserver_service
    ephemeral_app_api_service
    mediadrmserver_service
    radio_service
}:service_manager find;

auditallow sdk_sandbox_audit {
    property_type
    -system_property_type
}:file rw_file_perms;

auditallow sdk_sandbox_audit {
    property_type
    -system_property_type
}:dir rw_dir_perms;
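
# Added example, not part of the AOSP policy file: a triage script that tallies
# the "avc: granted" records the auditallow rules above would produce, so the
# accesses still in use can be reviewed before they are forbidden. The log lines,
# the vendor_example_prop and example_service types and the function name are
# constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the usual AVC layout (not captured from a device).
CTX = "scontext=u:r:sdk_sandbox_audit:s0:c52,c257,c512,c768"
SAMPLE_LOG = "\n".join([
    # servicemanager reports service_manager find decisions from userspace.
    f"avc:  granted  {{ find }} for pid=4321 uid=20123 name=phone {CTX} "
    "tcontext=u:object_r:radio_service:s0 tclass=service_manager",
    f"avc:  granted  {{ find }} for pid=4321 uid=20123 name=phone {CTX} "
    "tcontext=u:object_r:radio_service:s0 tclass=service_manager",
    # Kernel record for a property file that is not a system_property_type.
    f'type=1400 audit(0.0:12): avc: granted {{ read open }} for comm="sdk" {CTX} '
    "tcontext=u:object_r:vendor_example_prop:s0 tclass=file",
    # A denial in the same domain: not an auditallow hit, must be skipped.
    f"avc:  denied  {{ find }} for pid=4321 uid=20123 name=example {CTX} "
    "tcontext=u:object_r:example_service:s0 tclass=service_manager permissive=0",
    # A granted record from a different domain: out of scope, must be skipped.
    "avc:  granted  { find } for pid=99 uid=10001 name=phone "
    "scontext=u:r:untrusted_app:s0:c1,c2 "
    "tcontext=u:object_r:radio_service:s0 tclass=service_manager",
])

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>granted|denied)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=u:r:(?P<sdomain>\w+):\S+\s+"
    r"tcontext=u:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)


def summarize_audit_hits(log_text, domain="sdk_sandbox_audit"):
    """Count granted accesses per (tclass, target type, permission) for one domain."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["verdict"] != "granted" or m["sdomain"] != domain:
            continue
        # One record can carry several permissions, e.g. { read open }.
        for perm in m["perms"].split():
            hits[(m["tclass"], m["ttype"], perm)] += 1
    return hits


if __name__ == "__main__":
    for (tclass, ttype, perm), n in summarize_audit_hits(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {tclass:16s} {ttype:24s} {perm}")
```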