From d4d3c01fa3f710993e69a1df09a3c0614f970039 Mon Sep 17 00:00:00 2001
From: Gavin Corkery
Date: Wed, 10 May 2023 16:13:53 +0000
Subject: [PATCH] Allow apps and SDK sandbox to access each others' open FDs

An app may wish to pass an open FD for the SDK sandbox to consume, and vice versa. Neither party will be permitted to write to the other's open FD.

Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
---
 private/app.te | 3 +++
 private/mediaprovider_app.te | 3 ---
 private/sdk_sandbox_all.te | 5 ++++-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/private/app.te b/private/app.te
index da60086f3..34cd2f0d7 100644
--- a/private/app.te
+++ b/private/app.te
@@ -267,6 +267,9 @@ allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_
 # Access via already open fds is ok even for mlstrustedsubject.
 allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 1f84eca1f..7ad8febf3 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
 # Talk to regular app services
 allow mediaprovider_app app_api_service:service_manager find;
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 9a3f05f75..6e7ba5025 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
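Review bot: The new `allow appdomain sdk_sandbox_data_file:file { getattr read };` is scoped to every app domain, including isolated_app, whereas the rule just above it deliberately carves out `-isolated_app_all -sdk_sandbox_all` for the app-data case; unless isolated processes are meant to receive sandbox FDs, `allow { appdomain -isolated_app_all } sdk_sandbox_data_file:file { getattr read };` keeps the two rules consistent. What confines this to already-open FDs is not the comment but the absence of `open` (and of any dir search on sdk_sandbox_data_file), so the comment should state that invariant so a later edit does not quietly widen it: `# Read fds the SDK sandbox hands over. No 'open' and no dir search: apps must never reach these files by path.` Note also that `map` is not granted here while the app-data rule above grants it, so an app that mmaps a received sandbox fd will be denied; worth confirming that is intended.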
@@ -28,6 +28,9 @@ allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
 allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
 ###
 ### neverallow rules
 ###
@@ -64,7 +67,7 @@ neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
 neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
 # SDK sandbox processes don't have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
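Review bot: The comment `# allow apps to pass open fds to the sdk sandbox` describes intent, but an SELinux allow is type-based and nothing in this line itself limits it to passed fds; what does is that `open` is absent here and the `:dir` neverallow further down keeps path traversal closed. Make that explicit so the property is visible at the point it is relied on: `# Read fds an app hands over. Deliberately no 'open' (neverallow below) and no dir access, so app data can never be reached by path.` Since `map` is also absent, a sandbox that tries to mmap a received app fd will be denied; if that is the intended contract, say so in the same comment rather than leaving it to be discovered from an avc denial.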
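Review bot: The comment kept above the relaxed rule, `# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file`, is now contradicted by the `~{ getattr read }` neverallow directly below it; update it to `# SDK sandbox has its own storage. App data files may only be read via fds an app hands over (getattr/read); open, search and every write remain forbidden.` Note that `~{ getattr read }` forbids every other file permission, which is presumably wider than the explicit set the old `no_rw_file_perms` macro named (e.g. `map`, if that macro omits it), so the change both loosens read and pins everything else closed; that is a reasonable shape for the guarantee, but the comment should say it is intentional. The `:dir` neverallow above is what still prevents the sandbox from opening app files by path, so it must stay as written.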