Merge "Allow zygote to relabel sdk_sandbox_system_data_file" am: 26750b9a0c

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2101653

Change-Id: I0762945569e84d4a9cb6f98553c4e641812955c7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

prebuilts/api/33.0/private/sdk_sandbox.te

@@ -94,6 +94,14 @@ neverallow sdk_sandbox hal_drm_service:service_manager find;
 
 # Only certain system components should have access to sdk_sandbox_system_data_file
 # sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
 neverallow {
     domain
     -init
@@ -101,7 +109,8 @@ neverallow {
     -sdk_sandbox
     -system_server
     -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };

prebuilts/api/33.0/private/zygote.te

@@ -62,9 +62,10 @@ allow zygote apex_art_data_file:file { r_file_perms execute };
 # Bind mount on /data/data and mounted volumes
 allow zygote { system_data_file mnt_expand_file }:dir mounton;
 
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
 
 # Zygote opens /mnt/expand to mount CE DE storage on each vol
 allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@ allow zygote {
   app_data_file_type
   system_data_file
   mnt_expand_file
+  sdk_sandbox_system_data_file
 }:dir getattr;
 
 # Allow zygote to create JIT memory.

private/sdk_sandbox.te

@@ -160,6 +160,14 @@ neverallow sdk_sandbox hal_drm_service:service_manager find;
 
 # Only certain system components should have access to sdk_sandbox_system_data_file
 # sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
 neverallow {
     domain
     -init
@@ -167,7 +175,8 @@ neverallow {
     -sdk_sandbox
     -system_server
     -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };

private/zygote.te

@@ -98,12 +98,13 @@ allow zygote tmpfs:dir { create_dir_perms mounton };
 # when setting up app data isolation.
 allow zygote tmpfs:lnk_file create;
 
-# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
 # standard labels.  Note: it seems that not all dirs are actually relabeled yet,
 # but it works anyway since all domains can search tmpfs:dir.
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_userdir_file:dir relabelto;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
 
 # Read if sdcardfs is supported
 allow zygote proc_filesystems:file r_file_perms;