From 563016314cb6ade6d42975360daafb56da3ed0e6 Mon Sep 17 00:00:00 2001
From: Sanjana Sunil
Date: Fri, 20 May 2022 11:24:32 +0000
Subject: [PATCH] Allow zygote to relabel sdk_sandbox_system_data_file

To perform sdk sandbox data isolation, the zygote gets the selinux label of SDK sandbox storage (e.g. /data/misc_{ce,de}//sdksandbox) before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It relabels it back once bind mounting of required sandbox data is done. This change allows for the zygote to perform these operations.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
---
 prebuilts/api/33.0/private/sdk_sandbox.te | 11 ++++++++++-
 prebuilts/api/33.0/private/zygote.te      |  4 +++-
 private/sdk_sandbox.te                    | 11 ++++++++++-
 private/zygote.te                         |  3 ++-
 4 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index 5fde49515..7ca323f8b 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -94,6 +94,14 @@ neverallow sdk_sandbox hal_drm_service:service_manager find;
 
 # Only certain system components should have access to sdk_sandbox_system_data_file
 # sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+  domain
+  -init
+  -installd
+  -system_server
+  -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
 neverallow {
   domain
   -init
@@ -101,7 +109,8 @@ neverallow {
   -sdk_sandbox
   -system_server
   -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+  -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
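Review bot: Adding `-zygote` to the exception set of the second neverallow (hunk `@@ -101,7 +109,8 @@`) exempts zygote from the entire `{ create_dir_perms relabelto }` check rather than from relabelto alone, so a later allow granting zygote create, write or rmdir on sdk_sandbox_system_data_file:dir would no longer be rejected at policy build time. The zygote.te hunks in this patch only need getattr, search and relabelto on that type, so the exemption can be re-bounded the same way sdk_sandbox is bounded on the line right below: `neverallow zygote sdk_sandbox_system_data_file:dir ~{ getattr search relabelto };`. The identical hunk in private/sdk_sandbox.te needs the same addition. Leaving zygote out of the new `relabelfrom` neverallow is the right shape: as far as this patch shows, zygote only holds relabelfrom on tmpfs, so it can relabel tmpfs entries to this type but cannot move the real directory away from it.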
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index c5ba18076..41245c278 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -62,9 +62,10 @@ allow zygote apex_art_data_file:file { r_file_perms execute };
 # Bind mount on /data/data and mounted volumes
 allow zygote { system_data_file mnt_expand_file }:dir mounton;
 
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}//sdksandbox
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
 
 # Zygote opens /mnt/expand to mount CE DE storage on each vol
 allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@ allow zygote {
   app_data_file_type
   system_data_file
   mnt_expand_file
+  sdk_sandbox_system_data_file
 }:dir getattr;
 
 # Allow zygote to create JIT memory.
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 193ab5194..20d3adf33 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -160,6 +160,14 @@ neverallow sdk_sandbox hal_drm_service:service_manager find;
 
 # Only certain system components should have access to sdk_sandbox_system_data_file
 # sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+  domain
+  -init
+  -installd
+  -system_server
+  -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
 neverallow {
   domain
   -init
@@ -167,7 +175,8 @@ neverallow {
   -sdk_sandbox
   -system_server
   -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+  -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
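Review bot: The new comment line `# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}//sdksandbox` in the first zygote.te hunk has an empty path component between the two slashes, and the commit message shows the same `//`, which suggests a placeholder (presumably the per-user directory) was dropped as markup before the comment was committed. As written the comment does not name a real path; it should spell the component out, e.g. `# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox` (placeholder to be replaced with the actual component). It would also help a reader of this rule to say that the relabel is one-way: the accompanying `allow zygote sdk_sandbox_system_data_file:dir { search relabelto };` pairs with the tmpfs relabelfrom above it, while relabelfrom on sdk_sandbox_system_data_file itself is neverallowed for zygote in sdk_sandbox.te.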
diff --git a/private/zygote.te b/private/zygote.te
index ab97f5bf9..baffcc4a3 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -98,12 +98,13 @@ allow zygote tmpfs:dir { create_dir_perms mounton };
 # when setting up app data isolation.
 allow zygote tmpfs:lnk_file create;
 
-# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
 # standard labels. Note: it seems that not all dirs are actually relabeled yet,
 # but it works anyway since all domains can search tmpfs:dir.
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_userdir_file:dir relabelto;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };

 # Read if sdcardfs is supported
 allow zygote proc_filesystems:file r_file_perms;
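Review bot: The added rule `allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };` is the only relabelto line in this group that is not explained by the comment above it, which still speaks only of relabeling tmpfs entries "to their standard labels" and says nothing about which real label or directory the sandbox case targets. A one-line comment directly above the rule would make the intent and the one-way nature reviewable, e.g. `# Restore the sdk sandbox storage label after its tmpfs mount; relabelfrom on this type is neverallowed for zygote in sdk_sandbox.te.`. The rewritten comment line also exceeds the width of its neighbours; wrapping it keeps the block readable. Note that this copy grants getattr in the rule itself while the prebuilts/api/33.0 copy grants it through its separate `}:dir getattr;` set; the effect looks equivalent, but the difference is worth a mention in the commit message so the two copies are not assumed to be textually identical.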