Allow apps and SDK sandbox to access each others' open FDs

An app may wish to pass an open FD for the SDK sandbox
to consume, and vice versa. Neither party will be
permitted to write to the other's open FD.

Ignore-AOSP-First: Cherrypick
Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
Merged-In: I73f79b6566ed3e3d8491db6bed011047d5a650ce

prebuilts/api/34.0/private/app.te

@@ -262,6 +262,9 @@ allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_
 # Access via already open fds is ok even for mlstrustedsubject.
 allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
 

prebuilts/api/34.0/private/mediaprovider_app.te

@@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
 # Talk to regular app services
 allow mediaprovider_app app_api_service:service_manager find;
 
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 

prebuilts/api/34.0/private/sdk_sandbox_all.te

@@ -28,6 +28,9 @@ allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
 allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
 
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
 ###
 ### neverallow rules
 ###
@@ -64,7 +67,7 @@ neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
 neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;

private/app.te

@@ -262,6 +262,9 @@ allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_
 # Access via already open fds is ok even for mlstrustedsubject.
 allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
 

private/mediaprovider_app.te

@@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
 # Talk to regular app services
 allow mediaprovider_app app_api_service:service_manager find;
 
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 

private/sdk_sandbox_all.te

@@ -28,6 +28,9 @@ allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
 allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
 
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
 ###
 ### neverallow rules
 ###
@@ -64,7 +67,7 @@ neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
 neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;