Merge "Add neverallow rules to protect SDK's private data" into udc-dev am: b7146a9e58

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/22907484

Change-Id: I245c4c12dff2028abfe1c7a3002c3a3b5e7b4e47
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

prebuilts/api/34.0/private/sdk_sandbox.te

@@ -297,6 +297,26 @@ neverallow {
     -zygote
 } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
+# Only certain domains should be able to open and write to the SDK's data directory.
+neverallow {
+    domain
+    -artd
+    -init
+    -installd
+    -sdk_sandbox
+    -vold_prepare_subdirs
+} sdk_sandbox_data_file:dir ~{read getattr search};
+
+# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
+neverallow {
+    domain
+    -artd
+    -init
+    -installd
+    -sdk_sandbox
+    -vold_prepare_subdirs
+} sdk_sandbox_data_file:file ~{append read write getattr lock map};
+
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
 

private/sdk_sandbox.te

@@ -297,6 +297,26 @@ neverallow {
     -zygote
 } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
+# Only certain domains should be able to open and write to the SDK's data directory.
+neverallow {
+    domain
+    -artd
+    -init
+    -installd
+    -sdk_sandbox
+    -vold_prepare_subdirs
+} sdk_sandbox_data_file:dir ~{read getattr search};
+
+# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
+neverallow {
+    domain
+    -artd
+    -init
+    -installd
+    -sdk_sandbox
+    -vold_prepare_subdirs
+} sdk_sandbox_data_file:file ~{append read write getattr lock map};
+
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };