Create a separate label for sandbox root directory

Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.

By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.

Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Ignore-AOSP-First: Test is missing in AOSP. Will cherry-pick to AOSP
                   once merged here.
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed

prebuilts/api/33.0/private/file.te

@@ -19,6 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
 type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
 

prebuilts/api/33.0/private/file_contexts

@@ -691,6 +691,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+
 # App data snapshots (managed by installd).
 /data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
 /data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0

prebuilts/api/33.0/private/installd.te

@@ -48,3 +48,6 @@ allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
 
 allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };

prebuilts/api/33.0/private/sdk_sandbox.te

@@ -105,7 +105,10 @@ can_profile_perf(sdk_sandbox)
 allow sdk_sandbox system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
 allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
 
@@ -154,3 +157,20 @@ neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
 
 neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -sdk_sandbox
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;

prebuilts/api/33.0/private/system_server.te

@@ -72,6 +72,9 @@ allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
 allow system_server sysfs_fs_f2fs:file r_file_perms;
 
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

prebuilts/api/33.0/private/vold_prepare_subdirs.te

@@ -12,6 +12,7 @@ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
+  sdk_sandbox_system_data_file
   system_data_file
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
     rollback_data_file
     storaged_data_file
     sdk_sandbox_data_file
+    sdk_sandbox_system_data_file
     system_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };

private/file.te

@@ -19,6 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
 type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
 

private/file_contexts

@@ -691,6 +691,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox       u:object_r:sdk_sandbox_system_data_file:s0
+
 # App data snapshots (managed by installd).
 /data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
 /data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0

private/installd.te

@@ -48,3 +48,6 @@ allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
 
 allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };

private/sdk_sandbox.te

@@ -105,7 +105,10 @@ can_profile_perf(sdk_sandbox)
 allow sdk_sandbox system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
 allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
 
@@ -154,3 +157,20 @@ neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
 
 neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+    domain
+    -init
+    -installd
+    -sdk_sandbox
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;

private/system_server.te

@@ -72,6 +72,9 @@ allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
 allow system_server sysfs_fs_f2fs:file r_file_perms;
 
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

private/vold_prepare_subdirs.te

@@ -12,6 +12,7 @@ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
+  sdk_sandbox_system_data_file
   system_data_file
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
     rollback_data_file
     storaged_data_file
     sdk_sandbox_data_file
+    sdk_sandbox_system_data_file
     system_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };