To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.
By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.
Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
We might want to change this in later android versions.
Bug: b/228159127
Bug: b/227745962
Test: Manual
Change-Id: I8f425cc9f2759a29bdd2e6218ad0a1c40750e4f5
Add some services ephemeral service has access to.
We will steadily restrict this list further based on
testing and requirements for rubidium.
Test: Manual
Bug: b/227745962
Bug: b/227581095
Change-Id: If7bcb8b8de62d408bd4af848b43abca853c93758
Thermal Service access needs to be provided to Sdk Sandbox
for Webview to record battery related metrics. We also
provide isolated process access to the file directory for sandbox
so that the renderer process can access it.
Bug: b/226558510
Test: Manual
Change-Id: I1ac14d4df7ab53e567a27086d0418ec612a7686f
