Add neverallow rules to protect SDK's private data
The SDK sandbox's private data should not be directly accessible to other domains, including
system_server. Add neverallow rules to enforce that.
Bug: b/279885689
Test: make and boot device
Change-Id: If6a6b4d43f297ec2aa27434dd26f6c88d0d8bcf2
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 4806e6d..9d6abcb 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -297,6 +297,26 @@
-zygote
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+# Only certain domains should be able to open and write to the SDK's data directory.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:dir ~{read getattr search};
+
+# Most domains shouldn't be able to open files in the SDK's data directory, unless given an open FD.
+neverallow {
+ domain
+ -artd
+ -init
+ -installd
+ -sdk_sandbox
+ -vold_prepare_subdirs
+} sdk_sandbox_data_file:file ~{append read write getattr lock map};
+
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
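Review bot: The two new neverallow rules only constrain the `dir` and `file` classes of `sdk_sandbox_data_file`, so nothing stops a future allow rule from granting another domain create/read/write on a `lnk_file`, `sock_file` or `fifo_file` carrying that label inside the SDK's data directory, which would bypass the intent stated in the comment at the top of the added block. If only regular files and directories are expected there, a third rule with the same exemption list closes the gap: `neverallow { domain -artd -init -installd -sdk_sandbox -vold_prepare_subdirs } sdk_sandbox_data_file:{ lnk_file sock_file fifo_file } *;`. Separately, the `dir` rule leaves `read` outside the neverallow, which means a domain could still be allowed to list the SDK directory's file names; if that is not needed for path traversal (`search` and `getattr` already are), consider tightening it to `~{getattr search}` to match the sdk_sandbox_system_data_file rule just below. The exemption list is duplicated verbatim across both rules, so a short comment saying why each of artd/installd/vold_prepare_subdirs needs full access would help the next person who has to add or remove a domain from both.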