Allow zygote to relabel sdk_sandbox_system_data_file
To perform sdk sandbox data isolation, the zygote gets the selinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows the zygote to perform these operations.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 193ab51..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -164,10 +164,19 @@
domain
-init
-installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
-sdk_sandbox
-system_server
-vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
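Review bot: The added `-zygote` entry exempts zygote from the entire `{ create_dir_perms relabelto }` neverallow, although the matching zygote.te change only grants it `getattr relabelto search`, so the assertion that no domain other than the listed ones may create, write or remove these directories no longer covers zygote. Keeping zygote exempt only from `relabelto` preserves that guard; the split below does so with one statement per permission set. The opening `neverallow {` line of the first statement is above the hunk. The new relabelfrom statement also drops the old `-sdk_sandbox` exemption without a comment; if that is intentional, a line such as `# sdk_sandbox must never relabel its own storage` above it would record the reason.
```selinux
neverallow {
  domain
  -init
  -installd
  -sdk_sandbox
  -system_server
  -vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir create_dir_perms;

# zygote only restores this label on its tmpfs mount points (see zygote.te).
neverallow {
  domain
  -init
  -installd
  -sdk_sandbox
  -system_server
  -vold_prepare_subdirs
  -zygote
} sdk_sandbox_system_data_file:dir relabelto;
```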
diff --git a/private/zygote.te b/private/zygote.te
index ab97f5b..baffcc4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -98,12 +98,13 @@
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
-# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_userdir_file:dir relabelto;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
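Review bot: The new `allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };` rule carries no comment of its own, and the comment block above it only explains the relabel step, so the reason for `getattr` and `search` is left to the commit message. A comment directly above the rule, such as `# Read the label of the sdk sandbox storage dir before tmpfs is mounted over it, so it can be restored on the mount point afterwards.`, would make the intent visible in the policy itself. The reworded comment line also runs well past 80 columns while the neighbouring comment lines stay within it; wrapping it would match the file's existing style.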