Allow zygote to relabel sdk_sandbox_system_data_file

To perform SDK sandbox data isolation, the zygote gets the SELinux label
of SDK sandbox storage (e.g. /data/misc_{ce,de}/<user-id>/sdksandbox)
before tmpfs is mounted onto /data/misc_{ce,de} (or other volumes). It
relabels it back once bind mounting of required sandbox data is done.
This change allows for the zygote to perform these operations.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: I28d1709ab4601f0fb1788435453ed19d023dc80b
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 193ab51..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -164,10 +164,19 @@
     domain
     -init
     -installd
+    -system_server
+    -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+    domain
+    -init
+    -installd
     -sdk_sandbox
     -system_server
     -vold_prepare_subdirs
-} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+    -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
 
 # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
 neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
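
Review bot: adding -zygote to the second neverallow exempts zygote from every permission in create_dir_perms on sdk_sandbox_system_data_file:dir, not only relabelto, while the commit message describes only reading the label and relabeling it back. Consider bounding the exemption the way the last line of this hunk does for sdk_sandbox, with a follow-up neverallow on zygote that denies everything outside the permissions it actually needs (for example getattr, search and relabelto, if that matches what the zygote code does). A comment above each rule would also help, saying why relabelfrom was split out and why its exemption list omits both -sdk_sandbox and -zygote, since the rules themselves do not explain the difference.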