Merge "Allow apps and SDK sandbox to access each others' open FDs"
diff --git a/private/app.te b/private/app.te
index da60086..34cd2f0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -267,6 +267,9 @@
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 1f84eca..7ad8feb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -35,9 +35,6 @@
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
-# Read SDK sandbox data files
-allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
-
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 9a3f05f..6e7ba50 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -28,6 +28,9 @@
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
###
### neverallow rules
###
@@ -64,7 +67,7 @@
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;