Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d2ffd35cc04061dc49159d5ef31198f22dfb9bc5^! / . / private / file.te
commitd2ffd35cc04061dc49159d5ef31198f22dfb9bc5[log] [tgz]
authorMohammad Samiul Islam <samiul@google.com>Wed May 11 21:43:54 2022 +0100
committerSamiul Islam <samiul@google.com>Thu May 19 16:01:15 2022 +0100
tree84ffc84a7a3af2dbb2fbbaebb98eb7c42d9ffc06
parent945c072d12820d72bb9f8a89e04584fa4a31d667 [diff] [blame]
Create a separate label for sandbox root directory

Currently, app process can freely execute path at
`/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system
file. They can't read or write, but use 403/404
error to figure out if an app is installed or not.

By changing the selinux label of the parent directory:
`/data/misc_ce/0/sdksandbox`, we can restrict app process from executing
inside the directory and avoid the privacy leak.

Sandbox process should only have "search" permission on the new label so
that it can pass through it to its data directory located in
`/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error
Test: manual test to verify webview still works
Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed

diff --git a/private/file.te b/private/file.te
index 1afa50f..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te

@@ -19,6 +19,8 @@
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
 type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;