Allow apps and SDK sandbox to access each others' open FDs

An app may wish to pass an open FD for the SDK sandbox
to consume, and vice versa. Neither party will be
permitted to write to the other's open FD.

Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
diff --git a/private/app.te b/private/app.te
index da60086..34cd2f0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -267,6 +267,9 @@
 # Access via already open fds is ok even for mlstrustedsubject.
 allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
+# Access open fds from SDK sandbox
+allow appdomain sdk_sandbox_data_file:file { getattr read };
+
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
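Review bot: The added rule on `sdk_sandbox_data_file` uses bare `appdomain` as its source, whereas the rule directly above it subtracts `isolated_app_all` and `sdk_sandbox_all`, so isolated apps would also get `getattr`/`read` on sandbox data files handed to them by FD. If isolated apps are not meant to be covered, scope the rule the same way, e.g. `allow { appdomain -isolated_app_all } sdk_sandbox_data_file:file { getattr read };`. The comment could also record the property that keeps this safe: `# Read-only access via fds passed from the SDK sandbox; open and write are intentionally not granted.` The reverse direction described in the commit message is not in this hunk, so it presumably lives in another policy file and deserves the same check.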