Allow apps and SDK sandbox to access each others' open FDs

An app may wish to pass an open FD to the SDK sandbox for it to
consume, and vice versa. Neither party is permitted to write to
the other's open FD; only getattr and read are granted.

Test: Manual
Bug: 281843854
Change-Id: I73f79b6566ed3e3d8491db6bed011047d5a650ce
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 9a3f05f..6e7ba50 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -28,6 +28,9 @@
 allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
 allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
 
+# allow apps to pass open fds to the sdk sandbox
+allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
+
 ###
 ### neverallow rules
 ###
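Review bot: The comment above the new allow rule on line 18 undersells what the rule does and does not grant: it permits `getattr` and `read` on app-private file types but deliberately omits `open`, which is what keeps the sandbox from opening these files on its own and limits it to FDs an app chooses to hand over. That distinction is the whole security argument of the change and should be written down next to the rule, e.g. `# Allow the SDK sandbox to read (but not open, write, or ioctl) app-private files whose already-open FD was passed to it by an app. open is intentionally absent so the sandbox cannot reach these files itself.` Note that file-level `read` alone does not let the sandbox consume a passed FD; the `fd:use` permission on the app's domain must also be granted, which is not visible in this diff and presumably lives elsewhere. Since `sdk_sandbox_all` spans every app's sandbox, isolation between apps' data files on received FDs relies on the per-app MLS categories rather than on this rule; worth confirming that the sandbox processes carry the same categories as their client app.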
@@ -64,7 +67,7 @@
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
 neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
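Review bot: The comment on line 26 is now inaccurate for the `file` class: the sandbox may read app_data_file/privapp_data_file via a passed FD, so "not related to" no longer describes the policy. I would reword it to `# SDK sandbox processes have their own storage. They may only getattr/read app-private files via an FD an app passed to them; every other file permission (including open) remains forbidden.` The new complement `~{ getattr read }` is also stricter than the old `no_rw_file_perms` (it additionally forbids ioctl, lock, watch and so on), which is the right direction but means the exemption set here and the allow set in the first hunk must be kept byte-identical, or the build's neverallow check will fail the moment one side is extended without the other. A short note pointing at the allow rule would help the next person who touches either line.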