strengthen app_data_file neverallows

There are more types of apps now.

Bug: 281877578
Test: boot
Change-Id: I1918de8610070f6fac0e933d75c656e4ee0cfbdd
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 8e46ca3..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -35,7 +35,7 @@
 ### neverallow rules
 ###
 
-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
 
 # Receive or send uevent messages.
 neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
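Review bot: The execute/execute_no_trans neverallow directly under the `### neverallow rules` banner has no comment, unlike the rules that follow it, and with the switch to the `app_data_file_type` attribute its reach can no longer be read off the line itself. I would add `# SDK sandbox processes must never execute files labeled with any app data type, including their own sandbox data.` above it. The second hunk subtracts `sdk_sandbox_data_file` from the same attribute, which suggests that type is still covered here as it was in the old explicit list. It is worth confirming against the type declarations, which are outside this diff.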
@@ -66,8 +66,9 @@
 neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
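Review bot: `radio_data_file` is subtracted from both new rules without any comment, whereas the `shell_data_file` carve-out at least carries `TODO(b/280514080)`; an unexplained exemption in a neverallow tends to stay in place indefinitely. Add either the reason or a tracking line such as `# TODO(b/<bug-id>): radio_data_file shouldn't be allowed here`. The context comment above the rules still says the storage is "not related to app_data_file or privapp_data_file", which no longer matches rules written against the whole attribute; `# SDK sandbox processes have their own storage, unrelated to any other app data type` would fit. The exception set is also repeated verbatim in the dir and file rules, so both lines have to be edited together when an exemption is removed.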