isolated_app: allow access to pre-opened sdcard FDs
Allow isolated apps to read/write/append/lock already open sdcard
file descriptors passed to it by normal app processes. isolated_apps are
used by processes like Google drive when handling untrusted content.
Addresses the following denial:
audit(0.0:1508): avc: denied { read } for
path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
tclass=file permissive=0
This partially reverts the tightening added in
ce4b5eeaeed88fbaca88eac2f7fd5f7a85d7ba0e.
Add a TODO to consider removing isolated_apps ability to write or append
to files on the sdcard. This limits the damage that can occur should the
isolated_app process be compromised.
Bug: 32896414
Test: Policy compiles. Rule add only, so no possibility of breakage.
Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f
(cherry picked from commit c121735f42e73f4c46004ef09b85cdb8359a517a)
1 file changed