From 0afa024c281fc35562c147453b697044612c2d53 Mon Sep 17 00:00:00 2001
From: Maddie Stone <maddiestone@google.com>
Date: Tue, 1 May 2018 14:53:41 -0700
Subject: [PATCH] Only installd and init may relabel app_data_file.

Bug: 78517829
Test: build aosp_sailfish-userdebug
Change-Id: I5e1a97b9fb6fa9ff9fd49e1e664769ae70aeda37
---
 public/domain.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 1dc2a41df..2f3d8f1b4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1187,6 +1187,12 @@ neverallow {
   -installd # creation of sandbox
 } app_data_file:dir_file_class_set { create unlink };
 
+neverallow {
+  domain
+  -init
+  -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
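Review bot: The new neverallow block carries no comment explaining why init and installd are the only domains permitted to relabel app_data_file, whereas the adjacent create/unlink rule annotates its exemption (`-installd # creation of sandbox`). I would add a header above it in the file's existing style, e.g. `# Only init and installd may change the label of app data files. A domain that could relabelfrom/relabelto app_data_file could move files into or out of the app sandbox type and sidestep the create/unlink restriction above.`, and an inline note on `-init` if the reason it needs relabel access is known. Since a neverallow is a policy-compile-time assertion rather than a runtime denial, the build in the Test line is what verifies no existing allow rule grants these permissions; the preceding neverallow block begins outside this hunk.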
-- 
GitLab