From 23c9d91b46352bd91cdc58f33d55378e5567dc1c Mon Sep 17 00:00:00 2001 
From: Nick Kralevich <nnk@google.com>
Date: Thu, 2 Aug 2018 15:54:23 -0700
Subject: [PATCH] Start partitioning off privapp_data_file from app_data_file

Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access to privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules.

This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to:

-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade.
Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
---
 private/app_neverallows.te | 1 +
 private/compat/26.0/26.0.cil | 2 +-
 private/compat/27.0/27.0.cil | 2 +-
 private/compat/28.0/28.0.cil | 2 +-
 private/dexoptanalyzer.te | 6 +++---
 private/domain.te | 12 ++++++------
 private/ephemeral_app.te | 4 ++--
 private/isolated_app.te | 4 ++--
 private/mls | 12 ++++++------
 private/priv_app.te | 2 +-
 private/storaged.te | 2 +-
 private/surfaceflinger.te | 2 +-
 private/system_server.te | 29 ++++++++++++++++++++++++++---
 private/untrusted_app_all.te | 2 +-
 private/webview_zygote.te | 1 +
 public/app.te | 4 ++--
 public/dex2oat.te | 4 ++--
 public/domain.te | 3 ++-
 public/drmserver.te | 2 +-
 public/file.te | 2 ++
 public/init.te | 9 +++++++--
 public/installd.te | 2 ++
 public/kernel.te | 2 +-
 public/logd.te | 2 +-
 public/logpersist.te | 2 +-
 public/mediaextractor.te | 2 +-
 public/mediametrics.te | 2 +-
 public/mediaserver.te | 8 ++++----
 public/netd.te | 2 +-
 public/perfprofd.te | 4 ++--
 public/profman.te | 6 +++---
 public/recovery_persist.te | 2 +-
 public/recovery_refresh.te | 2 +-
 public/vendor_init.te | 2 +-
 public/vold.te | 8 ++++----
 35 files changed, 94 insertions(+), 59 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 640775520..31551acc4 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,6 +100,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
 -sdcard_type
 file_type
 -app_data_file # The apps sandbox itself
+ -privapp_data_file
 -media_rw_data_file # Internal storage. Known that apps can
 # leave artfacts here after uninstall.
 -user_profile_data_file # Access to profile files
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index f53a194dd..c8b7a1f5a 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
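Review bot: The new `-privapp_data_file` exemption in the all_untrusted_apps neverallow at the top of this hunk widens the set of file types untrusted apps may be granted, and unlike the neighbouring entries it carries no comment explaining why. Since the commit message describes these additions as compatibility measures that may be tightened later, a trailing comment such as `-privapp_data_file # compat: added alongside app_data_file; revisit once seapp_contexts assigns this label` would keep the intended follow-up visible where the rule lives. The enclosing neverallow block opens and closes outside the hunk.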
@@ -31,7 +31,7 @@
 (typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_26_0 (app_fuse_file))
 (typeattributeset app_fusefs_26_0 (app_fusefs))
 (typeattributeset appops_service_26_0 (appops_service))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index e3ca2d045..d0cb9b7bb 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -737,7 +737,7 @@
 (typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file))
+(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_27_0 (app_fuse_file))
 (typeattributeset app_fusefs_27_0 (app_fusefs))
 (typeattributeset appops_service_27_0 (appops_service))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d733132ec..a784b444d 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -872,7 +872,7 @@
 (typeattributeset apk_private_data_file_28_0 (apk_private_data_file))
 (typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file))
 (typeattributeset apk_tmp_file_28_0 (apk_tmp_file))
-(typeattributeset app_data_file_28_0 (app_data_file))
+(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file))
 (typeattributeset app_fuse_file_28_0 (app_fuse_file))
 (typeattributeset app_fusefs_28_0 (app_fusefs))
 (typeattributeset appops_service_28_0 (appops_service))
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index dfc81b850..7d01ef5b8 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -19,12 +19,12 @@ allow dexoptanalyzer installd:fd use;
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
-allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
-dontaudit dexoptanalyzer app_data_file:dir audit_access;
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/domain.te b/private/domain.te
index f7f5d66da..1ae31aea1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -128,7 +128,7 @@ neverallow {
 domain
 -appdomain
 -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 # Only the following processes should be directly accessing private app
 # directories.
@@ -145,7 +145,7 @@ neverallow {
 -runas
 -system_server
 -vold
-} app_data_file:dir *;
+} { privapp_data_file app_data_file }:dir *;
 # Only apps should be modifying app data. init and installd are exempted for
 # restorecon and package install/uninstall.
@@ -154,7 +154,7 @@ neverallow {
 -appdomain
 -init
 -installd
-} app_data_file:dir ~r_dir_perms;
+} { privapp_data_file app_data_file }:dir ~r_dir_perms;
 neverallow {
 domain
@@ -163,16 +163,16 @@ neverallow {
 -mediaserver # b/80300620
 userdebug_or_eng(`-perfprofd')
 -vold # b/80418809
-} app_data_file:file_class_set open;
+} { privapp_data_file app_data_file }:file_class_set open;
 neverallow {
 domain
 -appdomain
 -installd # creation of sandbox
-} app_data_file:dir_file_class_set { create unlink };
+} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 neverallow {
 domain
 -init
 -installd
-} app_data_file:dir_file_class_set { relabelfrom relabelto };
+} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 75a631765..f28d28f04 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -21,7 +21,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow ephemeral_app app_data_file:file {r_file_perms execute};
+allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
 # services
 allow ephemeral_app audioserver_service:service_manager find;
@@ -50,7 +50,7 @@ allow ephemeral_app system_server:udp_socket {
 ### neverallow rules ###
-neverallow ephemeral_app app_data_file:file execute_no_trans;
+neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index a6276b38c..26cb12277 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
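Review bot: The `neverallow { domain -appdomain -installd } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };` rule rewritten in the middle of the @@ -163 hunk of private/domain.te is identical to the rule rewritten in the @@ -128 hunk of the same file (same exemptions, same class set, same permissions), so the change now maintains the duplicate in two places. The duplication is pre-existing and there may be a reason for it that is not visible here, but since both copies are being edited this is the natural moment to keep one and delete the other, or at least to note why both exist. The first neverallow block of the @@ -163 hunk opens before the hunk starts.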
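Review bot: The rewritten `allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};` grants ephemeral apps execute on files labelled with the new priv-app type, and the same execute widening appears in the priv_app.te and untrusted_app_all.te hunks later in this patch, yet none of the three says whether the grant is intended to stay or is one of the compatibility rules the commit message expects to tighten later. A comment above each, e.g. `# privapp_data_file added for compatibility with the app_data_file split; revisit once seapp_contexts uses it`, would record that intent in the policy rather than only in the commit message. The second ephemeral_app hunk extends the execute_no_trans neverallow to the new type consistently with the allow above it.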
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
@@ -61,7 +61,7 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 neverallow isolated_app tun_device:chr_file open;
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
+neverallow isolated_app { app_data_file privapp_data_file }:file open;
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
diff --git a/private/mls b/private/mls
index 3b8ee3f47..2eb621ddf 100644
--- a/private/mls
+++ b/private/mls
@@ -55,9 +55,9 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+ ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+ ( (t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);
 #
 # Constraints for file types other than app data files.
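Review bot: The two new constraint expressions in the private/mls @@ -55 hunk are spaced inconsistently: the dir constraint reads `( (t2 != app_data_file and t2 != privapp_data_file ) or …` with a stray space before the closing parenthesis, while the `{ file lnk_file sock_file }` constraint directly below writes `privapp_data_file)` without one. Using `((t2 != app_data_file and t2 != privapp_data_file) or l1 dom l2 or t1 == mlstrustedsubject);` for both would make the pair read identically and matches the tighter style of the other expressions in this file. Both mlsconstrain statements are fully within the hunk.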
@@ -66,18 +66,18 @@ mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
 # Read operations: Subject must dominate object unless the subject
 # or the object is trusted.
 mlsconstrain dir { read getattr search }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/priv_app.te b/private/priv_app.te
index a95276982..0afd721ad 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -19,7 +19,7 @@ allow priv_app self:process ptrace;
 # Some apps ship with shared libraries that they write out
 # to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file execute;
+allow priv_app { app_data_file privapp_data_file }:file execute;
 allow priv_app app_api_service:service_manager find;
 allow priv_app audioserver_service:service_manager find;
diff --git a/private/storaged.te b/private/storaged.te
index 0916adf95..f5f073513 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -29,7 +29,7 @@ allow storaged shell:fifo_file write;
 # Needed for GMScore to call dumpsys storaged
 allow storaged priv_app:fd use;
-allow storaged app_data_file:file write;
+allow storaged { privapp_data_file app_data_file }:file write;
 allow storaged permission_service:service_manager find;
 # Binder permissions
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index d9d7dea6e..a5ebfb0e0 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -55,7 +55,7 @@ set_prop(surfaceflinger, ctl_bootanim_prop)
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
-allow surfaceflinger app_data_file:file { read write };
+allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
 # Allow writing surface traces to /data/misc/wmtrace.
 userdebug_or_eng(`
diff --git a/private/system_server.te b/private/system_server.te
index 01da37740..895024040 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -446,7 +446,16 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+allow system_server {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:dir { getattr read search };
+
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -459,7 +468,15 @@ allow system_server system_app_data_file:file create_file_perms;
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+allow system_server {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:file { getattr read write append };
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
@@ -821,7 +838,13 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # file descriptor.
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+neverallow system_server {
+ bluetooth_data_file
+ nfc_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:file { open create unlink link };
 # Forking and execing is inherently dangerous and racy. See, for
 # example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 07d9d4d19..65be583a7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 55b268a30..ea0141266 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -95,6 +95,7 @@ neverallow webview_zygote property_type:property_service set;
 # Should not have any access to app data files.
 neverallow webview_zygote {
 app_data_file
+ privapp_data_file
 system_app_data_file
 bluetooth_data_file
 nfc_data_file
diff --git a/public/app.te b/public/app.te
index 169e61995..64bb839c1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,8 +66,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 # App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:notdevfile_class_set create_file_perms;
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 608ba7987..75a3018be 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -33,7 +33,7 @@ allow dex2oat user_profile_data_file:file { getattr read lock };
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
 ##################
 # A/B OTA Dexopt #
@@ -63,4 +63,4 @@ allow dex2oat ota_data_file:file { create w_file_perms setattr };
 # Neverallow #
 ##############
-neverallow dex2oat app_data_file:notdevfile_class_set open;
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/domain.te b/public/domain.te
index 6c0a92a4a..f6ee4edf5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -777,6 +777,7 @@ full_treble_only(`
 unlabeled # used only by core domains
 core_data_file_type
 -app_data_file
+ -privapp_data_file
 -pdx_endpoint_socket_type # used by VR layer
 -pdx_channel_socket_type # used by VR layer
 }:sock_file ~{ append getattr ioctl read write };
@@ -1195,7 +1196,7 @@ neverallow {
 -appdomain
 -installd
 -uncrypt # TODO: see if we can remove
-} app_data_file:lnk_file read;
+} { app_data_file privapp_data_file }:lnk_file read;
 neverallow {
 domain
diff --git a/public/drmserver.te b/public/drmserver.te
index f752c13ee..1a675beba 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,7 +21,7 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
diff --git a/public/file.te b/public/file.te
index 2f14b5b12..79e36d418 100644
--- a/public/file.te
+++ b/public/file.te
@@ -283,6 +283,8 @@ type method_trace_data_file, file_type, data_file_type, core_data_file_type, mls
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type;
+# /data/data subdirectories - priv-app sandboxes
+type privapp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
diff --git a/public/init.te b/public/init.te
index 1a5a651f8..43e858c50 100644
--- a/public/init.te
+++ b/public/init.te
@@ -145,6 +145,7 @@ allow init {
 -exec_type
 -misc_logd_file
 -nativetest_data_file
+ -privapp_data_file
 -system_app_data_file
 -system_file
 -vendor_file_type
@@ -157,6 +158,7 @@ allow init {
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
+ -privapp_data_file
 -shell_data_file
 -system_app_data_file
 -system_file
@@ -171,6 +173,7 @@ allow init {
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
+ -privapp_data_file
 -runtime_event_log_tags_file
 -shell_data_file
 -system_app_data_file
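Review bot: The new `type privapp_data_file, file_type, data_file_type, core_data_file_type;` declaration in the public/file.te hunk carries only a one-line location comment, so a reader of the policy cannot tell from the file that nothing assigns this label yet or that it is meant to carry the same attributes as app_data_file (notably without mlstrustedobject, unlike system_app_data_file two lines below). A second comment line such as `# Not yet assigned by seapp_contexts; attributes intentionally kept in step with app_data_file` would carry that context out of the commit message and into the policy. The init.te hunks that follow add the type to init's exclusion lists next to the existing app-data entries, which looks consistent.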
@@ -186,6 +189,7 @@ allow init {
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
+ -privapp_data_file
 -shell_data_file
 -system_app_data_file
 -system_file
@@ -200,6 +204,7 @@ allow init {
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
+ -privapp_data_file
 -shell_data_file
 -system_app_data_file
 -system_file
@@ -211,7 +216,7 @@ allow init cache_file:lnk_file r_file_perms;
 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
-userdebug_or_eng(`auditallow init app_data_file:dir_file_class_set relabelto;')
+userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -508,7 +513,7 @@ neverallow init { file_type fs_type -init_exec }:file entrypoint;
 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
-neverallow init app_data_file:lnk_file read;
+neverallow init { app_data_file privapp_data_file }:lnk_file read;
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
diff --git a/public/installd.te b/public/installd.te
index 6aba962dd..8d7301bcd 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -103,6 +103,7 @@ allow installd {
 radio_data_file
 shell_data_file
 app_data_file
+ privapp_data_file
 }:dir { create_dir_perms relabelfrom relabelto };
 allow installd {
@@ -112,6 +113,7 @@ allow installd {
 radio_data_file
 shell_data_file
 app_data_file
+ privapp_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 # Similar for the files under /data/misc/profiles/
diff --git a/public/kernel.te b/public/kernel.te
index cf913ba68..af02c7e49 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -62,7 +62,7 @@ allow kernel mediaprovider:fd use;
 # * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
 # * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
 allow kernel vold:fd use;
-allow kernel app_data_file:file read;
+allow kernel { app_data_file privapp_data_file }:file read;
 allow kernel asec_image_file:file read;
 # Allow reading loop device in update_engine_unittests. (b/28319454)
diff --git a/public/logd.te b/public/logd.te
index 2ef257f38..b5112b0b4 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -58,7 +58,7 @@ neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
 neverallow logd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;
diff --git a/public/logpersist.te b/public/logpersist.te
index 7536cb84d..c7cab80c8 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -13,7 +13,7 @@ neverallow logpersist dev_type:blk_file { read write };
 neverallow logpersist domain:process ptrace;
 # Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
 # Only init should be allowed to enter the logpersist domain via exec()
 # Following is a list of debug domains we know that transition to logpersist
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index b0554626f..ec9c6345a 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -25,7 +25,7 @@ crash_dump_fallback(mediaextractor)
 # allow mediaextractor read permissions for file sources
 allow mediaextractor sdcardfs:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor app_data_file:file { getattr read };
+allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 # Read resources from open apk files passed over Binder
 allow mediaextractor apk_data_file:file { read getattr };
diff --git a/public/mediametrics.te b/public/mediametrics.te
index ada90cca3..1c8f5b80b 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -15,7 +15,7 @@ r_dir_file(mediametrics, cgroup)
 allow mediametrics proc_meminfo:file r_file_perms;
 # allows interactions with dumpsys to GMScore
-allow mediametrics app_data_file:file write;
+allow mediametrics { app_data_file privapp_data_file }:file write;
 # allow access to package manager for uid->apk mapping
 allow mediametrics package_native_service:service_manager find;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 9e00fbbf8..b9b08dd17 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -28,10 +28,10 @@ binder_service(mediaserver)
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 # TODO(b/80190017, b/80300620): remove direct access to private app data
-userdebug_or_eng(`auditallow mediaserver app_data_file:dir search;')
-allow mediaserver app_data_file:dir search;
-userdebug_or_eng(`auditallow mediaserver app_data_file:file open;')
-allow mediaserver app_data_file:file rw_file_perms;
+userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:dir search;')
+allow mediaserver { app_data_file privapp_data_file }:dir search;
+userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:file open;')
+allow mediaserver { app_data_file privapp_data_file }:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
diff --git a/public/netd.te b/public/netd.te
index 7657eaf9d..1315398c0 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -128,7 +128,7 @@ neverallow netd { domain }:process ptrace;
 neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
 # only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f067af5d4..70becb202 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -21,8 +21,8 @@ userdebug_or_eng(`
 allow perfprofd system_file:file rx_file_perms;
 # perfprofd reads a config file from /data/data/com.google.android.gms/files
- allow perfprofd app_data_file:file r_file_perms;
- allow perfprofd app_data_file:dir search;
+ allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
+ allow perfprofd { privapp_data_file app_data_file }:dir search;
 allow perfprofd self:global_capability_class_set { dac_override };
 # perfprofd opens a file for writing in /data/misc/perfprofd
diff --git a/public/profman.te b/public/profman.te
index 4296d1b17..3f0348658 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -19,11 +19,11 @@ allow profman installd:fd use;
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
-allow profman app_data_file:dir { getattr read search };
+allow profman { privapp_data_file app_data_file }:file { getattr read write lock };
+allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 ###
 ### neverallow rules
 ###
-neverallow profman app_data_file:notdevfile_class_set open;
+neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index 091d3001a..67f852a15 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -23,5 +23,5 @@ neverallow recovery_persist domain:process ptrace;
 neverallow recovery_persist system_file:dir_file_class_set write;
 # Write to files in /data/data
-neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index 602ed51d7..0c76afdc0 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -21,4 +21,4 @@ neverallow recovery_refresh domain:process ptrace;
 neverallow recovery_refresh system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 941303c4a..f55b3e818 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -216,7 +216,7 @@ neverallow { domain -init } vendor_init:process transition;
 neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
 # Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init app_data_file:lnk_file read;
+neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
 neverallow vendor_init shell_data_file:lnk_file read;
 # Init should not be creating subdirectories in /data/local/tmp
 neverallow vendor_init shell_data_file:dir { write add_name remove_name };
diff --git a/public/vold.te b/public/vold.te
index 1aa616b3a..5cf489c73 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -82,10 +82,10 @@ allow vold tmpfs:dir mounton;
 allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 # TODO(b/80418809): remove direct access to private app data
-userdebug_or_eng(`auditallow vold app_data_file:dir search;')
-allow vold app_data_file:dir search;
-userdebug_or_eng(`auditallow vold app_data_file:file rw_file_perms;')
-allow vold app_data_file:file rw_file_perms;
+userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
+allow vold { app_data_file privapp_data_file }:dir search;
+userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
+allow vold { app_data_file privapp_data_file }:file rw_file_perms;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-- GitLab