From 4a057c9459c50244580a0dd39cd9e444c85619c7 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 8 Jun 2017 10:34:58 -0700
Subject: [PATCH] Files on /data must have the data_file_type attr

This will be enforced by build-time and CTS tests.

Test: build policy
Change-Id: Ie852fa59670969a2352a97be357d37e420fb180e
---
 public/attributes  |  1 +
 public/file.te     | 18 +++++++++---------
 public/recovery.te | 12 ++++++++++--
 vendor/file.te     |  2 +-
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/public/attributes b/public/attributes
index 2b28cf020..268f1386b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -29,6 +29,7 @@ attribute exec_type;
 
 # All types used for /data files.
 attribute data_file_type;
+expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 # All types in /vendor
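Review bot: The comment `# All types used for /data files.` on the line above the new `expandattribute` no longer describes the attribute's membership, since the same commit adds `cache_file`, `cache_backup_file`, `cache_private_backup_file` and `cache_recovery_file` (paths under /cache, not /data) to `data_file_type` in public/file.te. A maintainer reading only this file would not know that /cache types are expected to carry the attribute too, and the new `expandattribute data_file_type false;` line is left unexplained. I would change the comment to `# All types used for files on /data (and /cache, which is treated the same for these checks).` and add above the expandattribute line `# Keep the attribute in the compiled policy so neverallow and CTS checks can reference it.` The exact reason for disabling expansion is inferred from the commit message, so confirm the wording against the actual test.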
diff --git a/public/file.te b/public/file.te
index bf8223a5e..56533189c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -218,13 +218,13 @@ type app_data_file, file_type, data_file_type, core_data_file_type;
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
+type cache_file, file_type, data_file_type, mlstrustedobject;
 # Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
+type cache_backup_file, file_type, data_file_type, mlstrustedobject;
 # type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
+type cache_private_backup_file, file_type, data_file_type;
 # Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
+type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
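Review bot: Tagging the four /cache types with `data_file_type` pulls them into every rule keyed on that attribute, not only the recovery neverallows that this commit carves them out of in public/recovery.te; any other `neverallow ... data_file_type` in policy outside this diff that conflicts with an existing `allow` on `cache_file` or its siblings would now fail the build rather than pass silently. The recovery.te hunk shows exactly this kind of collision had to be patched, so it is worth confirming the other attribute-wide neverallows (app, untrusted, vendor domains) were grepped for the same effect. Also note `cache_private_backup_file` is the only one of the four that is not `mlstrustedobject`; that is pre-existing, but the asymmetry is now more visible and a one-line comment explaining it (e.g. `# not mlstrustedobject: only system/backup domains touch it`) would help if that is the intended reason — I am inferring that, so verify before writing it.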
@@ -252,7 +252,7 @@ type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 
 # Socket types
 type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, coredomain_socket;
 type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
 type dumpstate_socket, file_type, coredomain_socket;
 type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
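Review bot: Only `bluetooth_socket` gains `data_file_type` here while `adbd_socket`, `dnsproxyd_socket`, `dumpstate_socket` and `fwmarkd_socket` do not, and nothing in the hunk states the criterion; presumably the bluetooth socket node is labeled under /data in file_contexts while the others live under /dev/socket, but that file is not in this diff. Since the commit message says the attribute will be enforced by build-time and CTS tests, the rule for socket types should be written down where the next socket is declared, e.g. replace `# Socket types` with `# Socket types. Sockets whose node is created under /data must also carry data_file_type; /dev/socket types must not.` Confirm the split against file_contexts before committing to that wording.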
@@ -262,22 +262,22 @@ type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
 type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type;
+type misc_logd_file, coredomain_socket, file_type, data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type;
+type wpa_socket, file_type, data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
diff --git a/public/recovery.te b/public/recovery.te
index 99d792cbe..f70524191 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -145,5 +145,13 @@ recovery_only(`
 # domains, including recovery.
 #
 # TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:dir no_w_dir_perms;
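Review bot: The `cache_file` and `cache_recovery_file` exemptions on the `:file` neverallow drop both `no_w_file_perms` and `no_x_file_perms`, so the rewritten rule no longer forbids recovery from executing files under /cache, even though the exemption was presumably only needed for writing (staging OTA packages and logs); because these types were not `data_file_type` before this commit, there is no regression, but the opportunity to keep the execute ban is lost. If recovery's allow rules outside this hunk do not grant execute on /cache, split the rule so the carve-out covers write only: `neverallow recovery { data_file_type -cache_file -cache_recovery_file }:file no_w_file_perms;` followed by `neverallow recovery data_file_type:file no_x_file_perms;`. Exempting the whole `cache_file` default type rather than a narrower recovery-specific type also keeps the `TODO: tighten this up further` above accurate, so leave that comment in place. Whether these neverallows still sit inside the `recovery_only(` block named in the hunk header cannot be seen from here.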
diff --git a/vendor/file.te b/vendor/file.te
index aeafb4aa6..3350b1e0b 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
 # Socket types
-type hostapd_socket, file_type;
+type hostapd_socket, file_type, data_file_type;
-- 
GitLab