From 4df57822fce7e87b41edbe410a2554c6c39fc286 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 3 Aug 2018 09:01:42 -0700
Subject: [PATCH] Change priv-apps /home/home labels to privapp_data_file

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.

This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46352bd91cdc58f33d55378e5567dc1c, there should be no
noticeable effect from this change.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Merged-In: I9a476726bf01f4bcc7952d11fd57dba803a9fd8d
Change-Id: I23a26cd3906fc43cbd225c05c3a2abd3cab8bd06
---
 private/seapp_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8db46f065..6727c38f7 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -112,6 +112,6 @@ user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
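Review bot: only the `isPrivApp=true domain=priv_app` entry moves to `privapp_data_file`; the `seinfo=platform` and `seinfo=media name=android.process.media` entries in the context lines above still assign `app_data_file`, and nothing in the hunk or the commit message says whether that split is intended. If a privileged app can match one of those entries instead, its data directory keeps the old label and remains covered by whatever rules are written for `app_data_file`. Please add a comment above the changed line, or a sentence in the commit message, stating which entries deliberately stay on `app_data_file`. The Test lines report boot and upgrade results only, so it would also help to note whether the labels on existing priv-app directories were checked after the upgrade (for example with `ls -Z`) and whether any denials were logged.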
-- 
GitLab