Disallow vendor_init from accessing core_data_file_type

Now that the vendor_init mechanism is in place, this SELinux restriction will disallow vendor init scripts from touching core data files as intended with Treble. Bug: 62875318 Test: None Change-Id: Ifa50486c48551ba095d2ed8cc6570fc5040c172d

Disallow vendor_init from accessing core_data_file_type
Now that the vendor_init mechanism is in place, this SELinux restriction will disallow vendor init scripts from touching core data files as intended with Treble. Bug: 62875318 Test: None Change-Id: Ifa50486c48551ba095d2ed8cc6570fc5040c172d
564d5e39 · Tom Cherry · cf391269 · 564d5e39
Commit 564d5e39 authored 7 years ago by Tom Cherry
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@ allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 allow vendor_init {
  file_type
-  -app_data_file
+  -core_data_file_type
-  -bluetooth_data_file
-  -dalvikcache_data_file
  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
  -system_file
-  -system_ndebug_socket
  -unlabeled
  -vendor_file_type
-  -vold_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-  -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
 allow vendor_init {
  file_type
-  -app_data_file
+  -core_data_file_type
-  -bluetooth_data_file
-  -dalvikcache_data_file
  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file
-  -system_ndebug_socket
-  -unlabeled
-  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-allow vendor_init {
-  file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
  -runtime_event_log_tags_file
-  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
  -system_file
-  -system_ndebug_socket
  -unlabeled
  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 allow vendor_init {
  file_type
-  -app_data_file
+  -core_data_file_type
-  -bluetooth_data_file
-  -dalvikcache_data_file
  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
  -system_file
-  -system_ndebug_socket
  -unlabeled
  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow vendor_init {
  file_type
-  -app_data_file
+  -core_data_file_type
-  -bluetooth_data_file
-  -dalvikcache_data_file
  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
  -system_file
-  -system_ndebug_socket
  -unlabeled
  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 allow vendor_init {
  file_type
+  -core_data_file_type
+  -exec_type
  -system_file
  -vendor_file_type
-  -exec_type
-  -vold_data_file
-  -keystore_data_file
 }:dir_file_class_set relabelto;
 allow vendor_init dev_type:dir create_dir_perms;