From 564d5e393cb8eacb4cf41cb732918139645a2216 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Mon, 22 Jan 2018 14:18:31 -0800
Subject: [PATCH] Disallow vendor_init from accessing core_data_file_type

Now that the vendor_init mechanism is in place, this SELinux
restriction will disallow vendor init scripts from touching core data
files as intended with Treble.

Bug: 62875318
Test: None
Change-Id: Ifa50486c48551ba095d2ed8cc6570fc5040c172d
---
 public/vendor_init.te | 94 ++++---------------------------------------
 1 file changed, 7 insertions(+), 87 deletions(-)

diff --git a/public/vendor_init.te b/public/vendor_init.te
index b1efe1d7f..c56b45cc6 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@ allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file
-  -system_ndebug_socket
-  -unlabeled
-  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
-  file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
   -runtime_event_log_tags_file
-  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
+  -core_data_file_type
+  -exec_type
   -system_file
   -vendor_file_type
-  -exec_type
-  -vold_data_file
-  -keystore_data_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
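Review bot: Every `allow` block in this hunk now relies on `-core_data_file_type` alone to keep vendor_init away from the types that used to be subtracted by name (`keystore_data_file`, `vold_data_file`, `system_ndebug_socket`, `misc_logd_file` and the rest), and nothing visible here checks that each of those types carries that attribute. A type that lacks it, or a later core type declared without it, would fall back inside `file_type` and become creatable, writable and relabelable by vendor init scripts. With `Test: None` in the commit message, that equivalence appears to be unverified. The final `relabelto` block used to exclude `keystore_data_file` and `vold_data_file` explicitly, so I would pin at least that with a compile-time assertion such as `neverallow vendor_init { keystore_data_file vold_data_file }:dir_file_class_set relabelto;`, assuming no rule outside this hunk grants it. I would also add a comment above the first block: `# core_data_file_type replaces the former per-type exclusion list; every core /data type must carry this attribute.`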
-- 
GitLab