From 5d1755194a841ab727467a30757fd1606cef905b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 12 Sep 2018 12:30:32 -0700
Subject: [PATCH] Change priv-apps /data/data labels to privapp_data_file

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

Commit 23c9d91b46352bd91cdc58f33d55378e5567dc1c introduced a new type
called privapp_data_file and added rules necessary to preserve
compatibility. However, that change did not relabel any existing files,
so effectively the change was a no-op.

This change performs the switch, relabeling priv-app's /data/data files
from app_data_file to privapp_data_file. Due to the compatibility rules
added in 23c9d91b46352bd91cdc58f33d55378e5567dc1c, there should be no
noticeable effect from this change.

This change was originally submitted as
4df57822fce7e87b41edbe410a2554c6c39fc286. However, it was reverted in
cdc6649acc43d3a38753e22790f372290c1189c1 due to a different labeling
bug. That bug has been fixed, and we can reapply this change.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.
Bug: 112357170
---
 private/seapp_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/seapp_contexts b/private/seapp_contexts
index c21d49f2a..418150e71 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -112,7 +112,7 @@ user=_isolated domain=isolated_app levelFrom=all
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
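Review bot: On the changed "isPrivApp=true" line, only the priv_app domain moves to privapp_data_file, while the mediaprovider, platform_app and ephemeral_app entries in the same hunk keep type=app_data_file; the commit message or a comment above the line should say whether those domains are intentionally left on the shared label. The Test lines report that a fresh install and an upgrade showed no problems, but they do not say that existing priv-app directories were confirmed to carry the new label after the upgrade, which is the gap the message says made the earlier commit a no-op; a check of the on-disk label of a priv-app's /data/data directory after upgrade would cover it. The message also states that the labeling bug behind the revert has been fixed without naming the fixing commit; referencing it would let a reader confirm that reapplying is safe.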
-- 
GitLab