Merge "Further protect app private data files"

6567cc26 · Treehugger Robot · Gerrit Code Review · a194d375 · 598a75c1 · 6567cc26
Commit 6567cc26 authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/domain.te
+++ b/private/domain.te
@@ -48,7 +48,6 @@ neverallow {
  -adbd
  -appdomain
  -dexoptanalyzer
-  -init
  -installd
  userdebug_or_eng(`-perfprofd')
  -profman
@@ -56,12 +55,11 @@ neverallow {
  -system_server
 } { privapp_data_file app_data_file }:dir *;
-# Only apps should be modifying app data. init and installd are exempted for
+# Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
  domain
  -appdomain
-  -init
  -installd
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
@@ -80,7 +78,6 @@ neverallow {
 neverallow {
  domain
-  -init
  -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };

--- a/public/init.te
+++ b/public/init.te
@@ -223,9 +223,15 @@ allow init {
 allow init cache_file:lnk_file r_file_perms;
-allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init {
-# does init really need to relabel app data?
+  file_type
-userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+  -app_data_file
+  -privapp_data_file
+}:dir_file_class_set relabelto;
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;