Test that /data is properly labeled

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a

public/attributes

@@ -32,6 +32,7 @@ attribute data_file_type;
 expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
+expandattribute core_data_file_type false;
 # All types in /vendor
 attribute vendor_file_type;
 
@@ -130,6 +131,7 @@ attribute coredomain;
 
 # All socket devices owned by core domain components
 attribute coredomain_socket;
+expandattribute coredomain_socket false;
 
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations

public/domain.te

@@ -669,7 +669,6 @@ full_treble_only(`
 
 # On full TREBLE devices, socket communications between core components and vendor components are
 # not permitted.
-full_treble_only(`
   # Most general rules first, more specific rules below.
 
   # Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -677,6 +676,7 @@ full_treble_only(`
   # to obtain an already established socket via some public/official/stable API and then exchange
   # data with its peer over that socket. The wire format in this scenario is dicatated by the API
   # and thus does not break the core-vendor separation.
+full_treble_only(`
   neverallow_establish_socket_comms({
     coredomain
     -init
@@ -686,7 +686,9 @@ full_treble_only(`
     -coredomain
     -socket_between_core_and_vendor_violators
   });
+')
   # Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
@@ -702,26 +704,33 @@ full_treble_only(`
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
+')
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
     -netdomain
     -socket_between_core_and_vendor_violators
   }, netd);
+')
 
   # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
   neverallow {
     domain
     -coredomain
     -appdomain # appdomain restrictions below
+    -data_between_core_and_vendor_violators # b/70393317
     -socket_between_core_and_vendor_violators
   } {
     coredomain_socket
     core_data_file_type
     unlabeled # used only by core domains
   }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
   neverallow {
     appdomain
     -coredomain
@@ -733,8 +742,10 @@ full_treble_only(`
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
+')
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
   neverallow {
     coredomain
     -init

public/file.te

@@ -315,7 +315,7 @@ type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -324,7 +324,7 @@ type traced_producer_socket, file_type, coredomain_socket;
 type traced_consumer_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;

tests/sepolicy_tests.py

@@ -23,6 +23,10 @@ def TestDebugfsTypeViolations(pol):
 def TestVendorTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
 
+def TestCoreDataTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+            "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
@@ -40,7 +44,9 @@ class MultipleOption(Option):
         else:
             Option.take_action(self, action, dest, opt, value, values, parser)
 
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+        "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+        "TestCoreDataTypeViolations"]
 
 if __name__ == '__main__':
     usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@ if __name__ == '__main__':
         results += TestDebugfsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test:
         results += TestVendorTypeViolations(pol)
+    if options.test is None or "TestCoreDataTypeViolations" in options.test:
+        results += TestCoreDataTypeViolations(pol)
 
     if len(results) > 0:
         sys.exit(results)