Remove init's write access to /data/user and /data/media
As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file. This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.
Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
diff --git a/private/system_server.te b/private/system_server.te
index 287503c..e77ba5d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -487,7 +487,7 @@
allow system_server keychain_data_file:lnk_file create_file_perms;
# Read the user parent directories like /data/user. Don't allow write access,
-# as vold and init are responsible for creating and deleting the subdirectories.
+# as vold is responsible for creating and deleting the subdirectories.
allow system_server system_userdir_file:dir r_dir_perms;
# Manage /data/app.
diff --git a/private/vold.te b/private/vold.te
index 22553ea..40c1a57 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -82,27 +82,13 @@
# /data/user/$userId. This is very important, as these directories need to be
# encrypted with per-user keys, which only vold can do. Encryption can only be
# set up on empty directories, so creation and encryption must happen together.
-#
-# Exception: init creates /data/user/0 and /data/media/obb, so that needs to be
-# allowed for now. (/data/media/obb isn't actually a per-user directory, but
-# it's located in /data/media so it constrains the sepolicy for that directory.)
neverallow {
domain
-vold
} {
- vendor_userdir_file
-}:dir {
- add_name
- remove_name
- write
-};
-neverallow {
- domain
- -vold
- -init
-} {
- system_userdir_file
media_userdir_file
+ system_userdir_file
+ vendor_userdir_file
}:dir {
add_name
remove_name
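Review bot: Removing the exception comment at L27-30 also removes the only explanation of why media_userdir_file belongs in this rule at all: the surviving comment (L24-26) talks only about /data/user/$userId needing per-user encryption keys, while /data/media/obb is, per the deleted text, not a per-user directory and is covered only because it lives under /data/media. The merged neverallow itself looks right, but a reader will now wonder why the media type is listed. Suggest keeping one line above the rule: `# /data/media/obb isn't a per-user directory, but it lives in /data/media, so it falls under media_userdir_file and is created by vold too.` The rule's remaining permission list and closing `};` lie outside this hunk.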
diff --git a/public/init.te b/public/init.te
index d7b89f1..8a07817 100644
--- a/public/init.te
+++ b/public/init.te
@@ -212,10 +212,11 @@
allow init {
file_type
-app_data_file
+ -credstore_data_file
-exec_type
-iorapd_data_file
- -credstore_data_file
-keystore_data_file
+ -media_userdir_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
@@ -223,6 +224,7 @@
-system_app_data_file
-system_dlkm_file_type
-system_file_type
+ -system_userdir_file
-vendor_file_type
-vendor_userdir_file
-vold_data_file
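Review bot: The new `-system_userdir_file` exclusion here (and `-media_userdir_file` in the previous hunk) removes the parent directories /data/user and /data/media themselves from this allow rule, not just their subdirectories, and the rule's permission set ends outside the hunk; if that set is what grants init setattr on these types, any init.rc line that still sets mode or owner on /data/media or /data/user (e.g. a `mkdir /data/media 0770 media_rw media_rw` that re-applies attributes on an existing directory) would now be denied rather than just the subdirectory creation the description says was moved to vold. This cannot be confirmed from the diff alone, so it is worth checking the referenced init.rc change covers ownership/mode handling of the parent directories as well, and that no vendor init.*.rc creates entries under them, since the vold.te neverallow now rejects any such allow at policy build time. A one-line comment on the two new exclusions would also help, e.g. `# Per-user dirs under /data/user and /data/media are created by vold, which encrypts them.` The `allow init { ... }` block this hunk edits closes past the end of the hunk.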