Remove init's write access to /data/user and /data/media

As a follow-up to https://r.android.com/2078213, remove init's write
access to directories with type system_userdir_file or
media_userdir_file.  This has been made possible by moving the creation
of /data/user/0 and /data/media/obb to vold.

Bug: 156305599
Change-Id: Ib9f43f2b111518833efe08e8cacd727c75b80266
diff --git a/private/vold.te b/private/vold.te
index 22553ea..40c1a57 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -82,27 +82,13 @@
 # /data/user/$userId.  This is very important, as these directories need to be
 # encrypted with per-user keys, which only vold can do.  Encryption can only be
 # set up on empty directories, so creation and encryption must happen together.
-#
-# Exception: init creates /data/user/0 and /data/media/obb, so that needs to be
-# allowed for now.  (/data/media/obb isn't actually a per-user directory, but
-# it's located in /data/media so it constrains the sepolicy for that directory.)
 neverallow {
     domain
     -vold
 } {
-    vendor_userdir_file
-}:dir {
-    add_name
-    remove_name
-    write
-};
-neverallow {
-    domain
-    -vold
-    -init
-} {
-    system_userdir_file
     media_userdir_file
+    system_userdir_file
+    vendor_userdir_file
 }:dir {
     add_name
     remove_name
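
Review bot: In the merged neverallow, dropping `-init` from the source set only asserts the restriction at build time. It does not remove any allow rule that currently grants init add_name, remove_name or write on system_userdir_file or media_userdir_file directories. Nothing in this vold.te hunk shows that grant being deleted, so please confirm the corresponding allow in init's policy is removed in the same change, otherwise the policy build will fail on this assertion. The commit message could also link the vold change that moved creation of /data/user/0 and /data/media/obb, since the ordering of the two changes matters for boot. Folding vendor_userdir_file into the same rule and sorting the three types alphabetically reads fine.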