Root of /data belongs to init
Give /data itself a different label from its contents, to ensure that
only init creates files and directories there.
Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 86f8a8d..2079248 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1780,7 +1780,7 @@
(typeattributeset system_block_device_29_0 (system_block_device))
(typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
(typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
-(typeattributeset system_data_file_29_0 (system_data_file))
+(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
(typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
(typeattributeset system_file_29_0 (system_file))
(typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))
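Review bot: The added mapping folds system_data_root_file into system_data_file_29_0, so a 29.0 vendor domain that was granted write/add_name on system_data_file directories keeps that access on /data itself after this change. That is presumably intentional (older vendor policy must keep working), but it means the "only init creates files and directories there" goal from the commit message holds only for domains built against current policy, which the message does not say. A sentence in the commit message, or a short comment on the mapping line, would record that the new type is deliberately invisible to 29.0 vendor policy and can be split out of the mapping once vendor policy no longer relies on it.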
diff --git a/private/file_contexts b/private/file_contexts
index 8b25cfd..8849885 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -434,7 +434,8 @@
# NOTE: When modifying existing label rules, changes may also need to
# propagate to the "Expanded data files" section.
#
-/data(/.*)? u:object_r:system_data_file:s0
+/data u:object_r:system_data_root_file:s0
+/data/(.*)? u:object_r:system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
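Review bot: The new `/data/(.*)?` entry is the same regex as `/data/.*`, since `.*` already matches the empty string; the optional group is noise next to the file's usual `(/.*)?` form and is worth simplifying to `/data/.* u:object_r:system_data_file:s0`. The split itself reads correctly: the bare `/data` entry matches only the directory itself, and the anchored `/data/...` entry cannot match it, so the root gets the new type and everything below keeps system_data_file unless a more specific entry applies. The note two lines above the change says label changes here may need to propagate to the "Expanded data files" section, which is not in this diff; whether the roots of expanded volumes intentionally keep their current label should be confirmed and, ideally, stated in a comment on the new `/data` line.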
diff --git a/private/perfetto.te b/private/perfetto.te
index 419c4b9..e95defa 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -69,6 +69,7 @@
neverallow perfetto {
data_file_type
-system_data_file
+ -system_data_root_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
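Review bot: Adding `-system_data_root_file` to the exclusion list keeps the neverallow from covering /data itself, but this hunk, and the matching ones in traced.te and traced_probes.te, only adjust the neverallow; the allow rule that lets these domains `search` the relabeled /data directory is not in this diff. Before the relabel, traversal of /data rode on whatever access these domains had to system_data_file, which no longer applies to the root directory. If the grant lives elsewhere in the commit (for example a domain-wide search/getattr rule on the new type), a comment beside the exclusion such as `# /data itself is now system_data_root_file; traversal is granted separately` would make the exemption self-explanatory; if it does not, these domains lose path lookup under /data. The neverallow block continues outside the hunk.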
diff --git a/private/traced.te b/private/traced.te
index 2d7d07f..42c6704 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -62,6 +62,7 @@
neverallow traced {
data_file_type
-system_data_file
+ -system_data_root_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 8746c34..97a7e6e 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -101,6 +101,7 @@
-apk_data_file
-dalvikcache_data_file
-system_data_file
+ -system_data_root_file
-system_app_data_file
-backup_data_file
-bootstat_data_file
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 50efc22..6a68f1f 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -2,3 +2,6 @@
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit vendor_init sysfs:dir write;
+
+# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
+allow vendor_init system_data_root_file:dir rw_dir_perms;
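Review bot: `rw_dir_perms` on the new allow line includes write, add_name and remove_name, so vendor_init can still create and delete entries directly in /data, which is exactly the capability the commit sets out to reserve for init. The TODO tracks eventual removal, but an interim grant limited to what vendor init scripts actually need (likely `r_dir_perms` plus only the specific write permissions seen in denials) would keep the new type's invariant closer to true in the meantime; what those scripts do is not visible here, so the exact set has to come from the denial logs. The comment would also help a future reader more if it said why the access is needed rather than only citing the bug, e.g. `# TODO(b/140259336): vendor init scripts still write directly under /data; drop this once they are fixed`.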