Further protect app private data files
Remove the special case that allowed init to relabel app_data_file and
privapp_data_file. The auditallow added in
ab82125fc84b2bb154b1b68a11db543a5352d533 has never triggered.
Bug: 80190017
Test: policy compiles
Test: no SELinux denials collected for the auditallow rule
Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
diff --git a/private/domain.te b/private/domain.te
index c03da55..850635b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -48,7 +48,6 @@
-adbd
-appdomain
-dexoptanalyzer
- -init
-installd
userdebug_or_eng(`-perfprofd')
-profman
@@ -56,12 +55,11 @@
-system_server
} { privapp_data_file app_data_file }:dir *;
-# Only apps should be modifying app data. init and installd are exempted for
+# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
- -init
-installd
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
@@ -80,7 +78,6 @@
neverallow {
domain
- -init
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
diff --git a/public/init.te b/public/init.te
index c06e538..770922a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -223,9 +223,15 @@
allow init cache_file:lnk_file r_file_perms;
-allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-# does init really need to relabel app data?
-userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
+allow init {
+ file_type
+ -system_file_type
+ -vendor_file_type
+ -exec_type
+ -app_data_file
+ -privapp_data_file
+}:dir_file_class_set relabelto;
+
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
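Review bot: The rewritten `allow init { ... }:dir_file_class_set relabelto;` block drops the old question comment and has no comment of its own, so nothing at the rule explains why `-app_data_file` and `-privapp_data_file` are subtracted. I would add a line directly above it, for example `# init must not relabel app private data; see the relabelfrom/relabelto neverallow in private/domain.te.` The neverallow is a build-time assertion, while the subtraction here is what actually removes the permission, so tying the two together helps the next editor understand a neverallow failure if the set is widened again. The removed auditallow was wrapped in `userdebug_or_eng`, so the "never triggered" evidence presumably comes from those build types only.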