Root of /data belongs to init (re-landing) Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf

commit: aed0f76ee915de983fb22d49e6294b4df3343ac7 [log] [tgz]
author: Paul Crowley <paulcrowley@google.com> Thu Aug 01 15:57:47 2019 -0700
committer: Paul Crowley <paulcrowley@google.com> Mon Sep 09 14:42:01 2019 -0700
tree: 8a1a22b305f1bc5d588bdd489a358fcffc0da4ac
parent: 6e85cd91d0832ca6d5eb582233646d6e08c1e13d [diff] [blame]
diff --git a/private/traced.te b/private/traced.te
index 2d7d07f..42c6704 100644
--- a/private/traced.te
+++ b/private/traced.te

@@ -62,6 +62,7 @@
 neverallow traced {
   data_file_type
   -system_data_file
+  -system_data_root_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
commit	aed0f76ee915de983fb22d49e6294b4df3343ac7	[log] [tgz]
author	Paul Crowley <paulcrowley@google.com>	Thu Aug 01 15:57:47 2019 -0700
committer	Paul Crowley <paulcrowley@google.com>	Mon Sep 09 14:42:01 2019 -0700
tree	8a1a22b305f1bc5d588bdd489a358fcffc0da4ac
parent	6e85cd91d0832ca6d5eb582233646d6e08c1e13d [diff] [blame]