label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.
Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
No new denials.
Change-Id: I65f904bb28952d4776aab947515947e14befbe34
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9dd2ee7..fb4a9e6 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -634,7 +634,9 @@
(typeattributeset system_app_data_file_26_0 (system_app_data_file))
(typeattributeset system_app_service_26_0 (system_app_service))
(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 06f4c91..2272903 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1351,7 +1351,9 @@
(typeattributeset system_app_data_file_27_0 (system_app_data_file))
(typeattributeset system_app_service_27_0 (system_app_service))
(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0 (system_data_file))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_27_0 (system_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
diff --git a/private/file_contexts b/private/file_contexts
index 25d0d9d..321cfbe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -425,6 +425,9 @@
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
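Review bot: The three new vendor_data_file entries are the only labelled block in this part of the file without a grouping comment, unlike the `# storaged proto files` line that follows them; a one-line header such as `# vendor-writable /data directories (vendor_init, vold_prepare_subdirs)` would tell the next reader why this type exists separately from system_data_file. The commit message carries that rationale, but file_contexts itself does not.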
diff --git a/private/perfetto.te b/private/perfetto.te
index 389fdf4..9ac5d87 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -53,7 +53,15 @@
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
-neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
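Review bot: The comment on the new `-vendor_data_file` exemption says the type is "further restricted in a subsequent neverallow" to getattr and search, but the only such rule in this hunk, `neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`, is unchanged and still names only system_data_file, so nothing visible here caps perfetto's access to vendor_data_file directories once it is dropped from the `:dir *` rule. Unless a rule later in the file does this, the line should become `neverallow perfetto { system_data_file vendor_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`. The same gap is present in traced.te, where the rewritten `neverallow traced { system_data_file }:dir ~{ getattr search };` gained braces but not vendor_data_file, and in traced_probes.te, whose getattr/search rule is an untouched context line.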
diff --git a/private/traced.te b/private/traced.te
index bb7a091..531ecc2 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -27,8 +27,15 @@
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 15c51d4..26e0051 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -44,7 +44,14 @@
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
neverallow traced system_data_file:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
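Review bot: The rebuilt neverallow at the top of this hunk names `traced` as the source domain even though the file is traced_probes.te, and the ptrace rule just above it uses `traced_probes`; if that is not deliberate, the new rule and its vendor_data_file exemption constrain traced rather than traced_probes, and traced_probes is left without this restriction at all. The removed line had the same domain, so this is pre-existing, but the commit rewrites the rule and is the natural place to correct it to `neverallow traced_probes {`. The two context lines after it that also say `traced` would need the same treatment, outside this hunk's changes.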
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510e..af1f442 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
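Review bot: The widened allow grants vold_prepare_subdirs open/read/write/add_name/remove_name on every vendor_data_file directory, but nothing in the hunk records why; since file_contexts in this change labels /data/vendor, /data/vendor_ce and /data/vendor_de with that type, presumably the need is creating per-user subdirectories under the _ce/_de roots, which a comment above the rule such as `# vendor_data_file: /data/vendor{,_ce,_de}, per-user subdirs created here` would capture. Note that the rule is type-wide, so it also covers any vendor-created subtree under /data/vendor, not only the three roots; if only the roots are meant, that is worth stating in the comment.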