label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34

commit: d25ccabd24339938b6b3bb93cb3cb96b4aa55958 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Wed Feb 07 16:29:06 2018 -0800
committer: Jeffrey Vander Stoep <jeffv@google.com> Thu Feb 08 17:21:25 2018 +0000
tree: f60d688f2fbc6a91785e2d07496b1ed5b8442371
parent: 8c87c2ad6559956fce5860d771b74046cde54714 [diff] [blame]
diff --git a/private/traced.te b/private/traced.te
index bb7a091..531ecc2 100644
--- a/private/traced.te
+++ b/private/traced.te

@@ -27,8 +27,15 @@
 
 # Disallows access to /data files, still allowing to write to file descriptors
 # passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+  # subsequent neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
commit	d25ccabd24339938b6b3bb93cb3cb96b4aa55958	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Wed Feb 07 16:29:06 2018 -0800
committer	Jeffrey Vander Stoep <jeffv@google.com>	Thu Feb 08 17:21:25 2018 +0000
tree	f60d688f2fbc6a91785e2d07496b1ed5b8442371
parent	8c87c2ad6559956fce5860d771b74046cde54714 [diff] [blame]