From 598a75c11de60a4fe8b1cf652c67f40ae8a85577 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Fri, 16 Nov 2018 00:59:23 -0800 Subject: [PATCH] Further protect app private data files Remove the special case that allowed init to relabel app_data_file and privapp_data_file. The auditallow added in ab82125fc84b2bb154b1b68a11db543a5352d533 has never triggered. Bug: 80190017 Test: policy compiles Test: no SELinux denials collected for the auditallow rule Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d --- private/domain.te | 5 +---- public/init.te | 12 +++++++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/private/domain.te b/private/domain.te index c03da55ee..850635b64 100644 --- a/private/domain.te +++ b/private/domain.te @@ -48,7 +48,6 @@ neverallow { -adbd -appdomain -dexoptanalyzer - -init -installd userdebug_or_eng(`-perfprofd') -profman @@ -56,12 +55,11 @@ neverallow { -system_server } { privapp_data_file app_data_file }:dir *; -# Only apps should be modifying app data. init and installd are exempted for +# Only apps should be modifying app data. installd is exempted for # restorecon and package install/uninstall. neverallow { domain -appdomain - -init -installd } { privapp_data_file app_data_file }:dir ~r_dir_perms; @@ -80,7 +78,6 @@ neverallow { neverallow { domain - -init -installd } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto }; diff --git a/public/init.te b/public/init.te index c06e53853..770922a1b 100644 --- a/public/init.te +++ b/public/init.te 
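Review bot: In the `@@ -56,12 +55,11 @@` hunk of private/domain.te, the rewritten comment explains why installd is exempted but no longer records that init is left out on purpose, and the `{ relabelfrom relabelto }` neverallow in the next hunk shows no comment of its own. The `:dir *` and `:dir ~r_dir_perms` neverallows also lose `-init`, so the restriction is wider than relabeling: init can no longer be granted any directory permission on `app_data_file` or `privapp_data_file`. I would extend the comment to say so, for example `# init is deliberately not exempted: it must not access, modify or relabel app data.` Neverallow rules are checked when the policy is built, so device policy that still grants init access to these types will presumably stop compiling. The first neverallow block begins above its hunk, so any comment it already carries is not visible here.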
@@ -223,9 +223,15 @@ allow init { allow init cache_file:lnk_file r_file_perms; -allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto; -# does init really need to relabel app data? -userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;') +allow init { + file_type + -system_file_type + -vendor_file_type + -exec_type + -app_data_file + -privapp_data_file +}:dir_file_class_set relabelto; + allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr }; allow init dev_type:dir create_dir_perms;
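Review bot: The new `allow init { ... -app_data_file -privapp_data_file }:dir_file_class_set relabelto;` rule drops the old question comment without leaving a reason for the two exclusions. A short comment above it would help, e.g. `# init must not relabel app private data; enforced by the neverallow in private/domain.te.` The removed `auditallow` was wrapped in `userdebug_or_eng`, so its silence is evidence from those build types only. If an init-driven restorecon ever reaches mislabeled app data, it will now be denied instead of corrected, presumably leaving the repair to installd. It may be worth confirming that path on an upgrade from a build that has stale labels.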