Further protect app private data files

Remove the special case that allowed init to relabel app_data_file and
privapp_data_file. The auditallow added in
ab82125fc8 has never triggered.

Bug: 80190017
Test: policy compiles
Test: no SELinux denials collected for the auditallow rule
Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d

private/domain.te

@@ -48,7 +48,6 @@ neverallow {
   -adbd
   -appdomain
   -dexoptanalyzer
-  -init
   -installd
   userdebug_or_eng(`-perfprofd')
   -profman
@@ -56,12 +55,11 @@ neverallow {
   -system_server
 } { privapp_data_file app_data_file }:dir *;
 
-# Only apps should be modifying app data. init and installd are exempted for
+# Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
   domain
   -appdomain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
@@ -80,7 +78,6 @@ neverallow {
 
 neverallow {
   domain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 

public/init.te

@@ -223,9 +223,15 @@ allow init {
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init {
-# does init really need to relabel app data?
+  file_type
-userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+  -app_data_file
+  -privapp_data_file
+}:dir_file_class_set relabelto;
+
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;