Annotate processes that violate shared data ban

Vendor processes should not directly access data owned by core
processes.

Bug: 34980020
Test: build
Change-Id: If05f1870e98da3146ccb87dc89dd34389f1e80cd
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
index 08f6d2a..ea91603 100644
--- a/sepolicy/hal_dumpstate_impl.te
+++ b/sepolicy/hal_dumpstate_impl.te
@@ -7,18 +7,19 @@
 # Execute dump scripts
 allow hal_dumpstate_impl vendor_shell_exec:file rx_file_perms;
 allow hal_dumpstate_impl vendor_toolbox_exec:file rx_file_perms;
-# system file execution
-#allow hal_dumpstate_impl system_data_file:dir r_dir_perms;
 
 # smlog_dump
 allow hal_dumpstate_impl smlog_dump_exec:file rx_file_perms;
 userdebug_or_eng(`
 allow hal_dumpstate_impl smlog_dump_file:dir create_dir_perms;
 allow hal_dumpstate_impl smlog_dump_file:file create_file_perms;
-allow hal_dumpstate_impl radio_data_file:dir r_dir_perms;
 allow hal_dumpstate_impl netmgr_data_file:dir r_dir_perms;
-allow hal_dumpstate_impl radio_data_file:file r_file_perms;
 allow hal_dumpstate_impl netmgr_data_file:file r_file_perms;
+# TODO(b/36654253): Remove data_between_core_and_vendor_violators once
+# dumpstate HAL no longer directly accesses /data owned by the radio app.
+typeattribute hal_dumpstate_impl data_between_core_and_vendor_violators;
+allow hal_dumpstate_impl radio_data_file:dir r_dir_perms;
+allow hal_dumpstate_impl radio_data_file:file r_file_perms;
 ')
 
 allow hal_dumpstate_impl uio_device:chr_file rw_file_perms;
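Review bot: The `netmgr_data_file:dir` and `netmgr_data_file:file` rules on the lines next to the moved radio_data_file rules stay outside the new annotation; if netmgr_data_file is declared in this device's own policy (vendor-owned) that is correct, but if it is a core-declared type the same `typeattribute hal_dumpstate_impl data_between_core_and_vendor_violators;` marking applies to it as well, so it is worth confirming which policy declares it. Because the typeattribute line sits inside `userdebug_or_eng(`, the attribute is applied only on userdebug/eng builds, which matches the radio_data_file rules it covers; any core-data access the domain has on user builds elsewhere in the file would remain unannotated. The removal of the two commented-out `# system file execution` lines is unrelated cleanup and would be easier to trace in its own change.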
diff --git a/sepolicy/init_radio.te b/sepolicy/init_radio.te
index bbb8a10..ca35191 100644
--- a/sepolicy/init_radio.te
+++ b/sepolicy/init_radio.te
@@ -11,6 +11,9 @@
 allow init_radio firmware_file:file r_file_perms;
 allow init_radio self:capability chown;
 
+# TODO(b/68015003): Remove data_between_core_and_vendor_violators once
+# init_radio no longer directly accesses /data owned by the radio app.
+typeattribute init_radio data_between_core_and_vendor_violators;
 allow init_radio radio_data_file:dir create_dir_perms;
 allow init_radio radio_data_file:file create_file_perms;
 allow init_radio radio_data_file:file w_file_perms;
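Review bot: `allow init_radio radio_data_file:file w_file_perms;` on the line after the new rules is redundant with the `create_file_perms` rule just above it, since in AOSP's global_macros create_file_perms expands to include rw_file_perms; it can be dropped while this block is being touched. The new TODO and typeattribute lines are consistent with the other three files in this change. The rules following the annotation continue outside the hunk, so whether init_radio reaches further core-owned data types cannot be checked here.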
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index dc63cf5..fed8897 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -21,6 +21,10 @@
 
 allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
 
+
+# TODO(b/36682246): Remove data_between_core_and_vendor_violators once
+# netmgrd no longer directly accesses /data owned by the frameworks.
+typeattribute netmgrd data_between_core_and_vendor_violators;
 # read /data/misc/net
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd net_data_file:file r_file_perms;
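Review bot: The blank line added right after the `allow netmgrd self:capability` rule doubles the blank line already before it, while the new `typeattribute` line runs straight into the `# read /data/misc/net` comment with no separation; drop the added blank and put one after the typeattribute line instead. The TODO wording ("/data owned by the frameworks") is looser than in the other files; naming the type, e.g. `# netmgrd no longer directly accesses /data/misc/net (net_data_file) owned by core.`, makes the removal condition checkable. netmgrd.te continues outside the hunk, so other core-owned data types the domain may touch cannot be reviewed here.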
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 9e93720..0793357 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -32,6 +32,9 @@
 # rild needs 'lock' for /vendor/qcril.db
 allow rild vendor_file:file { lock };
 
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# rild no longer directly accesses the radio app's data type.
+typeattribute rild data_between_core_and_vendor_violators;
 # allow rild to access radio data file
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
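Review bot: The TODO comment here says "the radio app's data type" while the init_radio and hal_dumpstate_impl files say "/data owned by the radio app"; using one phrasing, or the concrete type name `radio_data_file`, across all four files keeps the cleanup greppable when the bugs are closed. A blank line after the `typeattribute rild data_between_core_and_vendor_violators;` line would also separate the annotation from the existing `# allow rild to access radio data file` comment. rild.te continues beyond the hunk, so any further core-owned types rild reaches are outside this review.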