Exempt app_data_file_type from neverallow rules.

We need to be able to access app data files from core domains such as
installd even for vendor apps. Those file types should not be
core_data_file_type, so we explicitly exempty app_data_file_type as
well as core_data_file_type from the relevant neverallows.

To prevent misuse of the attribute, add a test to check it is not
applied to anything in file_contexts. Exempt the existing violators in
system policy for now.

Test: Builds
Test: Adding a type with just "file_type, data_file_type, app_data_file_type" works
Test: New test successfully catches  violators.
Bug: 171795911
Change-Id: I07bf3ec3db615f8b7a33d8235da5e6d8e2508975

public/attributes

@@ -34,7 +34,8 @@ expandattribute data_file_type false;
 attribute core_data_file_type;
 expandattribute core_data_file_type false;
 
-# All types used for app private data files under /data/data.
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
 attribute app_data_file_type;
 expandattribute app_data_file_type false;
 

public/domain.te

@@ -783,6 +783,7 @@ full_treble_only(`
     dev_type
     -coredomain_socket
     -core_data_file_type
+    -app_data_file_type
     -unlabeled
   }:sock_file ~{ append getattr ioctl read write };
 ')
@@ -807,6 +808,7 @@ full_treble_only(`
   } {
     data_file_type
     -core_data_file_type
+    -app_data_file_type
   }:file_class_set ~{ append getattr ioctl read write map };
 ')
 full_treble_only(`
@@ -819,6 +821,7 @@ full_treble_only(`
     } {
       data_file_type
       -core_data_file_type
+      -app_data_file_type
       # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
       # neverallow. Currently only getattr and search are allowed.
       -vendor_data_file

tests/policy.py

@@ -52,9 +52,9 @@ class Policy:
     __policydbP = None
     __BUFSIZE = 2048
 
-    def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+    def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
         # Query policy for the types associated with Attr
-        TypesPol = self.QueryTypeAttribute(Attr, True)
+        TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
         # Search file_contexts to find types associated with input paths.
         TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
         violators = TypesFc.intersection(TypesPol)

tests/sepolicy_tests.py

@@ -61,6 +61,28 @@ def TestCoreDataTypeViolations(pol):
 def TestPropertyTypeViolations(pol):
     return pol.AssertPropertyOwnersAreExclusive()
 
+def TestAppDataTypeViolations(pol):
+    # Types with the app_data_file_type should only be used for app data files
+    # (/data/data/package.name etc) via seapp_contexts, and never applied
+    # explicitly to other files.
+    partitions = [
+        "/data/",
+        "/vendor/",
+        "/odm/",
+        "/product/",
+    ]
+    exceptions = [
+        # These are used for app data files for the corresponding user and
+        # assorted other files.
+        # TODO(b/172812577): Use different types for the different purposes
+        "shell_data_file",
+        "bluetooth_data_file",
+        "nfc_data_file",
+        "radio_data_file",
+    ]
+    return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
+                                            exceptions)
+
 
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
@@ -87,7 +109,8 @@ Tests = [
     "TestDebugfsTypeViolations",
     "TestVendorTypeViolations",
     "TestCoreDataTypeViolations",
-    "TestPropertyTypeViolations"
+    "TestPropertyTypeViolations",
+    "TestAppDataTypeViolations",
 ]
 
 if __name__ == '__main__':
@@ -143,6 +166,8 @@ if __name__ == '__main__':
         results += TestCoreDataTypeViolations(pol)
     if options.test is None or "TestPropertyTypeViolations" in options.test:
         results += TestPropertyTypeViolations(pol)
+    if options.test is None or "TestAppDataTypeViolations" in options.test:
+        results += TestAppDataTypeViolations(pol)
 
     if len(results) > 0:
         sys.exit(results)