From 87529b3f4bad820b3a607d7b579f99291651c353 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 2 Nov 2017 14:46:44 -0700
Subject: [PATCH] Ban sharing data between platform and vendor processes
Annotate processes that violate the ban including fingerprint and widevine HALs.
Bug: 34980020
Test: build
Change-Id: I4afa03841e1648d4624e66bbd5ed21d09d357547
Merged-In: I4afa03841e1648d4624e66bbd5ed21d09d357547
(cherry picked from commit 458d1f6a6e5274565976cc93675ce09ef926ed5f)
---
 sepolicy/private/ramoops.te | 2 +-
 sepolicy/public/file.te | 2 +-
 sepolicy/vendor/hal_drm_widevine.te | 4 ++++
 sepolicy/vendor/tee.te | 4 +++-
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/sepolicy/private/ramoops.te b/sepolicy/private/ramoops.te
index 57161d95..f7f4aafa 100644
--- a/sepolicy/private/ramoops.te
+++ b/sepolicy/private/ramoops.te
@@ -1,5 +1,5 @@
 type ramoops, domain, coredomain;
-type ramoops_data_file, file_type, data_file_type;
+type ramoops_data_file, file_type, data_file_type, core_data_file_type;
 type ramoops_exec, exec_type, file_type;
 init_daemon_domain(ramoops);
diff --git a/sepolicy/public/file.te b/sepolicy/public/file.te
index ad98df70..1224e34a 100644
--- a/sepolicy/public/file.te
+++ b/sepolicy/public/file.te
@@ -1,2 +1,2 @@
-type elabel_data_file, file_type, data_file_type;
+type elabel_data_file, file_type, data_file_type, core_data_file_type;
 type sysfs_pstore, sysfs_type, fs_type;
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index faf47b31..629ba5e9 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -15,3 +15,7 @@ allow hal_drm { appdomain -isolated_app }:fd use;
 # by the HWC HAL.
 allow hal_drm_widevine qdisplay_service:service_manager { find };
 binder_call(hal_drm_widevine, hal_graphics_composer)
+
+# TODO(b/36601695): Remove data_between_core_and_vendor violators once
+# hal_drm no longer directly accesses media_data_file.
+typeattribute hal_drm_widevine data_between_core_and_vendor_violators;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
index 0ddf90ff..98ae1436 100644
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -16,8 +16,10 @@ allow tee persist_drm_file:file create_file_perms;
 allow tee persist_data_file:dir create_dir_perms;
 allow tee persist_data_file:file create_file_perms;
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# tee no longer directly accesses /data owned by the frameworks.
+typeattribute tee data_between_core_and_vendor_violators;
 allow tee system_data_file:dir r_dir_perms;
-
 allow tee fingerprintd_data_file:dir rw_dir_perms;
 allow tee fingerprintd_data_file:file create_file_perms;
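Review bot: The added `typeattribute hal_drm_widevine data_between_core_and_vendor_violators;` exempts the whole domain from the core/vendor data-sharing neverallow checks (as far as I know the attribute is only ever subtracted in those rules), so it covers more than the media_data_file access the TODO names, and a later allow rule on any other core data type in this domain would pass the build unflagged. I would have the comment state that scope, e.g. `# Exemption is needed only for hal_drm's media_data_file access; do not rely on it for other core data types.`, and correct `data_between_core_and_vendor violators` to `data_between_core_and_vendor_violators` so the TODO matches the attribute name. The same holds for the tee.te hunk, where the visible rules that appear to need the exemption are the `system_data_file` and `fingerprintd_data_file` ones; its TODO could name those types instead of "/data owned by the frameworks". The media_data_file rules themselves are outside this hunk, so the exact access being grandfathered cannot be confirmed from here.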