From 367757d2ef0ee5c8edc47ce8203a0d3369774e9c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 17 Apr 2015 17:56:31 -0700
Subject: [PATCH] gatekeeperd: use more specific label for /data file

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
---
 file.te          | 1 +
 file_contexts    | 1 +
 gatekeeperd.te   | 8 ++------
 untrusted_app.te | 4 ++++
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/file.te b/file.te
index 2022b950b..7bd38434a 100644
--- a/file.te
+++ b/file.te
@@ -101,6 +101,7 @@ type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
+type gatekeeper_data_file, file_type, data_file_type;
 type keychain_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index eef0fd395..e36a6c384 100644
--- a/file_contexts
+++ b/file_contexts
@@ -229,6 +229,7 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
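Review bot: The new `/data/misc/gatekeeper(/.*)?` entry only takes effect when the path is created or relabeled, so a directory that already exists on an upgraded device would presumably keep `system_data_file`. The gatekeeperd.te hunk in this same commit removes gatekeeperd's write access to `system_data_file`, and nothing visible in the patch relabels the existing directory. Please confirm that boot-time setup runs a `restorecon` over this path (or that the directory cannot exist yet). Otherwise gatekeeperd would hit denials on its existing SID files after the update.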
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 5f27aa92a..39d9d210c 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -18,11 +18,7 @@ allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
 
 # for SID file access
-allow gatekeeperd system_data_file:dir { add_name write};
-allow gatekeeperd system_data_file:file { write create open };
-
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
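Review bot: The new `gatekeeper_data_file` type gets allow rules but no neverallow, so nothing stops a later policy change or a broad `data_file_type` rule from granting another domain access to the SID files. Consider adding, next to the existing service_manager neverallow, something like `neverallow { domain -gatekeeperd -init } gatekeeper_data_file:file { write create unlink };`. The exception list here is a guess and needs checking against the domains that legitimately touch /data/misc. Separately, `rw_dir_perms` and `create_file_perms` grant more than the removed `{ add_name write }` and `{ write create open }` sets (for example read, rename and unlink). If that widening is intentional, say so in the `# for SID file access` comment.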
diff --git a/untrusted_app.te b/untrusted_app.te
index 5ad8c79bd..1b7aaeefd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,6 +93,10 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 ###
 ### neverallow rules
 ###
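Review bot: The comment above `binder_call(untrusted_app, gatekeeperd)` says why apps need the call but not what bounds it. This rule lets every untrusted app send binder transactions to gatekeeperd, so any restriction on individual operations has to be enforced inside gatekeeperd itself. Suggest extending the comment, for example `# SELinux does not filter individual transactions here; gatekeeperd must check the caller itself.` The rules are moved unchanged from gatekeeperd.te, so this is a documentation point only.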
-- 
GitLab