From 3d98620ada80f5ca1d6395f2abe054b0aa82fa59 Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Wed, 3 Apr 2013 17:41:22 -0700
Subject: [PATCH] Add downloaded file policy.

Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366
---
 app.te        | 11 +++++++++++
 file.te       |  2 ++
 file_contexts |  2 ++
 3 files changed, 15 insertions(+)

diff --git a/app.te b/app.te
index 6188ef0bb..c216fbeac 100644
--- a/app.te
+++ b/app.te
@@ -27,6 +27,7 @@ allow platform_app apk_tmp_file:file rw_file_perms;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
+allow platform_app download_file:file rw_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
@@ -47,6 +48,11 @@ allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir
+allow media_app rootfs:file r_file_perms;
+# Allow platform apps to mark platform app data files as download files
+allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app download_file:dir relabelto;
 
 # Apps signed with the shared key.
 type shared_app, domain;
@@ -92,6 +98,7 @@ allow platformappdomain sdcard_type:file create_file_perms;
 # System data file accesses (e.g, shared objects from the lib directory)
 allow platformappdomain system_data_file:file { execute open };
 
+
 #
 # Untrusted apps.
 #
@@ -186,3 +193,7 @@ allow { appdomain isolated_app } backup_data_file:file { read write };
 allow { appdomain isolated_app } cache_backup_file:file { read write };
 # Backup ability using 'adb backup'
 allow { appdomain isolated_app } system_data_file:lnk_file getattr;
+
+# Allow all applications to read downloaded files
+allow appdomain download_file:file r_file_perms;
+file_type_auto_trans(appdomain, download_file, download_file)
diff --git a/file.te b/file.te
index a82945a5f..2f30e4c02 100644
--- a/file.te
+++ b/file.te
@@ -76,6 +76,8 @@ type security_file, file_type;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
+# Downloaded files
+type download_file, file_type;
 
 # Socket types
 type adbd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 26a1863dc..87f816f67 100644
--- a/file_contexts
+++ b/file_contexts
@@ -183,6 +183,8 @@
 /data/data/com.android.settings/files/wallpaper	u:object_r:wallpaper_file:s0
 # Wallpaper file for other users
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
+# Downloaded files
+/data/data/com.android.providers.downloads/cache u:object_r:download_file:s0
 #############################
 # efs files
 #
-- 
GitLab