diff --git a/app.te b/app.te
index b89d4e15c975b412b48e1e25e6518e36b8bbf043..438e01f466255b4617e6f36507eb7e924ee15afc 100644
--- a/app.te
+++ b/app.te
@@ -110,6 +110,10 @@ allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
 # % adb shell dumpsys procstats --start-testing
diff --git a/dex2oat.te b/dex2oat.te
index df3cc424543913a41c1428371e1b0a8ed27113b1..58fcef8e4f3c1ced4a174ddafda78a6e72b6859a 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, mlstrustedsubject, domain_deprecated;
+type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
@@ -15,7 +15,7 @@ allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
 allow dex2oat apk_tmp_file:file read;
-allow dex2oat app_data_file:file {read write lock};
+allow dex2oat user_profile_data_file:file {read lock};
 
 ##################
 # A/B OTA Dexopt #
diff --git a/domain.te b/domain.te
index e24036b5ecff3bc15b980686c1be172188675501..9d377e50a6604b1f0d3bb3f8746e92d83412d189 100644
--- a/domain.te
+++ b/domain.te
@@ -551,3 +551,11 @@ neverallow {
   -ueventd
   -vold
 } fuse_device:chr_file *;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+  domain
+  -installd
+  -profman
+} profman_exec:file no_x_file_perms;
diff --git a/file.te b/file.te
index 685cfe0845c28a828c8ffe5c461496f506238e7c..ff60c0435beb34c4614a1ae3392b4e82b95813da 100644
--- a/file.te
+++ b/file.te
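Review bot: The two new `allow appdomain user_profile_data_file:...` rules give every app domain write/add_name on the directory and create_file_perms (which includes unlink and rename) on the files, and the file_contexts hunk puts the same type on both /data/misc/profiles/cur and /data/misc/profiles/ref, so type enforcement no longer keeps one app from overwriting or deleting another app's current or reference profile; isolation would rest on the DAC mode of per-app subdirectories, which this change does not show. The file_contexts TODO already concedes that ref needs its own label, and the untrusted_app.te hunk carves the same exception into its neverallow, so it shares this point. Until ref is split out, the comment should state the assumption, e.g. `# Write profiles under /data/misc/profiles. cur and ref share one label; cross-app isolation relies on DAC.`. If apps never delete or rename profiles, a narrower file permission set than create_file_perms would also limit what a misbehaving app can do to the consumers of these files (dex2oat and profman).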
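Review bot: The comment on the new neverallow reads `# in from installd forked processes.`, which is ungrammatical and does not say what the rule enforces; suggest `# Profiles contain untrusted data that profman parses, so only processes forked by installd may execute profman.`. The rule also exempts profman itself, presumably because domain_auto_trans grants the new domain execute on its own entrypoint; a one-line note on that exemption would save the next reader from asking why profman may execute its own binary.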
@@ -85,6 +85,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
 type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
diff --git a/file_contexts b/file_contexts
index 9222324da4aba4ff8b7e772ad0a40e871b5759b4..ed8e30e6cb56087be5d9922921bd6632672530d7 100644
--- a/file_contexts
+++ b/file_contexts
@@ -203,6 +203,7 @@
 /system/bin/dex2oat u:object_r:dex2oat_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
 /system/bin/blkid u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -289,6 +290,10 @@
 /data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
 
 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/installd.te b/installd.te
index f685a4883fa8849976c77f486adbce392380fcb5..688a7e6c07f4fc6b748d9c57b7fd729aa91afafb 100644
--- a/installd.te
+++ b/installd.te
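Review bot: `type user_profile_data_file` is declared mlstrustedobject with no comment saying why; that attribute exempts the profile files from the MLS constraints that otherwise keep one Android user's apps away from another user's data, and app.te gives every app domain write access to this type, so per-user separation of profiles would presumably depend on DAC alone. If that is intended, record it next to the declaration, e.g. `# /data/misc/profiles (mlstrustedobject: MLS does not separate these files by user; per-user isolation relies on DAC)`; if not, the attribute needs a justification or should be dropped.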
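Review bot: Only /data/misc/profiles/cur and /data/misc/profiles/ref are matched, so the parent /data/misc/profiles itself keeps whatever label /data/misc falls under; if that parent is created at runtime by something other than init (vold and installd both receive create_dir_perms on user_profile_data_file in this change), the creating domain will need a rule against the parent's label, which is not shown here. A short note under the TODO saying who creates the parent directory (presumably init.rc, not visible in this diff) would close that gap for the next reader.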
@@ -66,6 +66,9 @@ allow installd resourcecache_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
@@ -109,6 +112,10 @@ allow installd {
   autoplay_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+
 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;
 
diff --git a/profman.te b/profman.te
new file mode 100644
index 0000000000000000000000000000000000000000..ac34e8923972a4a7723d99cdd61bec16838bdcae
--- /dev/null
+++ b/profman.te
@@ -0,0 +1,9 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { read write lock };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/untrusted_app.te b/untrusted_app.te
index 30364b035214c7ffe018e797ef76b63709dddffe..189f3c50980908435862ddd312681d6553a9a5b5 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -171,6 +171,7 @@ neverallow untrusted_app {
   -app_data_file # The apps sandbox itself
   -media_rw_data_file # Internal storage. Known that apps can
                       # leave artfacts here after uninstall.
+  -user_profile_data_file # Access to profile files
   userdebug_or_eng(`
   -method_trace_data_file # only on ro.debuggable=1
   -coredump_file # userdebug/eng only
diff --git a/vold.te b/vold.te
index 9a1ccfe3a008ad0966674affc9d1338a5c87a357..fb3673c00fc739af0c5f12dcc769d82d6aa8e749 100644
--- a/vold.te
+++ b/vold.te
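Review bot: The comment `# Similar for the files under /data/misc/profiles/` points back at the autoplay_data_file rule, but that rule also grants relabelfrom/relabelto while the new rules grant only create_dir_perms/create_file_perms, so "similar" overstates what installd gets here; suggest `# Create and manage profile directories and files under /data/misc/profiles/.`. The rule the comment refers to begins before this hunk.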
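Review bot: profman receives `user_profile_data_file:file { read write lock }` with no `open`, so it can only work on profile descriptors inherited through `allow profman installd:fd use;`; that is a sound shape for a parser of untrusted input, but nothing in the file says it is deliberate, and the next person who hits an open denial will likely add `open` rather than fix the caller. Suggest a comment above the allow rule: `# profman never opens profiles itself; installd opens them and passes the fds, so no open permission here.`. The closing neverallow forbids opening app_data_file only; if the intent is that profman opens no data file at all, stating it for the whole attribute, e.g. `neverallow profman data_file_type:notdevfile_class_set open;`, would make that invariant explicit and keep it from eroding.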
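Review bot: `# Access to profile files` on the new exception line says neither which access nor why this type is exempt from the neverallow; the app.te hunk is the reason, so suggest `# /data/misc/profiles: apps write profiles here (see app.te)`. The neverallow this line belongs to starts before the hunk, so the enclosing rule is outside it.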
@@ -185,6 +185,9 @@ allow vold sysfs_zram_uevent:file rw_file_perms;
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
 
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
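Review bot: `allow vold user_profile_data_file:dir create_dir_perms;` grants more than "prepare" implies: as defined in global_macros, create_dir_perms also carries rmdir and reparent, so vold could remove or move profile directories; if vold only creates and chowns the per-user directories, a narrower set such as `{ create setattr rw_dir_perms }` would do, and if it also removes them when a user is deleted, the comment should say so. Either way the comment should name the directories it prepares, e.g. `# Create the per-user profile directories under /data/misc/profiles.`, with the exact path confirmed against vold since it is not visible in this hunk.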