From 59d28035a1e0779a81cde104ea9afffd2bb1a77f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 19 Mar 2012 10:24:52 -0400
Subject: [PATCH] Introduce a separate apk_tmp_file type for the vmdl.*\.tmp
 files.

---
 app.te        | 3 +--
 file.te       | 3 ++-
 file_contexts | 1 +
 installd.te   | 1 +
 system.te     | 7 +++++++
 5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index 6cc499aa3..fa16910a5 100644
--- a/app.te
+++ b/app.te
@@ -28,8 +28,7 @@ allow trusted_app shell_data_file:lnk_file read;
 allow trusted_app sdcard:dir create_dir_perms;
 allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
-# It would be better if this was labeled differently.
-allow trusted_app apk_data_file:file write;
+allow trusted_app apk_tmp_file:file rw_file_perms;
 
 #
 # An example of a specific domain for a specific app
diff --git a/file.te b/file.te
index dc9e76821..a7318c4ad 100644
--- a/file.te
+++ b/file.te
@@ -29,7 +29,8 @@ type anr_data_file, file_type, data_file_type;
 # /data/tombstones - core dumps
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
diff --git a/file_contexts b/file_contexts
index 79a3124b1..550fa9a4e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -106,6 +106,7 @@
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
diff --git a/installd.te b/installd.te
index e4b0b1828..466125ef4 100644
--- a/installd.te
+++ b/installd.te
@@ -12,6 +12,7 @@ allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:file { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
diff --git a/system.te b/system.te
index 47e1eeba1..8740c6b0f 100644
--- a/system.te
+++ b/system.te
@@ -130,6 +130,13 @@ allow system qemu_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
+# Read /file_contexts.
+allow system rootfs:file r_file_perms;
+
+# Relabel apk files.
+allow system apk_tmp_file:file { relabelfrom relabelto };
+allow system apk_data_file:file { relabelfrom relabelto };
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;
-- 
GitLab