Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.

59d28035 · Stephen Smalley · b660916b · 59d28035 · 59d28035 · 59d28035
Commit 59d28035 authored 13 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -28,8 +28,7 @@ allow trusted_app shell_data_file:lnk_file read;
 allow trusted_app sdcard:dir create_dir_perms;
 allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
-# It would be better if this was labeled differently.
+allow trusted_app apk_tmp_file:file rw_file_perms;
-allow trusted_app apk_data_file:file write;
 #
 # An example of a specific domain for a specific app

--- a/file.te
+++ b/file.te
@@ -29,7 +29,8 @@ type anr_data_file, file_type, data_file_type;
 # /data/tombstones - core dumps
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/local - writable by shell

--- a/file_contexts
+++ b/file_contexts
@@ -106,6 +106,7 @@
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local(/.*)?	u:object_r:shell_data_file:s0
 # Misc data

--- a/installd.te
+++ b/installd.te
@@ -12,6 +12,7 @@ allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:file { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;

--- a/system.te
+++ b/system.te
@@ -130,6 +130,13 @@ allow system qemu_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
+# Read /file_contexts.
+allow system rootfs:file r_file_perms;
+# Relabel apk files.
+allow system apk_tmp_file:file { relabelfrom relabelto };
+allow system apk_data_file:file { relabelfrom relabelto };
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;