From 6139de50fdb212d28fe406525dce5246f4a4da36 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 19 Feb 2014 10:54:41 -0500
Subject: [PATCH] Add support for and use new path= specifier in seapp_contexts.

Extend check_seapp to accept the use of the new path= specifier in seapp_contexts and use it to ensure proper labeling of the cache subdirectory of com.android.providers.downloads for restorecon.

After this change, restorecon /data/data/com.android.providers.downloads/cache does not change the context, leaving it in download_file rather than relabeling it to platform_app_data_file.

Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.

Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 seapp_contexts | 5 ++++-
 tools/check_seapp.c | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/seapp_contexts b/seapp_contexts
index 2049b8aa7..6c0a9a3e0 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -3,6 +3,7 @@
 # user (string)
 # seinfo (string)
 # name (string)
+# path (string)
 # sebool (string)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
@@ -19,7 +20,8 @@
 # (4) Longer user= prefix before shorter user= prefix.
 # (5) Specified seinfo= string before unspecified seinfo= string.
 # (6) Specified name= string before unspecified name= string.
-# (7) Specified sebool= string before unspecified sebool= string.
+# (7) Specified path= string before unspecified path= string.
+# (8) Specified sebool= string before unspecified sebool= string.
 #
 # Outputs:
 # domain (string)
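Review bot: The new `# path (string)` line in the input list names the key but says nothing about what the value is matched against or that a trailing `*` is a prefix match, which the entry added in the @@ -41 hunk (`path=cache*`) depends on. Because this header is what people read before writing new rules, the matching contract belongs here rather than only in the commit message. If the semantics are as the commit message implies, extend the line to `# path (string) -- path below the app's data directory; a trailing * is a prefix match (used for file labeling)`, adjusting the wording if the lookup code defines it differently.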
@@ -41,6 +43,7 @@ user=_app domain=untrusted_app type=app_data_file levelFrom=none
 user=_app seinfo=platform domain=platform_app type=platform_app_data_file
 user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
 user=_app seinfo=release domain=release_app type=platform_app_data_file
 user=_isolated domain=isolated_app
 user=shell domain=shell type=shell_data_file
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 19e2ab28b..e5108e3f7 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -160,6 +160,7 @@ key_map rules[] = {
  { .name = "user", .type = dt_string, .dir = dir_in, .data = NULL },
  { .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
  { .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
+ { .name = "path", .type = dt_string, .dir = dir_in, .data = NULL },
  { .name = "sebool", .type = dt_string, .dir = dir_in, .data = NULL },
  /*Outputs*/
  { .name = "domain", .type = dt_string, .dir = dir_out, .data = NULL },
-- 
GitLab
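Review bot: `path=cache*` in the added entry is a prefix pattern, so besides `cache` and its contents it would also match any sibling of the downloads data directory whose name merely starts with `cache` (a future `cache2`, for instance), labeling it `download_file` instead of the `platform_app_data_file` the preceding media_app rule gives it. If the matcher only honors a trailing `*` there may be no tighter way to spell "cache and everything below it", but that limitation should be stated next to the rule so nobody later narrows or widens it by accident, e.g. `# cache* is a prefix match: covers the cache dir and its contents, and any sibling starting with "cache"`. The entry also sets only `type=` and no `domain=`, which reads as intentional for a file-labeling-only rule, but a one-line comment confirming that would help.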
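Review bot: The added `path` entry in `rules[]` registers the key as an opaque `dt_string` input, so check_seapp will accept any value, including a `*` at the start or in the middle of the pattern, even if the runtime lookup only honors a trailing `*`; whatever per-key value validation check_seapp applies to other inputs is outside this hunk, and `path` should get at least a "`*` only as the last character" check there if the matcher is that restrictive. A short comment on the table entry would also help readers, e.g. `/* path: file path under the app data dir; trailing '*' = prefix match (file labeling only) */`. The `rules[]` initializer begins and ends outside the hunk.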