From 8bb308016f9eda71178d62b9b0e51fd4454bddb6 Mon Sep 17 00:00:00 2001
From: Robert Craig <rpcraig@tycho.ncsc.mil>
Date: Wed, 3 Apr 2013 14:21:46 -0400
Subject: [PATCH] Add new domains for private apps.

/data/app-private is used when making an
app purchase or forward locking. Provide a
new label for the directory as well as the
tmp files that appear under it.

Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
---
 app.te        | 6 ++++--
 file.te       | 3 +++
 file_contexts | 2 ++
 system.te     | 4 ++--
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index eaca76c7d..223fc938d 100644
--- a/app.te
+++ b/app.te
@@ -20,8 +20,10 @@ allow platform_app cache_file:file create_file_perms;
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
-# Populate /data/app/vmdl*.tmp file created by system server.
-allow platform_app apk_tmp_file:file rw_file_perms;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
diff --git a/file.te b/file.te
index a82945a5f..5ec92cc8c 100644
--- a/file.te
+++ b/file.te
@@ -36,6 +36,9 @@ type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
diff --git a/file_contexts b/file_contexts
index 3fde10925..2f8c988fa 100644
--- a/file_contexts
+++ b/file_contexts
@@ -159,6 +159,8 @@
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
 /data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
+/data/app-private(/.*)?		u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
diff --git a/system.te b/system.te
index 4fc4283b0..650a7472e 100644
--- a/system.te
+++ b/system.te
@@ -151,8 +151,8 @@ allow system data_file_type:notdevfile_class_set create_file_perms;
 allow system rootfs:file r_file_perms;
 
 # Relabel apk files.
-allow system apk_tmp_file:file { relabelfrom relabelto };
-allow system apk_data_file:file { relabelfrom relabelto };
+allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
+allow system { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
 
 # Relabel wallpaper.
 allow system system_data_file:file relabelfrom;
-- 
GitLab