Merge "Get rid of separate platform_app_data_file type."

app.te

@@ -48,10 +48,6 @@ allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr ge
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC.  Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open };

drmserver.te

@@ -20,7 +20,6 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
 allow drmserver app_data_file:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)

file.te

@@ -76,7 +76,8 @@ type zoneinfo_data_file, file_type, data_file_type;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
-type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+typealias app_data_file alias platform_app_data_file;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default

installd.te

@@ -24,7 +24,6 @@ selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)
 # ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
 allow installd app_data_file:lnk_file { create setattr };
 allow installd asec_apk_file:file r_file_perms;
 allow installd bluetooth_data_file:lnk_file { create setattr };

media_app.te

@@ -18,7 +18,7 @@ allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
-allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
 
 # inherits from platformappdomain.te

mediaserver.te

@@ -22,7 +22,6 @@ allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
 allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;

platformappdomain.te

@@ -3,19 +3,14 @@
 # These rules are inherited by any domain that includes platform_app_domain().
 # Presently this consists of the four app domains corresponding to apps
 # signed by one of the four build keys: platform_app, shared_app, media_app,
-# release_app.  These app domains use platform_app_data_file rather
-# than app_data_file for their /data/data directories (as specified via
-# type= in seapp_contexts) and have greater permissions to specific
+# release_app.  These app domains have greater permissions to specific
 # directories owned by groups that are restricted to apps with
 # Android permissions that are signature|system.
 
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
 # Access to /data/media.
 allow platformappdomain media_rw_data_file:dir create_dir_perms;
 allow platformappdomain media_rw_data_file:file create_file_perms;
+
 # Write to /cache.
 allow platformappdomain cache_file:dir create_dir_perms;
 allow platformappdomain cache_file:file create_file_perms;

seapp_contexts

@@ -40,10 +40,10 @@ user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=_app domain=untrusted_app type=app_data_file
-user=_app seinfo=platform domain=platform_app type=platform_app_data_file
-user=_app seinfo=shared domain=shared_app type=platform_app_data_file
-user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app seinfo=shared domain=shared_app type=app_data_file
+user=_app seinfo=media domain=media_app type=app_data_file
 user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
-user=_app seinfo=release domain=release_app type=platform_app_data_file
+user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
 user=shell domain=shell type=shell_data_file

surfaceflinger.te

@@ -42,7 +42,6 @@ allow surfaceflinger ctl_default_prop:property_service set;
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
 allow surfaceflinger app_data_file:file { read write };
 
 # Use open file provided by bootanim.