From bfb26e7b0761121039dea36ad34b6c5054babcfa Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Wed, 3 Apr 2013 17:41:22 -0700
Subject: [PATCH] Add downloaded file policy.

Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366
---
 app.te        | 11 +++++++++++
 file.te       |  2 ++
 file_contexts |  2 ++
 3 files changed, 15 insertions(+)

diff --git a/app.te b/app.te
index e8d272d27..eaede558d 100644
--- a/app.te
+++ b/app.te
@@ -27,6 +27,7 @@ allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
+allow platform_app download_file:file rw_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
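Review bot: The added `allow platform_app download_file:file rw_file_perms;` sits directly under the `# ASEC` comment, so it reads as one of the ASEC rules although it concerns a different type. Give it a blank line and its own comment, for example `# Read and write downloaded files`. Neither the rule nor the commit message says why platform apps need write access, while the last app.te hunk describes download files as something apps read. A one-line reason in the comment would help whoever audits this grant later.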
@@ -45,6 +46,11 @@ allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir
+allow media_app rootfs:file r_file_perms;
+# Allow platform apps to mark platform app data files as download files
+allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app download_file:dir relabelto;
 
 # Apps signed with the shared key.
 type shared_app, domain;
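Review bot: The comment `# Allow platform apps to mark platform app data files as download files` does not match the two rules under it, which grant `relabelfrom` and `relabelto` to `media_app`, and only for class `dir`. Correct the comment to name media_app and directories. If files inside the directory are also meant to be relabeled, the rules need the `file` class as well, since as written existing files keep their old label. The `allow media_app rootfs:file r_file_perms;` rule is unrelated to the download policy named in the subject. It would be easier to audit as a separate change, or with a comment stating which rootfs files media apps need to read.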
@@ -83,6 +89,7 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
 
+
 #
 # Untrusted apps.
 #
@@ -180,3 +187,7 @@ allow { appdomain isolated_app } backup_data_file:file { read write };
 allow { appdomain isolated_app } cache_backup_file:file { read write };
 # Backup ability using 'adb backup'
 allow { appdomain isolated_app } system_data_file:lnk_file getattr;
+
+# Allow all applications to read downloaded files
+allow appdomain download_file:file r_file_perms;
+file_type_auto_trans(appdomain, download_file, download_file)
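Review bot: The comment says `# Allow all applications to read downloaded files`, but `file_type_auto_trans(appdomain, download_file, download_file)` very likely grants far more than read. The macro is defined outside this patch, but in this policy family it expands to add-name permissions on the directory plus create permissions on files and directories of the target type. That would let every app domain create and modify download files, and would make both the `r_file_perms` rule above it and the earlier `allow platform_app download_file:file rw_file_perms;` redundant. A transition from `download_file` to `download_file` also changes nothing, because new files already inherit the parent directory's type. If read-only access is the intent, replace the macro line with `allow appdomain download_file:dir search;`. Limit create and write rules to the domain that owns the downloads provider, presumably media_app judging by the relabel rules earlier in this file.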
diff --git a/file.te b/file.te
index 5ec92cc8c..29b21061c 100644
--- a/file.te
+++ b/file.te
@@ -79,6 +79,8 @@ type security_file, file_type;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
+# Downloaded files
+type download_file, file_type;
 
 # Socket types
 type adbd_socket, file_type;
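Review bot: `download_file` is declared with `file_type` only, although the file_contexts hunk in this patch places it under /data/data. If this policy uses a `data_file_type` attribute for types stored on /data (not visible in this hunk), the declaration should carry it, `type download_file, file_type, data_file_type;`. Otherwise attribute-based rules and checks written for data files will not cover the new type. The comment `# Downloaded files` could also name the directory the type applies to and the domain expected to write it.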
diff --git a/file_contexts b/file_contexts
index ccbb99ad0..3d885b112 100644
--- a/file_contexts
+++ b/file_contexts
@@ -186,6 +186,8 @@
 /data/data/com.android.settings/files/wallpaper	u:object_r:wallpaper_file:s0
 # Wallpaper file for other users
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
+# Downloaded files
+/data/data/com.android.providers.downloads/cache u:object_r:download_file:s0
 #############################
 # efs files
 #
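Review bot: The new entry `/data/data/com.android.providers.downloads/cache` matches only the directory itself, because file_contexts patterns are anchored. A relabel of that tree would therefore give the files inside it whatever label the broader /data/data entry assigns rather than `download_file`. Use `/data/data/com.android.providers.downloads/cache(/.*)?	u:object_r:download_file:s0` to cover the contents. The path is also fixed to the primary user's data directory, whereas the wallpaper entry just above it uses `[0-9]+` for other users. If secondary users have their own downloads cache it needs a matching pattern. The separator here is a space where the neighbouring entries use tabs.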
-- 
GitLab