am a211ee2d: am d7e5ef7e: am 91a4f8d4: Label app data directories for system...

am a211ee2d: am d7e5ef7e: am 91a4f8d4: Label app data directories for system UID apps with a different type.

* commit 'a211ee2d':
  Label app data directories for system UID apps with a different type.

app.te

@@ -109,6 +109,11 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
 
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
 # Access SDcard.
 allow appdomain sdcard_type:dir create_dir_perms;
 allow appdomain sdcard_type:file create_file_perms;

file.te

@@ -81,6 +81,8 @@ type zoneinfo_data_file, file_type, data_file_type;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type;
 # Compatibility with type name used in Android 4.3 and 4.4.
 typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;

installd.te

@@ -34,8 +34,10 @@ allow installd shell_data_file:lnk_file { create setattr };
 # restorecon /data/data
 allow installd unlabeled:dir relabelfrom;
 allow installd unlabeled:notdevfile_class_set relabelfrom;
-allow installd system_data_file:dir { relabelfrom relabelto };
-allow installd system_data_file:notdevfile_class_set { relabelfrom relabelto };
+allow installd system_data_file:dir relabelfrom;
+allow installd system_data_file:notdevfile_class_set relabelfrom;
+allow installd system_app_data_file:dir { relabelfrom relabelto };
+allow installd system_app_data_file:notdevfile_class_set { relabelfrom relabelto };
 allow installd bluetooth_data_file:dir { relabelfrom relabelto };
 allow installd bluetooth_data_file:notdevfile_class_set { relabelfrom relabelto };
 allow installd nfc_data_file:dir { relabelfrom relabelto };

seapp_contexts

@@ -35,7 +35,7 @@
 # level may be used to specify a fixed level for any UID. 
 #
 isSystemServer=true domain=system_server
-user=system domain=system_app type=system_data_file
+user=system domain=system_app type=system_app_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file

system_app.te

@@ -9,10 +9,9 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
 
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:file create_file_perms;
 
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;