Get rid of separate platform_app_data_file type.

The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

app.te

@@ -48,10 +48,6 @@ allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr ge
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC.  Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open };

drmserver.te

@@ -20,7 +20,6 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
 allow drmserver app_data_file:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)

file.te

@@ -76,7 +76,8 @@ type zoneinfo_data_file, file_type, data_file_type;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
-type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+typealias app_data_file alias platform_app_data_file;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default

installd.te

@@ -24,7 +24,6 @@ selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)
 # ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
 allow installd app_data_file:lnk_file { create setattr };
 allow installd asec_apk_file:file r_file_perms;
 allow installd bluetooth_data_file:lnk_file { create setattr };

media_app.te

@@ -18,7 +18,7 @@ allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
-allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
 
 # inherits from platformappdomain.te

mediaserver.te

@@ -22,7 +22,6 @@ allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
 allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;

platformappdomain.te

@@ -3,19 +3,14 @@
 # These rules are inherited by any domain that includes platform_app_domain().
 # Presently this consists of the four app domains corresponding to apps
 # signed by one of the four build keys: platform_app, shared_app, media_app,
-# release_app.  These app domains use platform_app_data_file rather
-# than app_data_file for their /data/data directories (as specified via
-# type= in seapp_contexts) and have greater permissions to specific
+# release_app.  These app domains have greater permissions to specific
 # directories owned by groups that are restricted to apps with
 # Android permissions that are signature|system.
 
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
 # Access to /data/media.
 allow platformappdomain media_rw_data_file:dir create_dir_perms;
 allow platformappdomain media_rw_data_file:file create_file_perms;
+
 # Write to /cache.
 allow platformappdomain cache_file:dir create_dir_perms;
 allow platformappdomain cache_file:file create_file_perms;

seapp_contexts

@@ -40,10 +40,10 @@ user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=_app domain=untrusted_app type=app_data_file
-user=_app seinfo=platform domain=platform_app type=platform_app_data_file
-user=_app seinfo=shared domain=shared_app type=platform_app_data_file
-user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app seinfo=shared domain=shared_app type=app_data_file
+user=_app seinfo=media domain=media_app type=app_data_file
 user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
-user=_app seinfo=release domain=release_app type=platform_app_data_file
+user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
 user=shell domain=shell type=shell_data_file

surfaceflinger.te

@@ -42,7 +42,6 @@ allow surfaceflinger ctl_default_prop:property_service set;
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
 allow surfaceflinger app_data_file:file { read write };
 
 # Use open file provided by bootanim.