From ee49c0e36a6c35253dcf708f5843443cbc3c03f6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 7 Jun 2014 10:00:59 -0700
Subject: [PATCH] remove shell_data_file from unconfined.

Domains which want to access /data/local/tmp must do so by
creating their own SELinux domain.

Bug: 15164984
Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
---
 init.te       |  4 ++++
 unconfined.te | 20 ++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/init.te b/init.te
index 8cdc3bcb5..8421fa3d6 100644
--- a/init.te
+++ b/init.te
@@ -54,6 +54,10 @@ allow init watchdogd:process transition;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
 
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
 # setexec is for services with seclabel options.
 # setfscreate is for labeling directories and socket files.
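Review bot: The new comment at `# Init creates /data/local/tmp at boot` does not record why init now needs an explicit rule, which is the coupling with the `-shell_data_file` exclusion added to unconfineddomain in unconfined.te in the same patch; a future reader pruning init's rules will not see that dependency from this file alone. Suggest `# Init creates /data/local/tmp at boot. shell_data_file is excluded from the` / `# unconfineddomain file rules (unconfined.te), so init needs explicit access.` The permission set copied from the keystore_data_file rules above appears to be the minimal create/search set rather than a broad grant, which is consistent with the intent of the change.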
diff --git a/unconfined.te b/unconfined.te
index 123d16f95..4dc30dbf4 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -49,13 +49,29 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {
+    file_type
+    -keystore_data_file
+    -property_data_file
+    -system_file
+    -exec_type
+    -security_file
+    -shell_data_file
+}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {
+    file_type
+    -keystore_data_file
+    -property_data_file
+    -system_file
+    -exec_type
+    -security_file
+    -shell_data_file
+}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
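Review bot: The exclusion set `{ file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file -shell_data_file }` is now spelled out twice, in the `{ dir lnk_file sock_file fifo_file }` rule and the `{ chr_file file }` rule, so the next carve-out has to be applied in both places or the two rules silently diverge and one class of objects stays reachable from unconfined domains. Since the whole point of these rules is to keep the unconfined carve-outs in lockstep, consider factoring the shared set into a single definition (for example an attribute or a policy macro, whichever this tree already uses for such sets) and referencing it from both rules. If that is out of scope for this change, a one-line comment above the first rule such as `# Keep this exclusion list identical to the { chr_file file } rule below.` would at least make the invariant explicit.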
-- 
GitLab