From f1ea707a3df4a4b11332a246d89c37383bb427dc Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 27 May 2014 14:23:32 -0400
Subject: [PATCH] Restore system_app access to system-owned /data directories.

System UID apps want to be able to create/write to system-owned
/data directories outside of their own /data/data package directory,
such as /data/system/cache and /data/misc/keychain.  Restore access
(which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when
system_app_data_file was introduced for the /data/data package
directories of system UID apps), but audit writes to system_data_file
so we can look at introducing separate types for these directories in
the future and ultimately remove access to the rest of the system-owned
data.

Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 system_app.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/system_app.te b/system_app.te
index 5d0eca727..05f1b6c22 100644
--- a/system_app.te
+++ b/system_app.te
@@ -13,6 +13,15 @@ binder_service(system_app)
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read and write to other system-owned /data directories, such as
+# /data/system/cache and /data/misc/keychain.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+# Audit writes to these directories and files so we can identify
+# and possibly move these directories into their own type in the future.
+auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
+auditallow system_app system_data_file:file { create setattr append write link unlink rename };
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
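Review bot: The auditallow sets on the two new lines do not cover every mutating permission that the preceding allow rules grant, so some writes to system_data_file would stay invisible to the audit the commit relies on for later type splitting. If create_dir_perms expands as in the global macros to include `reparent` (moving a directory between parents), that permission is granted on L32 but absent from the dir auditallow; likewise the file auditallow omits `lock`, which is minor, but worth a deliberate decision rather than an omission. I would write `auditallow system_app system_data_file:dir { create reparent setattr add_name remove_name rmdir rename };` and add a one-line comment such as `# Keep this set in sync with the write half of create_dir_perms/create_file_perms.` so the two lists do not drift. Also consider that system_data_file labels far more than the two paths named in the comment on L30-L31, so the grant is broad even with auditing; the comment could say so explicitly to keep future readers from assuming it is scoped.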
-- 
GitLab