Merge ephemeral data and apk files into app
The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.
Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3e58ccf..b4a2181 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -14,14 +14,6 @@
net_domain(ephemeral_app)
app_domain(ephemeral_app)
-# App sandbox file accesses.
-allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
-allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
-allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
-
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
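Review bot: The deleted sandbox and APK access rules for ephemeral_app get no replacement in this hunk, so the domain's access to app_data_file and to the installed APK location after this change presumably comes from the attribute-level rules pulled in by `app_domain(ephemeral_app)` two lines above; that dependency should be confirmed against those shared rules and recorded where the deleted comment stood, e.g. `# Sandbox (app_data_file) and APK access come from the shared appdomain rules.`. The second hunk of this file keeps the execute neverallow, now on app_data_file, which is what continues to guarantee that ephemeral apps cannot load executable content from their home directory even though they now share that type with other apps.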
@@ -36,7 +28,7 @@
###
# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/file_contexts b/private/file_contexts
index aa495ec..0bf16c8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -304,10 +304,6 @@
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
-/data/app-ephemeral(/.*)? u:object_r:ephemeral_apk_data_file:s0
-/data/app-ephemeral/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)? u:object_r:ephemeral_apk_tmp_file:s0
-/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
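Review bot: Dropping the four /data/app-ephemeral entries means any such directory still present on a device upgrading from an earlier build is labeled by whichever broader /data pattern matches, which is outside this hunk. The description says the directory itself is being removed platform-side, so this is presumably fine, but it is worth confirming that removal lands alongside this change so no leftover files keep a label for a type this commit retires.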
diff --git a/private/platform_app.te b/private/platform_app.te
index 6747848..dde1c71 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -14,10 +14,10 @@
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
@@ -56,8 +56,4 @@
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
-# Access to ephemeral APKs
-allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
-allow platform_app ephemeral_apk_data_file:file r_file_perms;
-
read_runtime_log_tags(platform_app)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 85980e9..0a30829 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -94,6 +94,6 @@
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all
+user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
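Review bot: With ephemeral apps now labeled app_data_file like every other app, the `levelFrom=all` kept on the new line is what still separates an ephemeral app's data from installed apps at the MLS layer, since the neighbouring entries use `levelFrom=user` and the type no longer distinguishes them; that intent is easy to lose in a later edit. A short comment above the entry would preserve it, e.g. `# Ephemeral apps share app_data_file; levelFrom=all keeps their data separated per app via MLS categories.`.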
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b5cab2c..b5a3af9 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -79,7 +79,6 @@
nfc_data_file
radio_data_file
shell_data_file
- ephemeral_data_file
}:file { rwx_file_perms };
neverallow webview_zygote {