Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.
diff --git a/app.te b/app.te
index 6cc499a..fa16910 100644
--- a/app.te
+++ b/app.te
@@ -28,8 +28,7 @@
 allow trusted_app sdcard:dir create_dir_perms;
 allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
-# It would be better if this was labeled differently.
-allow trusted_app apk_data_file:file write;
+allow trusted_app apk_tmp_file:file rw_file_perms;
 
 #
 # An example of a specific domain for a specific app
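Review bot: The `allow trusted_app apk_tmp_file:file rw_file_perms;` line widens the grant compared with the single `write` permission it replaces: rw_file_perms also carries the read-side permissions from global_macros (read, getattr, open and, depending on the macro definition, ioctl and lock). The comment above still says the app only populates the staging file; if that is all it does, `allow trusted_app apk_tmp_file:file w_file_perms;` keeps the rule as narrow as before while still moving it onto the new type. If the installer flow genuinely reads the file back, state that in the comment, e.g. `# Populate and read back /data/app/vmdl*.tmp staging files created by system server.`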
diff --git a/file.te b/file.te
index dc9e768..a7318c4 100644
--- a/file.te
+++ b/file.te
@@ -29,7 +29,8 @@
 # /data/tombstones - core dumps
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
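Review bot: The new `type apk_tmp_file` line has no comment of its own, so the `# /data/app - user-installed apps` heading now reads as if it describes both types; add `# /data/app/vmdl*.tmp - install staging files created by system server` above it. Dropping `mlstrustedobject` from apk_data_file is also an MLS behavior change for every existing file under /data/app that the commit message does not mention; if it is intended, a sentence in the description would help, since any domain that relied on it may surface failures as denials that no allow rule fixes.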
diff --git a/file_contexts b/file_contexts
index 79a3124..550fa9a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -106,6 +106,7 @@
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
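Review bot: The new `/data/app/vmdl.*\.tmp` entry only takes effect through an explicit relabel: a file system_server creates under /data/app inherits the directory's apk_data_file label unless a transition rule exists, so the label presumably comes from a restorecon that the relabel rules in system.te (outside this hunk) enable. The entry is correctly placed after the `/data/app(/.*)?` catch-all, which matters because file_contexts lookup uses the last matching entry; a comment such as `# Must follow the /data/app entry so the more specific match takes precedence.` would keep a future reorder from silently undoing it.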
diff --git a/installd.te b/installd.te
index e4b0b18..466125e 100644
--- a/installd.te
+++ b/installd.te
@@ -12,6 +12,7 @@
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:file { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
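Review bot: The added `allow installd apk_tmp_file:file r_file_perms;` is undocumented, and it is not clear from the hunk why installd reads the staging file rather than the file after it has been relabeled to apk_data_file. If installd can be handed the vmdl*.tmp path before system_server relabels it, say so, e.g. `# Read vmdl*.tmp staging files that system_server may pass to installd before relabeling them.`; if it is only a defensive grant, say that instead so the rule is not carried forward once the ordering is settled.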
diff --git a/system.te b/system.te
index 47e1eeb..8740c6b 100644
--- a/system.te
+++ b/system.te
@@ -130,6 +130,13 @@
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
+# Read /file_contexts.
+allow system rootfs:file r_file_perms;
+
+# Relabel apk files.
+allow system apk_tmp_file:file { relabelfrom relabelto };
+allow system apk_data_file:file { relabelfrom relabelto };
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;
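Review bot: The rule under `# Read /file_contexts.` is far broader than its comment: `allow system rootfs:file r_file_perms;` grants read on every file labeled rootfs, not only /file_contexts, presumably because /file_contexts carries the generic rootfs label in this policy. Either give that file its own type in file_contexts and allow only that type, or make the comment honest, e.g. `# Read /file_contexts (this also permits reading any other rootfs-labeled file).` The relabel pair below is also symmetric: relabelfrom plus relabelto on both apk_tmp_file and apk_data_file lets system move labels in either direction, whereas the staging flow only needs tmp -> apk, which is `allow system apk_tmp_file:file relabelfrom;` together with `allow system apk_data_file:file relabelto;`.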