Merge "Get rid of separate platform_app_data_file type."
diff --git a/app.te b/app.te
index 3081f53..11e5f33 100644
--- a/app.te
+++ b/app.te
@@ -48,10 +48,6 @@
allow appdomain app_data_file:dir create_dir_perms;
allow appdomain app_data_file:notdevfile_class_set create_file_perms;
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC. Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open };
diff --git a/drmserver.te b/drmserver.te
index a11700c..b419111 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -20,7 +20,6 @@
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };
r_dir_file(drmserver, efs_file)
diff --git a/file.te b/file.te
index f1bcafd..3d85bcf 100644
--- a/file.te
+++ b/file.te
@@ -76,7 +76,8 @@
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
-type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+typealias app_data_file alias platform_app_data_file;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/.*\.{data|restore} and default
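Review bot: The new comment above the `typealias` line in file.te mentions only name compatibility, but the alias also changes what the policy enforces. `platform_app_data_file` carried `mlstrustedobject` and `app_data_file` does not, and every rule written for `app_data_file` now covers the data of platform-signed apps as well. In the app.te context lines `appdomain` holds `create_dir_perms` and `create_file_perms` on `app_data_file`, whereas the rule removed there limited other apps to `{ getattr read write }` with no open. Type enforcement therefore no longer separates the two, and isolation presumably rests on per-UID DAC ownership and any MLS levels; the seapp_contexts entries changed in this commit set no level. I would extend the comment to say so, e.g. `# Platform app data is no longer distinguished by type; separation between apps relies on DAC (and MLS levels where assigned).`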
diff --git a/installd.te b/installd.te
index 7c72158..b9c2125 100644
--- a/installd.te
+++ b/installd.te
@@ -24,7 +24,6 @@
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(installd)
# ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
allow installd app_data_file:lnk_file { create setattr };
allow installd asec_apk_file:file r_file_perms;
allow installd bluetooth_data_file:lnk_file { create setattr };
diff --git a/media_app.te b/media_app.te
index 099e0a6..cebf79c 100644
--- a/media_app.te
+++ b/media_app.te
@@ -18,7 +18,7 @@
allow media_app download_file:file create_file_perms;
# Allow platform apps to mark platform app data files as download files
relabelto_domain(media_app)
-allow media_app platform_app_data_file:dir relabelfrom;
+allow media_app app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
# inherits from platformappdomain.te
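Review bot: The comment before `relabelto_domain(media_app)` still says "platform app data files", but `allow media_app app_data_file:dir relabelfrom;` now names the type that labels every app's data directory, per the seapp_contexts entries in this commit. Relabeling a directory owned by another UID presumably still fails on DAC ownership, but the rule itself no longer expresses that limit. I would reword the comment to match, e.g. `# Allow media_app to relabel app data directories it owns to download_file; app_data_file is shared by all apps, so DAC ownership is what restricts this.`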
diff --git a/mediaserver.te b/mediaserver.te
index 1019fc7..faec50d 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -22,7 +22,6 @@
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver app_data_file:dir search;
allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
allow mediaserver sdcard_type:file write;
allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
diff --git a/platformappdomain.te b/platformappdomain.te
index 701a636..5ba8601 100644
--- a/platformappdomain.te
+++ b/platformappdomain.te
@@ -3,19 +3,14 @@
# These rules are inherited by any domain that includes platform_app_domain().
# Presently this consists of the four app domains corresponding to apps
# signed by one of the four build keys: platform_app, shared_app, media_app,
-# release_app. These app domains use platform_app_data_file rather
-# than app_data_file for their /data/data directories (as specified via
-# type= in seapp_contexts) and have greater permissions to specific
+# release_app. These app domains have greater permissions to specific
# directories owned by groups that are restricted to apps with
# Android permissions that are signature|system.
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
# Access to /data/media.
allow platformappdomain media_rw_data_file:dir create_dir_perms;
allow platformappdomain media_rw_data_file:file create_file_perms;
+
# Write to /cache.
allow platformappdomain cache_file:dir create_dir_perms;
allow platformappdomain cache_file:file create_file_perms;
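Review bot: The removed `allow platformappdomain platform_app_data_file:file execute;` has no counterpart on `app_data_file` anywhere in this diff, and the app.te context lines grant only `create_dir_perms` and `create_file_perms` on that type. If no rule outside the visible hunks grants execute on `app_data_file` to these domains, platform-signed apps lose execute on files in their own data directories. If an existing rule does cover it, the commit description should name that rule. If the drop is intended as hardening, a line such as `# Platform apps may not execute files from their data directories.` would record the decision.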
diff --git a/seapp_contexts b/seapp_contexts
index 0a78095..05f0486 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -40,10 +40,10 @@
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file
-user=_app seinfo=platform domain=platform_app type=platform_app_data_file
-user=_app seinfo=shared domain=shared_app type=platform_app_data_file
-user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=platform domain=platform_app type=app_data_file
+user=_app seinfo=shared domain=shared_app type=app_data_file
+user=_app seinfo=media domain=media_app type=app_data_file
user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
-user=_app seinfo=release domain=release_app type=platform_app_data_file
+user=_app seinfo=release domain=release_app type=app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 1268247..cb67855 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -42,7 +42,6 @@
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
allow surfaceflinger app_data_file:file { read write };
# Use open file provided by bootanim.