Skip to content
Snippets Groups Projects
Commit bfb26e7b authored by Geremy Condra's avatar Geremy Condra Committed by repo sync
Browse files

Add downloaded file policy. 

Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366
parent d381b97e
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
app.te
+ 11
0
View file @ bfb26e7b
...@@ -27,6 +27,7 @@ allow platform_app apk_private_data_file:dir search; ...@@ -27,6 +27,7 @@ allow platform_app apk_private_data_file:dir search;
# ASEC # ASEC
allow platform_app asec_apk_file:dir create_dir_perms; allow platform_app asec_apk_file:dir create_dir_perms;
allow platform_app asec_apk_file:file create_file_perms; allow platform_app asec_apk_file:file create_file_perms;
allow platform_app download_file:file rw_file_perms;
# Apps signed with the media key. # Apps signed with the media key.
type media_app, domain; type media_app, domain;
...@@ -45,6 +46,11 @@ allow media_app unlabeled:dir getattr; ...@@ -45,6 +46,11 @@ allow media_app unlabeled:dir getattr;
# Stat /cache/backup # Stat /cache/backup
allow media_app cache_backup_file:file getattr; allow media_app cache_backup_file:file getattr;
allow media_app cache_backup_file:dir getattr; allow media_app cache_backup_file:dir getattr;
# Read files in the rootdir
allow media_app rootfs:file r_file_perms;
# Allow platform apps to mark platform app data files as download files
allow media_app platform_app_data_file:dir relabelfrom;
allow media_app download_file:dir relabelto;
# Apps signed with the shared key. # Apps signed with the shared key.
type shared_app, domain; type shared_app, domain;
...@@ -83,6 +89,7 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_ ...@@ -83,6 +89,7 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
allow platformappdomain sdcard_type:dir create_dir_perms; allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms; allow platformappdomain sdcard_type:file create_file_perms;
# #
# Untrusted apps. # Untrusted apps.
# #
...@@ -180,3 +187,7 @@ allow { appdomain isolated_app } backup_data_file:file { read write }; ...@@ -180,3 +187,7 @@ allow { appdomain isolated_app } backup_data_file:file { read write };
allow { appdomain isolated_app } cache_backup_file:file { read write }; allow { appdomain isolated_app } cache_backup_file:file { read write };
# Backup ability using 'adb backup' # Backup ability using 'adb backup'
allow { appdomain isolated_app } system_data_file:lnk_file getattr; allow { appdomain isolated_app } system_data_file:lnk_file getattr;
# Allow all applications to read downloaded files
allow appdomain download_file:file r_file_perms;
file_type_auto_trans(appdomain, download_file, download_file)
file.te
+ 2
0
View file @ bfb26e7b
...@@ -79,6 +79,8 @@ type security_file, file_type; ...@@ -79,6 +79,8 @@ type security_file, file_type;
# vary per device, so this type is used in per # vary per device, so this type is used in per
# device policy # device policy
type bluetooth_efs_file, file_type; type bluetooth_efs_file, file_type;
# Downloaded files
type download_file, file_type;
# Socket types # Socket types
type adbd_socket, file_type; type adbd_socket, file_type;
......
file_contexts
+ 2
0
View file @ bfb26e7b
...@@ -186,6 +186,8 @@ ...@@ -186,6 +186,8 @@
/data/data/com.android.settings/files/wallpaper u:object_r:wallpaper_file:s0 /data/data/com.android.settings/files/wallpaper u:object_r:wallpaper_file:s0
# Wallpaper file for other users # Wallpaper file for other users
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0 /data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
# Downloaded files
/data/data/com.android.providers.downloads/cache u:object_r:download_file:s0
############################# #############################
# efs files # efs files
# #
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment