From f6cbbe255bc57a241f35c35629705e8f63bdd77a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 19 Mar 2012 10:29:36 -0400
Subject: [PATCH] Introduce a separate wallpaper_file type for the wallpaper
 file.

---
 app.te        | 3 +++
 file.te       | 2 ++
 file_contexts | 2 ++
 system.te     | 8 ++++++++
 4 files changed, 15 insertions(+)

diff --git a/app.te b/app.te
index fa16910a5..99c8e6a52 100644
--- a/app.te
+++ b/app.te
@@ -96,6 +96,9 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { read write };
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.
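Review bot: The new `allow appdomain wallpaper_file:file { read write };` gives every app domain write access to the wallpaper, and its comment does not say why `open` is left out. If the intent is that apps only ever use a descriptor handed over by the system server, the comment should record it, e.g. `# Apps receive an already-open fd from the system server over Binder; open is deliberately not granted.` An app that calls fstat() on that descriptor would also need `getattr`, which is not in the set, so it is worth checking the audit log for denials before merging.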
diff --git a/file.te b/file.te
index a7318c4ad..7d7f5fc9e 100644
--- a/file.te
+++ b/file.te
@@ -52,6 +52,8 @@ type app_data_file, file_type, data_file_type;
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type;
 
 # Socket types
 type bluetooth_socket, file_type;
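Review bot: `wallpaper_file` is declared with `file_type` only, although the file_contexts hunk places it under /data/data and the app.te hunk shares it with all app domains. The neighbouring types carry `data_file_type` (app_data_file) or `mlstrustedobject` (cache_file). Without the former, rules written against the `data_file_type` attribute will not cover the wallpaper. Without the latter, apps running at a level other than s0 would likely be denied by the MLS constraints. If either omission is deliberate, say so in the comment, e.g. `# Wallpaper file; intentionally not data_file_type so attribute-wide data rules do not apply.`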
diff --git a/file_contexts b/file_contexts
index 550fa9a4e..9c8325a2b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -118,6 +118,8 @@
 /data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
 # App sandboxes
 /data/data/.*		u:object_r:app_data_file:s0
+# Wallpaper file.
+/data/data/com.android.settings/files/wallpaper	u:object_r:wallpaper_file:s0
 #############################
 # efs files
 #
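Review bot: The dots in `/data/data/com.android.settings/files/wallpaper` are unescaped, so as a regular expression the entry matches any character at those positions. Writing it as `/data/data/com\.android\.settings/files/wallpaper` keeps the label to the one intended path. The entry also appears to depend on taking precedence over `/data/data/.*` just above it, so a short comment noting that it must stay after that line would help whoever reorders the file.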
diff --git a/system.te b/system.te
index 8740c6b0f..7f299c92e 100644
--- a/system.te
+++ b/system.te
@@ -15,6 +15,9 @@ binder_transfer(system_app, appdomain)
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
 
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
@@ -137,6 +140,11 @@ allow system rootfs:file r_file_perms;
 allow system apk_tmp_file:file { relabelfrom relabelto };
 allow system apk_data_file:file { relabelfrom relabelto };
 
+# Relabel wallpaper.
+allow system system_data_file:file relabelfrom;
+allow system wallpaper_file:file relabelto;
+allow system wallpaper_file:file r_file_perms;
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;
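Review bot: `allow system system_data_file:file relabelfrom;` is not limited to the wallpaper. Together with `relabelto` on `wallpaper_file`, it lets the system domain turn any `system_data_file` file into a type that every app domain may read and write through a passed descriptor. Type enforcement cannot narrow this by path, so the comment should state the expected use, e.g. `# system creates the wallpaper as system_data_file, then relabels only that file to wallpaper_file.` Separately, after the relabel the system domain holds only `r_file_perms` on `wallpaper_file` in this patch. If it is the process that opens the file for writing on behalf of apps, it likely also needs `write` (and `setattr`/`unlink` if it replaces the file), unless a rule elsewhere already covers this.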
-- 
GitLab