From f9c3257fbaa16dbbffe3493b103d0b16ada1c0b5 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 12 Mar 2014 13:39:38 -0400
Subject: [PATCH] Get rid of separate download_file type.

This appears to have been created to allow untrusted_app to
access DownloadProvider cache files without needing to allow
open access to platform_app_data_file.  Now that platform_app_data_file
is gone, there is no benefit to having this type.

Retain a typealias for download_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

This change depends on:
https://android-review.googlesource.com/#/c/87801/

Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te          | 4 ----
 file.te         | 3 +--
 file_contexts   | 2 --
 installd.te     | 2 --
 media_app.te    | 7 -------
 platform_app.te | 2 --
 seapp_contexts  | 1 -
 7 files changed, 1 insertion(+), 20 deletions(-)

diff --git a/app.te b/app.te
index 11e5f3366..06ede7263 100644
--- a/app.te
+++ b/app.te
@@ -98,10 +98,6 @@ allow appdomain cache_backup_file:file { read write getattr };
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
 
-# Allow all applications to read downloaded files
-allow appdomain download_file:dir search;
-allow appdomain download_file:file r_file_perms;
-
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
 
diff --git a/file.te b/file.te
index 3d85bcf72..6b7eda838 100644
--- a/file.te
+++ b/file.te
@@ -78,6 +78,7 @@ typealias audio_data_file alias audio_firmware_file;
 type app_data_file, file_type, data_file_type;
 # Compatibility with type name used in Android 4.3 and 4.4.
 typealias app_data_file alias platform_app_data_file;
+typealias app_data_file alias download_file;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default
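Review bot: The added `typealias app_data_file alias download_file;` in file.te sits directly under the comment about Android 4.3 and 4.4 type names, which describes the platform_app_data_file alias rather than this one, so nothing in the policy records that the new alias is temporary. I would add a comment above it such as `# Compatibility for existing on-disk download_file labels; remove once restorecon of /data/data is supported.` With the alias in place, anything still labeled download_file is governed by the app_data_file rules. It is worth confirming that installd, media_app and platform_app keep the access they need to the DownloadProvider cache through those rules, since the rules removed in installd.te, media_app.te and platform_app.te have no replacement in this patch. Likewise, the appdomain-wide read on download_file is dropped in app.te, so access to that cache now presumably rests on whatever app_data_file permits plus DAC, which should be checked against the change this one depends on.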
@@ -101,8 +102,6 @@ type security_file, file_type;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
-# Downloaded files
-type download_file, file_type;
 
 # Socket types
 type adbd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index fe9a94239..8751e7bd2 100644
--- a/file_contexts
+++ b/file_contexts
@@ -197,8 +197,6 @@
 
 # Wallpaper file for other users
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
-# Downloaded files
-/data/data/com.android.providers.downloads/cache u:object_r:download_file:s0
 #############################
 # efs files
 #
diff --git a/installd.te b/installd.te
index b9c212572..92bfe2f3d 100644
--- a/installd.te
+++ b/installd.te
@@ -16,8 +16,6 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { r_dir_perms write remove_name };
-allow installd download_file:file { r_file_perms unlink };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/media_app.te b/media_app.te
index cebf79ce4..5075cdfb2 100644
--- a/media_app.te
+++ b/media_app.te
@@ -13,12 +13,5 @@ allow media_app mtp_device:chr_file rw_file_perms;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
-# Create download files.
-allow media_app download_file:dir rw_dir_perms;
-allow media_app download_file:file create_file_perms;
-# Allow platform apps to mark platform app data files as download files
-relabelto_domain(media_app)
-allow media_app app_data_file:dir relabelfrom;
-allow media_app download_file:dir relabelto;
 
 # inherits from platformappdomain.te
diff --git a/platform_app.te b/platform_app.te
index ea49c00c2..ba8ed4b21 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -21,7 +21,5 @@ allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
-# Access download files.
-allow platform_app download_file:file rw_file_perms;
 
 # inherits from platformappdomain.te
diff --git a/seapp_contexts b/seapp_contexts
index 05f048692..eaa0c16d7 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -43,7 +43,6 @@ user=_app domain=untrusted_app type=app_data_file
 user=_app seinfo=platform domain=platform_app type=app_data_file
 user=_app seinfo=shared domain=shared_app type=app_data_file
 user=_app seinfo=media domain=media_app type=app_data_file
-user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
 user=_app seinfo=release domain=release_app type=app_data_file
 user=_isolated domain=isolated_app
 user=shell domain=shell type=shell_data_file
-- 
GitLab