gatekeeperd: use more specific label for /data file Use a more specific label for /data/misc/gatekeeper Rearrange some other rules. Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5

commit: 367757d2ef0ee5c8edc47ce8203a0d3369774e9c [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Apr 17 17:56:31 2015 -0700
committer: Nick Kralevich <nnk@google.com> Fri Apr 17 17:56:31 2015 -0700
tree: e6b2261fe6846c348c9e468905b0170c38a67705
parent: 6db824a7d909df2235ab6893a07aa9859ec99570 [diff]
diff --git a/file.te b/file.te
index 2022b95..7bd3843 100644
--- a/file.te
+++ b/file.te

@@ -101,6 +101,7 @@
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
+type gatekeeper_data_file, file_type, data_file_type;
 type keychain_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;

diff --git a/file_contexts b/file_contexts
index eef0fd3..e36a6c3 100644
--- a/file_contexts
+++ b/file_contexts

@@ -229,6 +229,7 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0

diff --git a/gatekeeperd.te b/gatekeeperd.te
index 5f27aa9..39d9d21 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te

@@ -18,11 +18,7 @@
 allow gatekeeperd permission_service:service_manager find;
 
 # for SID file access
-allow gatekeeperd system_data_file:dir { add_name write};
-allow gatekeeperd system_data_file:file { write create open };
-
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;

diff --git a/untrusted_app.te b/untrusted_app.te
index 5ad8c79..1b7aaee 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te

@@ -93,6 +93,10 @@
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 ###
 ### neverallow rules
 ###
commit	367757d2ef0ee5c8edc47ce8203a0d3369774e9c	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Apr 17 17:56:31 2015 -0700
committer	Nick Kralevich <nnk@google.com>	Fri Apr 17 17:56:31 2015 -0700
tree	e6b2261fe6846c348c9e468905b0170c38a67705
parent	6db824a7d909df2235ab6893a07aa9859ec99570 [diff]