gatekeeperd: use more specific label for /data file

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
diff --git a/file.te b/file.te
index 2022b95..7bd3843 100644
--- a/file.te
+++ b/file.te
@@ -101,6 +101,7 @@
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
+type gatekeeper_data_file, file_type, data_file_type;
 type keychain_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index eef0fd3..e36a6c3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -229,6 +229,7 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 5f27aa9..39d9d21 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -18,11 +18,7 @@
 allow gatekeeperd permission_service:service_manager find;
 
 # for SID file access
-allow gatekeeperd system_data_file:dir { add_name write};
-allow gatekeeperd system_data_file:file { write create open };
-
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/untrusted_app.te b/untrusted_app.te
index 5ad8c79..1b7aaee 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,6 +93,10 @@
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 ###
 ### neverallow rules
 ###