From 21b2b203f447de27f8b0ca5d4cd7e1180b1ed648 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 30 Jan 2018 13:54:42 -0800
Subject: Correctly label data types

Data outside /data/vendor must have the core_data_file_type
attribute.

Test: build (this is a build time test)
Bug: 34980020
Change-Id: I7edb172242ad9edca14f2fde6c4fb1f8ee888ae7
---
 sepolicy/crash_collector.te | 2 +-
 sepolicy/dump_bq25892.te    | 2 +-
 sepolicy/file_contexts      | 2 +-
 sepolicy/tee.te             | 5 ++++-
 sepolicy/touch_fw_update.te | 2 +-
 5 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/sepolicy/crash_collector.te b/sepolicy/crash_collector.te
index 3aa612b..ac89e1c 100644
--- a/sepolicy/crash_collector.te
+++ b/sepolicy/crash_collector.te
@@ -1,6 +1,6 @@
 type crash_collector, domain, device_domain_deprecated;
 type crash_collector_exec, exec_type, file_type;
-type crash_reports_data_file, file_type, data_file_type;
+type crash_reports_data_file, file_type, data_file_type, core_data_file_type;
 
 # To start crash_collector via /proc/sys/core_pattern.
 domain_auto_trans(kernel, crash_collector_exec, crash_collector)
diff --git a/sepolicy/dump_bq25892.te b/sepolicy/dump_bq25892.te
index 286de95..6f397c7 100644
--- a/sepolicy/dump_bq25892.te
+++ b/sepolicy/dump_bq25892.te
@@ -2,7 +2,7 @@
 # which is used to debug information about the state of the charger chip
 type dump_bq25892, domain, device_domain_deprecated;
 type dump_bq25892_exec, exec_type, file_type;
-type fw_logs_data_file, file_type, data_file_type;
+type fw_logs_data_file, file_type, data_file_type, core_data_file_type;
 
 init_daemon_domain(dump_bq25892)
 
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index de95310..4b47ea2 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -62,7 +62,7 @@
 /dev/tlk_device                                 u:object_r:tee_device:s0
 
 # secure os storage
-/data/ss(/.*)?                                  u:object_r:tee_data_file:s0
+/data/ss(/.*)?                                  u:object_r:dragon_tee_data_file:s0
 
 # tlk_daemon
 /vendor/bin/tlk_daemon                          u:object_r:tee_exec:s0
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 6888483..5788c22 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,4 +1,7 @@
-allow tee tee_data_file:dir create_dir_perms;
+type dragon_tee_data_file, file_type, data_file_type, core_data_file_type;
+
+allow tee dragon_tee_data_file:dir create_dir_perms;
+allow tee dragon_tee_data_file:file create_file_perms;
 allow tee self:capability { setuid setgid sys_rawio };
 allow tee block_device:dir search;
 allow tee rpmb_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/touch_fw_update.te b/sepolicy/touch_fw_update.te
index 2f62e04..5f5d775 100644
--- a/sepolicy/touch_fw_update.te
+++ b/sepolicy/touch_fw_update.te
@@ -1,7 +1,7 @@
 # init runs /system/bin/touchfwup.sh
 type touch_fw_update, domain, device_domain_deprecated;
 type touch_fw_update_exec, exec_type, file_type;
-type touch_fw_update_log_file, file_type, data_file_type;
+type touch_fw_update_log_file, file_type, data_file_type, core_data_file_type;
 
 init_daemon_domain(touch_fw_update)
 
-- 
cgit v1.2.3