Define a type for /data/dalvik-cache/profiles.

I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles
subdirectory to /data/dalvik-cache with files that must be
app-writable.  As a result, we have denials such as:
W/Profiler( 3328): type=1400 audit(0.0:199): avc:  denied  { write } for  name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null)
W/auditd  (  286): type=1307 audit(0.0:199):  cwd="/"
W/auditd  (  286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0

We do not want to allow untrusted app domains to write to the
existing type on other /data/dalvik-cache files as that could be used
for code injection into another app domain, the zygote or the system_server.
So define a new type for this subdirectory.  The restorecon_recursive /data
in init.rc will fix the labeling on devices that already have a profiles
directory created.  For correct labeling on first creation, we also need
a separate change to installd under the same change id.

Bug: 13927667
Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley 2014-04-09 14:24:33 -04:00 committed by Nick Kralevich
parent 02f9e93ace
commit 19c509034e
5 changed files with 10 additions and 0 deletions

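--- a/app.te
+++ b/app.te
@@ -120,6 +120,9 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
+# /data/dalvik-cache/profiles
+allow appdomain dalvikcache_profiles_data_file:file write;
 # For legacy unlabeled userdata on existing devices.
 # See discussion of Unlabeled files in domain.te for more information.
 allow appdomain unlabeled:file x_file_perms;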
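Review bot: The new `allow appdomain dalvikcache_profiles_data_file:file write;` grants every app domain write access to every profile file, so isolation between apps' profiles rests entirely on the DAC mode and ownership installd assigns (the denial quoted in the description shows a 0664 file owned by uid 1012 with group 50019, which is not the writing app's own gid 10019), not on this policy. That split is consistent with the commit message, but it is worth stating beside the rule so a later change to installd's ownership scheme is recognised as security-relevant: `# MAC allows any appdomain to write any profile; per-app separation is DAC only (ownership set by installd).` The rule grants write without create or dir add_name, so apps can only modify profiles installd has already created, which matches the description; the third addition the hunk header counts (presumably a blank line) is not shown on this rendered page.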

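--- a/domain.te
+++ b/domain.te
@@ -100,6 +100,8 @@ allow domain apk_data_file:file r_file_perms;
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
 allow domain dalvikcache_data_file:file r_file_perms;
+allow domain dalvikcache_profiles_data_file:dir { search getattr };
+allow domain dalvikcache_profiles_data_file:file r_file_perms;
 # Read already opened /cache files.
 allow domain cache_file:dir r_dir_perms;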
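Review bot: `allow domain dalvikcache_profiles_data_file:file r_file_perms;` lets every domain on the device read every app's profile, which is broader than the commit message justifies: the denial being fixed is an untrusted_app write, and the readers presumably are the app itself plus the runtime components that consume profiles. Profile contents describe which code an app executes, so if the consumers are known, scoping the read rule to appdomain and those domains rather than `domain` would be tighter. If the device-wide read is deliberate for parity with the `dalvikcache_data_file` rules just above, a one-line comment would save the next reviewer the question, e.g. `# Readable by all domains like the rest of /data/dalvik-cache; only installd creates and only apps write.`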

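--- a/file.te
+++ b/file.te
@@ -52,6 +52,8 @@ type apk_private_data_file, file_type, data_file_type;
 type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
+# /data/dalvik-cache/profiles
+type dalvikcache_profiles_data_file, file_type, data_file_type;
 # /data/local - writable by shell
 type shell_data_file, file_type, data_file_type;
 # /data/gps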
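Review bot: The comment on the new type only names the path; the reason the subdirectory gets a type of its own (it is app-writable, and app write must not reach the rest of /data/dalvik-cache where it could be used for code injection into another app, the zygote or system_server) lives only in the commit message and will be invisible to readers of file.te. The neighbouring `# /data/local - writable by shell` comment already follows the path-plus-writer convention, so the new line should too: `# /data/dalvik-cache/profiles - app-writable; kept distinct from dalvikcache_data_file so app write cannot reach compiled code`.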

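--- a/file_contexts
+++ b/file_contexts
@@ -168,6 +168,7 @@
 /data/drm(/.*)? u:object_r:drm_data_file:s0
 /data/gps(/.*)? u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)? u:object_r:anr_data_file:s0
 /data/app(/.*)? u:object_r:apk_data_file:s0
 /data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0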
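Review bot: The new `/data/dalvik-cache/profiles(/.*)?` entry only takes effect because it is listed after the broader `/data/dalvik-cache(/.*)?` line, since file_contexts lookup gives the last matching entry precedence, and nothing in the file records that dependency. A later reorder (for example sorting the /data entries alphabetically) would silently relabel profiles back to dalvikcache_data_file, the restorecon_recursive mentioned in the description would apply the wrong label, and the write denial would return. Suggest a comment on the new line: `# Must stay after the /data/dalvik-cache entry above: the later match wins.`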

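--- a/installd.te
+++ b/installd.te
@@ -9,6 +9,8 @@ allow installd self:capability { chown dac_override fowner fsetid setgid setuid
 allow installd system_data_file:file create_file_perms;
 allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_profiles_data_file:dir create_dir_perms;
+allow installd dalvikcache_profiles_data_file:file create_file_perms;
 allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:{ file_class_set } { getattr unlink };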
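Review bot: `allow installd dalvikcache_profiles_data_file:dir create_dir_perms;` is already implied by the existing `allow installd data_file_type:dir create_dir_perms;` two lines below, because the new type is declared with the data_file_type attribute in this same commit. The duplicate is harmless in the compiled policy, but either the type-specific dir line should go or a comment should say the explicit rule is intentional documentation of installd's role as the only creator. The `:file create_file_perms` rule is the one that actually adds access, since the attribute-wide file rule on the last line only grants getattr and unlink; a comment such as `# installd creates /data/dalvik-cache/profiles and the per-app profile files; apps only get write.` would make that intent clear.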