am 7fd03e9c: Merge "remove shell_data_file from unconfined."

* commit '7fd03e9c83cf60d8864bb2a0d6090fb85de2aed6': remove shell_data_file from unconfined.
2014-06-09 19:32:08 +00:00 · 2014-06-09 19:32:08 +00:00 · 3e7eddf70e
commit 3e7eddf70e
parent a8890f9381 7fd03e9c83
2 changed files with 22 additions and 2 deletions
--- a/init.te
+++ b/init.te
@ -54,6 +54,10 @@ allow init watchdogd:process transition;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };

+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
 # setexec is for services with seclabel options.
 # setfscreate is for labeling directories and socket files.
--- a/unconfined.te
+++ b/unconfined.te
@ -49,13 +49,29 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {
+    file_type
+    -keystore_data_file
+    -property_data_file
+    -system_file
+    -exec_type
+    -security_file
+    -shell_data_file
+}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {
+    file_type
+    -keystore_data_file
+    -property_data_file
+    -system_file
+    -exec_type
+    -security_file
+    -shell_data_file
+}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;