From 4c40d7344ce20872a4cabf2117b90f31d29d1ad2 Mon Sep 17 00:00:00 2001
From: Chad Brubaker
Date: Wed, 25 Jan 2017 14:55:56 -0800
Subject: [PATCH] Merge ephemeral data and apk files into app

The rules for the two types were the same and /data/app-ephemeral is being removed. Remove these types.
Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
---
 private/ephemeral_app.te | 10 +---------
 private/file_contexts | 4 ----
 private/platform_app.te | 10 +++-------
 private/seapp_contexts | 2 +-
 private/webview_zygote.te | 1 -
 public/adbd.te | 4 ++--
 public/dex2oat.te | 4 ++--
 public/domain.te | 1 -
 public/drmserver.te | 2 +-
 public/file.te | 4 ----
 public/installd.te | 12 +++++-------
 public/system_server.te | 12 +++---------
 12 files changed, 18 insertions(+), 48 deletions(-)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3e58ccf98..b4a21814b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -14,14 +14,6 @@
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)
-# App sandbox file accesses.
-allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
-allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
-allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
-
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
@@ -36,7 +28,7 @@ allow ephemeral_app app_api_service:service_manager find;
 ###
 # Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
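Review bot: The two `allow` blocks removed in the first hunk have no replacement in this file, so ephemeral_app's access to its sandbox and to installed APKs must now come from rules written for `app_data_file` and `apk_data_file` elsewhere, presumably via `app_domain(ephemeral_app)`, which this diff does not show. Please confirm those rules grant no more than the removed ones did; the old sandbox grant was limited to `create_file_perms` on `{ file sock_file fifo_file }`. In the second hunk the comment above the neverallow should name the new label, for example `# Ephemeral app home directories are labeled app_data_file; executable content must never be loaded from them.` Both hunks show only part of the file.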
diff --git a/private/file_contexts b/private/file_contexts
index aa495ec56..0bf16c8ce 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -304,10 +304,6 @@
 /data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/app-private(/.*)? u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
-/data/app-ephemeral(/.*)? u:object_r:ephemeral_apk_data_file:s0
-/data/app-ephemeral/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)? u:object_r:ephemeral_apk_tmp_file:s0
-/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
 /data/media(/.*)? u:object_r:media_rw_data_file:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 674784846..dde1c7181 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -14,10 +14,10 @@ bluetooth_domain(platform_app)
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
 # created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
 allow platform_app apk_private_data_file:dir search;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
@@ -56,8 +56,4 @@ allow platform_app vr_manager_service:service_manager find;
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
-# Access to ephemeral APKs
-allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
-allow platform_app ephemeral_apk_data_file:file r_file_perms;
-
 read_runtime_log_tags(platform_app)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 85980e9e4..0a30829bd 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -94,6 +94,6 @@ user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isEphemeralApp=true domain=ephemeral_app type=ephemeral_data_file levelFrom=all
+user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app type=app_data_file levelFrom=user
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b5cab2c0c..b5a3af9c9 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -79,7 +79,6 @@ neverallow webview_zygote {
 nfc_data_file
 radio_data_file
 shell_data_file
- ephemeral_data_file
 }:file { rwx_file_perms };
 neverallow webview_zygote {
diff --git a/public/adbd.te b/public/adbd.te
index f0df8b158..e3b0ebbe6 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -82,8 +82,8 @@ userdebug_or_eng(`
 ')
 # ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd { app_data_file ephemeral_data_file }:dir search;
-allow adbd { app_data_file ephemeral_data_file }:sock_file write;
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
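Review bot: With `type=app_data_file` on the `isEphemeralApp=true` entry, ephemeral app data can no longer be told apart from installed-app data by type, so every rule that names `app_data_file` now reaches it. Separation between the two then rests on the categories assigned by `levelFrom=all` rather than on type enforcement, and domains exempt from the MLS constraints would see both alike; the `app_data_file` rules of such domains are worth auditing as part of this merge. I would record the dependency next to the entry, `# Ephemeral apps share app_data_file with installed apps; isolation depends on levelFrom=all.`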
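Review bot: Dropping `ephemeral_data_file` from this neverallow keeps webview_zygote away from ephemeral app data only if `app_data_file` is already a member of the same set. The set opens above the hunk and the visible entries are `nfc_data_file`, `radio_data_file` and `shell_data_file`, so this cannot be confirmed from the diff. If it is missing, add `app_data_file` to the list so the assertion survives the type merge.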
diff --git a/public/dex2oat.te b/public/dex2oat.te
index f4a7418c3..e5472960f 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -2,7 +2,7 @@
 type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
-r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
+r_dir_file(dex2oat, apk_data_file)
 allow dex2oat tmpfs:file { read getattr };
@@ -19,7 +19,7 @@ allow dex2oat installd:fd use;
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
-allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
+allow dex2oat apk_tmp_file:file read;
 allow dex2oat user_profile_data_file:file { getattr read lock };
 # Allow dex2oat to compile app's secondary dex files which were reported back to
diff --git a/public/domain.te b/public/domain.te
index 868901728..8bdd54804 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -309,7 +309,6 @@ neverallow {
 -dalvikcache_data_file
 -system_data_file # shared libs in apks
 -apk_data_file
- -ephemeral_apk_data_file
 }:file no_x_file_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
diff --git a/public/drmserver.te b/public/drmserver.te
index 453ce1213..825e828bf 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,7 +21,7 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file ephemeral_data_file}:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
diff --git a/public/file.te b/public/file.te
index c48e04ede..e56279820 100644
--- a/public/file.te
+++ b/public/file.te
@@ -103,9 +103,6 @@ type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
 type apk_private_data_file, file_type, data_file_type;
 type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/app-ephemeral - ephemeral apps
-type ephemeral_apk_data_file, file_type, data_file_type;
-type ephemeral_apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
@@ -181,7 +178,6 @@ type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
-type ephemeral_data_file, file_type, data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
diff --git a/public/installd.te b/public/installd.te
index 08255a4c0..08c438d6f 100644
--- a/public/installd.te
+++ b/public/installd.te
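Review bot: Deleting `ephemeral_apk_data_file`, `ephemeral_apk_tmp_file` and, in the second hunk, `ephemeral_data_file` leaves any file that already carries one of these labels with a context the new policy does not define, which would most likely be handled as `unlabeled` until something relabels it. The commit message covers /data/app-ephemeral going away but says nothing about existing ephemeral app directories under /data/data. If such data can exist on a device taking this update, the change needs a relabel path to `app_data_file`; if not, a sentence in the commit message saying that no shipped build used these types would settle it. The types are declared under public/, so any policy outside this tree that references them would also stop compiling.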
@@ -9,13 +9,13 @@ allow installd dalvikcache_data_file:dir relabelto;
 allow installd dalvikcache_data_file:file { relabelto link };
 # Allow movement of APK files between volumes
-allow installd {apk_data_file ephemeral_apk_data_file}:dir { create_dir_perms relabelfrom };
-allow installd {apk_data_file ephemeral_apk_data_file}:file { create_file_perms relabelfrom link };
-allow installd {apk_data_file ephemeral_apk_data_file}:lnk_file { create r_file_perms unlink };
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
 allow installd asec_apk_file:file r_file_perms;
-allow installd {apk_tmp_file ephemeral_apk_tmp_file}:file { r_file_perms unlink };
-allow installd {apk_tmp_file ephemeral_apk_tmp_file}:dir { relabelfrom create_dir_perms };
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
@@ -88,7 +88,6 @@ allow installd {
 radio_data_file
 shell_data_file
 app_data_file
- ephemeral_data_file
 }:dir { create_dir_perms relabelfrom relabelto };
 allow installd {
@@ -98,7 +97,6 @@ allow installd {
 radio_data_file
 shell_data_file
 app_data_file
- ephemeral_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 # Similar for the files under /data/misc/profiles/
diff --git a/public/system_server.te b/public/system_server.te
index 24262832a..78784b71f 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -272,12 +272,6 @@ allow system_server apk_private_data_file:file create_file_perms;
 allow system_server apk_private_tmp_file:dir create_dir_perms;
 allow system_server apk_private_tmp_file:file create_file_perms;
-# Manage /data/app-ephemeral
-allow system_server ephemeral_apk_data_file:dir create_dir_perms;
-allow system_server ephemeral_apk_data_file:file create_file_perms;
-allow system_server ephemeral_apk_tmp_file:dir create_dir_perms;
-allow system_server ephemeral_apk_tmp_file:file create_file_perms;
-
 # Manage files within asec containers.
 allow system_server asec_apk_file:dir create_dir_perms;
 allow system_server asec_apk_file:file create_file_perms;
@@ -326,7 +320,7 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file ephemeral_data_file }:dir { getattr read search };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -349,8 +343,8 @@ allow system_server media_rw_data_file:dir { search getattr open read };
 allow system_server media_rw_data_file:file { getattr read write append };
 # Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file ephemeral_apk_data_file}:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;