Restore system_app access to system-owned /data directories.

System UID apps want to be able to create/write to system-owned
/data directories outside of their own /data/data package directory,
such as /data/system/cache and /data/misc/keychain.  Restore access
(which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when
system_app_data_file was introduced for the /data/data package
directories of system UID apps), but audit writes to system_data_file
so we can look at introducing separate types for these directories in
the future and ultimately remove access to the rest of the system-owned
data.

Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/system_app.te b/system_app.te
index 5d0eca7..05f1b6c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -13,6 +13,15 @@
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read and write to other system-owned /data directories, such as
+# /data/system/cache and /data/misc/keychain.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+# Audit writes to these directories and files so we can identify
+# and possibly move these directories into their own type in the future.
+auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
+auditallow system_app system_data_file:file { create setattr append write link unlink rename };
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
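Review bot: The comment above the two new `allow` rules says "Read and write" and names two directories, but `create_dir_perms` and `create_file_perms` on `system_data_file` apply to everything carrying that type. Judging by the operations the `auditallow` lines list, the grant also covers creating, renaming and removing entries, which the commit message itself treats as broader than the end goal. I would mark the grant as transitional in the comment, e.g. `# Transitional: covers everything labelled system_data_file; narrow to dedicated types once the auditallow records show which paths are actually written.` The directory `auditallow` set also omits `write` and `reparent`, while the file set includes `write`. The macro definitions are not in this hunk, so if `create_dir_perms` expands to those permissions, a short comment saying that `add_name`/`remove_name` are relied on to catch directory modifications would make the omission read as deliberate.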