Correctly label data types
Data outside /data/vendor must have the core_data_file_type
attribute.
Test: build (this is a build time test)
Bug: 34980020
Change-Id: I7edb172242ad9edca14f2fde6c4fb1f8ee888ae7
diff --git a/sepolicy/crash_collector.te b/sepolicy/crash_collector.te
index 3aa612b..ac89e1c 100644
--- a/sepolicy/crash_collector.te
+++ b/sepolicy/crash_collector.te
@@ -1,6 +1,6 @@
type crash_collector, domain, device_domain_deprecated;
type crash_collector_exec, exec_type, file_type;
-type crash_reports_data_file, file_type, data_file_type;
+type crash_reports_data_file, file_type, data_file_type, core_data_file_type;
# To start crash_collector via /proc/sys/core_pattern.
domain_auto_trans(kernel, crash_collector_exec, crash_collector)
diff --git a/sepolicy/dump_bq25892.te b/sepolicy/dump_bq25892.te
index 286de95..6f397c7 100644
--- a/sepolicy/dump_bq25892.te
+++ b/sepolicy/dump_bq25892.te
@@ -2,7 +2,7 @@
# which is used to debug information about the state of the charger chip
type dump_bq25892, domain, device_domain_deprecated;
type dump_bq25892_exec, exec_type, file_type;
-type fw_logs_data_file, file_type, data_file_type;
+type fw_logs_data_file, file_type, data_file_type, core_data_file_type;
init_daemon_domain(dump_bq25892)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index de95310..4b47ea2 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -62,7 +62,7 @@
/dev/tlk_device u:object_r:tee_device:s0
# secure os storage
-/data/ss(/.*)? u:object_r:tee_data_file:s0
+/data/ss(/.*)? u:object_r:dragon_tee_data_file:s0
# tlk_daemon
/vendor/bin/tlk_daemon u:object_r:tee_exec:s0
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 6888483..5788c22 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,4 +1,7 @@
-allow tee tee_data_file:dir create_dir_perms;
+type dragon_tee_data_file, file_type, data_file_type, core_data_file_type;
+
+allow tee dragon_tee_data_file:dir create_dir_perms;
+allow tee dragon_tee_data_file:file create_file_perms;
allow tee self:capability { setuid setgid sys_rawio };
allow tee block_device:dir search;
allow tee rpmb_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/touch_fw_update.te b/sepolicy/touch_fw_update.te
index 2f62e04..5f5d775 100644
--- a/sepolicy/touch_fw_update.te
+++ b/sepolicy/touch_fw_update.te
@@ -1,7 +1,7 @@
# init runs /system/bin/touchfwup.sh
type touch_fw_update, domain, device_domain_deprecated;
type touch_fw_update_exec, exec_type, file_type;
-type touch_fw_update_log_file, file_type, data_file_type;
+type touch_fw_update_log_file, file_type, data_file_type, core_data_file_type;
init_daemon_domain(touch_fw_update)
