Add support for and use new path= specifier in seapp_contexts.

Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.

After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.

Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.

Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

1 files changed, 4 insertions, 1 deletions

diff --git a/seapp_contexts b/seapp_contexts
index 2049b8a..6c0a9a3 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -3,6 +3,7 @@
 #	user (string)
 #	seinfo (string)
 #	name (string)
+#	path (string)
 #	sebool (string)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
@@ -19,7 +20,8 @@
 #	  (4) Longer user= prefix before shorter user= prefix. 
 #	  (5) Specified seinfo= string before unspecified seinfo= string.
 #	  (6) Specified name= string before unspecified name= string.
-#	  (7) Specified sebool= string before unspecified sebool= string.
+#	  (7) Specified path= string before unspecified path= string.
+#	  (8) Specified sebool= string before unspecified sebool= string.
 #
 # Outputs:
 #	domain (string)
@@ -41,6 +43,7 @@ user=_app domain=untrusted_app type=app_data_file levelFrom=none
 user=_app seinfo=platform domain=platform_app type=platform_app_data_file
 user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
 user=_app seinfo=release domain=release_app type=platform_app_data_file
 user=_isolated domain=isolated_app
 user=shell domain=shell type=shell_data_file