SEPolicy for Staged Installs.

Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac

private/apexd.te

@@ -46,6 +46,10 @@ allow apexd apex_mnt_dir:lnk_file create_file_perms;
 allow apexd apk_tmp_file:file relabelfrom;
 allow apexd apex_data_file:file relabelto;
 
+# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 

private/compat/26.0/26.0.ignore.cil

@@ -142,6 +142,7 @@
     secure_element_service
     server_configurable_flags_data_file
     slice_service
+    staging_data_file
     stats
     stats_data_file
     stats_exec

private/compat/27.0/27.0.ignore.cil

@@ -141,6 +141,7 @@
     statsdw_socket
     storaged_data_file
     super_block_device
+    staging_data_file
     system_boot_reason_prop
     system_lmk_prop
     system_suspend_hwservice

private/compat/28.0/28.0.ignore.cil

@@ -75,10 +75,11 @@
     rss_hwm_reset_exec
     runtime_service
     sensor_privacy_service
+    server_configurable_flags_data_file
     super_block_device
     system_lmk_prop
     system_suspend_hwservice
-    server_configurable_flags_data_file
+    staging_data_file
     time_prop
     timedetector_service
     timezonedetector_service

private/domain.te

@@ -138,6 +138,17 @@ neverallow {
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server } staging_data_file:file
+  { append create unlink relabelfrom rename setattr write no_x_file_perms };
+
 neverallow {
     domain
     -appdomain # for oemfs

private/file_contexts

@@ -429,6 +429,7 @@
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
 /data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/staging(/.*)?		u:object_r:staging_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0

private/system_server.te

@@ -471,6 +471,10 @@ allow system_server wifi_data_file:file create_file_perms;
 allow system_server zoneinfo_data_file:dir create_dir_perms;
 allow system_server zoneinfo_data_file:file create_file_perms;
 
+# Manage /data/staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
 allow system_server {

public/file.te

@@ -253,6 +253,8 @@ type preloads_media_file, file_type, data_file_type, core_data_file_type;
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/server_configurable_flags
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;