Add initial sepolicy for app data snapshots.

Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.

A follow up change will flesh out the access policy on these
directories in more detail.

Test: make, manual
Bug: 112431924

Change-Id: I4fa7187d9558697016af4918df6e34aac1957176

private/file.te

@@ -16,3 +16,7 @@ type debugfs_kcov, fs_type, debugfs_type;
 # App executable files in /data/data directories
 type app_exec_data_file, file_type, data_file_type, core_data_file_type;
 typealias app_exec_data_file alias rs_data_file;
+
+# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
+# of application data.
+type rollback_data_file, file_type, data_file_type, core_data_file_type;

private/file_contexts

@@ -514,6 +514,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# App data snapshots (managed by installd).
+/data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
+/data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
+
 #############################
 # Expanded data files
 #

private/vold_prepare_subdirs.te

@@ -17,6 +17,7 @@ allow vold_prepare_subdirs {
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
+    rollback_data_file
     storaged_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
@@ -24,6 +25,7 @@ allow vold_prepare_subdirs {
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
+    rollback_data_file
     storaged_data_file
     system_data_file
     vold_data_file