From 2ad229c7886b7cc4534eadbad4ef47d07bc6f69a Mon Sep 17 00:00:00 2001
From: Narayan Kamath <narayan@google.com>
Date: Mon, 14 Jan 2019 15:02:12 +0000
Subject: [PATCH] Add initial sepolicy for app data snapshots.

Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.

A follow-up change will flesh out the access policy on these
directories in more detail.

Test: make, manual
Bug: 112431924

Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
---
 private/file.te                 | 4 ++++
 private/file_contexts           | 4 ++++
 private/vold_prepare_subdirs.te | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/private/file.te b/private/file.te
index 6704c7934..a856792f9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -16,3 +16,7 @@ type debugfs_kcov, fs_type, debugfs_type;
 # App executable files in /data/data directories
 type app_exec_data_file, file_type, data_file_type, core_data_file_type;
 typealias app_exec_data_file alias rs_data_file;
+
+# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
+# of application data.
+type rollback_data_file, file_type, data_file_type, core_data_file_type;
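Review bot: The new type carries `data_file_type` and `core_data_file_type`, so any rule already written against those attributes applies to snapshot contents as soon as this lands, while the dedicated access policy is deferred to a follow-up. Because these directories hold copies of application data, the comment should state the intended boundary, for example `# Holds copies of app-private data; access is meant to stay limited to installd and vold_prepare_subdirs.` (adjust the domain list to the real design). A `neverallow` on `rollback_data_file:file`, landed with the type or with the follow-up, would make a later attribute-wide grant fail at build time. Its exempted domains need checking against the attribute-based rules elsewhere in the policy, which are not visible in this patch.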
diff --git a/private/file_contexts b/private/file_contexts
index 0605ee495..11f8f6e58 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -514,6 +514,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# App data snapshots (managed by installd).
+/data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
+/data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
+
 #############################
 # Expanded data files
 #
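Review bot: Both new entries label the whole snapshot tree `rollback_data_file:s0`, so files under it carry no MLS categories and are separated from other domains by type enforcement alone, presumably unlike the live app data they are copied from. That deserves a line in the comment, e.g. `# Labelled s0 without categories: isolation of snapshot contents relies on the TE rules for rollback_data_file.` The entries also cover only `/data/misc_[ce|de]`, and the "Expanded data files" section that begins right after this hunk is not touched. If snapshots can ever be created on adopted storage, those paths would not get this label, which is worth confirming before the follow-up policy is written.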
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e93e1e5cc..09d0ca923 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -17,6 +17,7 @@ allow vold_prepare_subdirs {
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
+    rollback_data_file
     storaged_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
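Review bot: `rollback_data_file` is added to two allow sets, but only the first shows its class and permissions (`dir { create_dir_perms relabelto }`). The second rule, in the `@@ -24,6 +25,7 @@` hunk, opens and closes outside the visible lines, so what it grants on snapshot contents cannot be checked from this patch. If that rule covers `file`, it should stay limited to what directory preparation and teardown need rather than read or open access, since the snapshots are copies of app data. Neither set has a comment tying the new entry to its purpose; a line such as `# rollback_data_file: per-user snapshot dirs under /data/misc_[ce|de]/<user>/rollback` above the first set would help the next reviewer.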
@@ -24,6 +25,7 @@ allow vold_prepare_subdirs {
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
+    rollback_data_file
     storaged_data_file
     system_data_file
     vold_data_file
-- 
GitLab