From 8c1a1b24725e49f0dce8ad371c7076b2ebfdde06 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Tue, 10 Apr 2018 20:49:45 -0700
Subject: [PATCH] Sepolicy for rw mount point for vendors.

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b46782a2a49bf5338732cf8c6abaf95de)
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/file_contexts               | 4 ++++
 public/domain.te                    | 6 ++++++
 public/file.te                      | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 68d6b409e..bc31452d0 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -66,6 +66,7 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
     network_watchlist_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1eaf22a7d..0571bfc78 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
     perfetto
diff --git a/private/file_contexts b/private/file_contexts
index 109f21908..4e2a7654b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -525,3 +525,7 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
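Review bot: The added pattern `/mnt/vendor(/.*)?` applies mnt_vendor_file to the whole subtree, while the comment above it (and the type's comment in public/file.te) describes only the mount point. Anything under /mnt/vendor that has no more specific vendor file_contexts entry would presumably fall back to this generic type, so the expectation on vendor policy should be stated here. I would extend the comment to something like `# mount point for read-write vendor partitions; vendor policy is expected to label mounted contents with its own types`. Minor style point: the label column on the new line starts one space to the left of the three entries above it.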
diff --git a/public/domain.te b/public/domain.te
index 0e815b607..9458d796a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1363,3 +1363,9 @@ userdebug_or_eng(`
   dontaudit domain proc_type:file create;
   dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+} mnt_vendor_file:dir *;
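Review bot: The added neverallow names only class `dir`, so the comment "Platform must not have access to /mnt/vendor" promises more than the rule enforces. A file, symlink or socket labeled mnt_vendor_file is not covered by it. Denying every dir permission does block path lookup through the directory, but the rule would not flag an allow that lets a coredomain use an already-open descriptor received from a vendor process. If the intent is the full subtree matched by `/mnt/vendor(/.*)?` in private/file_contexts, `} mnt_vendor_file:dir_file_class_set *;` would cover it. Otherwise, narrow the comment to say that only directory access is forbidden.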
diff --git a/public/file.te b/public/file.te
index 5a5ee80ba..01b489d71 100644
--- a/public/file.te
+++ b/public/file.te
@@ -225,6 +225,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;
 
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-- 
GitLab