From 9b398f3fb75128288eff8e0c2abb7c350f249c07 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Wed, 13 Jun 2018 08:02:29 -0700
Subject: [PATCH] fs_mgr: add overlayfs handling for squashfs system filesystems /cache/overlay directory in support of overlayfs mounts on userdebug and eng devices. Overlayfs in turn can be capable of supporting adb remount for read-only or restricted-storage filesystems like squashfs or right-sized (zero free space) system partitions respectively.
Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
---
 Android.mk | 8 +++++++-
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/file_contexts | 5 +++++
 private/file_contexts_overlayfs | 6 ++++++
 private/fs_use | 1 +
 public/file.te | 2 ++
 public/init.te | 5 +++++
 public/shell.te | 2 +-
 10 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 private/file_contexts_overlayfs
diff --git a/Android.mk b/Android.mk
index f31ddec63..9a99732c6 100644
--- a/Android.mk
+++ b/Android.mk
@@ -829,7 +829,10 @@ include $(BUILD_SYSTEM)/base_rules.mk
 local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
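Review bot: The `ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))` block added in the first Android.mk hunk (`@@ -829,7 +829,10 @@`) is what keeps the `system_file`/`vendor_file` labels for the writable `/cache/overlay/*/upper` directories out of user builds, and it is repeated verbatim in the second hunk (`@@ -917,6 +920,9 @@`) with no comment tying the two copies together. If one copy is later edited without the other, the two `local_fc_files` lists would presumably produce file_contexts outputs that disagree about those labels. Because `$(wildcard ...)` expands to nothing when the file is absent, a rename of `file_contexts_overlayfs` would also drop the entries without a build error. I would add above each copy a comment such as `# userdebug/eng only: labels overlayfs upper dirs; keep in sync with the other local_fc_files block in this file`.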
@@ -917,6 +920,9 @@ local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
 local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
+endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 056342b0c..ee202ba3a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -84,6 +84,7 @@
 netd_stable_secret_prop
 network_watchlist_data_file
 network_watchlist_service
+ overlayfs_file
 package_native_service
 perfetto
 perfetto_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index f99f9a7cf..b99de0603 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -72,6 +72,7 @@
 mnt_vendor_file
 network_watchlist_data_file
 network_watchlist_service
+ overlayfs_file
 perfetto
 perfetto_exec
 perfetto_tmpfs
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index ad7faa351..7b16b964f 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -9,6 +9,7 @@
 llkd_exec
 llkd_tmpfs
 mnt_product_file
+ overlayfs_file
 time_prop
 timedetector_service
 timezonedetector_service
diff --git a/private/file_contexts b/private/file_contexts
index 2087a3689..6c753857b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -518,6 +518,11 @@
 # LocalTransport (backup) uses this subtree
 /cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+#############################
+# Overlayfs support directories
+#
+/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
+
 /data/cache(/.*)? u:object_r:cache_file:s0
 /data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
 # General backup/restore interchange with apps
diff --git a/private/file_contexts_overlayfs b/private/file_contexts_overlayfs
new file mode 100644
index 000000000..00902c2da
--- /dev/null
+++ b/private/file_contexts_overlayfs
@@ -0,0 +1,6 @@
+#############################
+# Overlayfs support directories for userdebug/eng devices
+#
+/cache/overlay/(system|product)/upper u:object_r:system_file:s0
+/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/cache/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/private/fs_use b/private/fs_use
index d351c368d..19643487d 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -8,6 +8,7 @@ fs_use_xattr xfs u:object_r:labeledfs:s0;
 fs_use_xattr btrfs u:object_r:labeledfs:s0;
 fs_use_xattr f2fs u:object_r:labeledfs:s0;
 fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
 fs_use_xattr erofs u:object_r:labeledfs:s0;
 # Label inodes from task label.
diff --git a/public/file.te b/public/file.te
index 290283a19..47e9d0cf6 100644
--- a/public/file.te
+++ b/public/file.te
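Review bot: The three patterns in private/file_contexts_overlayfs end at `upper` with no `(/.*)?` suffix, so they label only the upper directory itself. Anything a recursive restorecon finds beneath it would instead match `/cache/overlay(/.*)?` from private/file_contexts and be set to `overlayfs_file` rather than `system_file` or `vendor_file`. If that is intended, the header comment should say so, for example `# Only the upper directory itself is matched; entries below it fall through to /cache/overlay(/.*)?`. If it is not intended, the patterns need the `(/.*)?` suffix.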
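Review bot: `fs_use_xattr overlay u:object_r:labeledfs:s0;` in private/fs_use is added for every build variant, while the commit message and the Android.mk and init.te hunks scope overlayfs support to userdebug and eng. On a user build an overlay mount would therefore also use xattr labeling and fall under existing `labeledfs` filesystem rules, such as the `allow shell { proc labeledfs }:filesystem getattr;` rule visible in public/shell.te. Whether this statement can be made variant-conditional is not visible from the hunk; if it cannot, a comment should record that the scope is deliberate, e.g. `# overlay: needed for adb remount on userdebug/eng; this statement is not variant-gated`.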
@@ -290,6 +290,8 @@ type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstr
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
 type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/overlay
+type overlayfs_file, file_type, data_file_type, core_data_file_type;
 # Type for /cache/backup_stage/* (fd interchange with apps)
 type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # type for anything under /cache/backup (local transport storage)
diff --git a/public/init.te b/public/init.te
index 4adf5cdb9..aa51a2f28 100644
--- a/public/init.te
+++ b/public/init.te
@@ -288,6 +288,11 @@ allow init self:global_capability2_class_set syslog;
 # init access to /proc.
 r_dir_file(init, proc_net_type)
+# Overlayfs workdir write access check during mount to permit remount,rw
+userdebug_or_eng(`
+ allow init overlayfs_file:dir { relabelfrom write };
+')
+
 allow init {
 proc_cmdline
 proc_diskstats
diff --git a/public/shell.te b/public/shell.te
index 6755f69e5..31408a0e3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -144,7 +144,7 @@ allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 # statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
 allow shell { proc labeledfs }:filesystem getattr;
 # stat() of /dev
--
GitLab
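Review bot: `overlayfs_file` is declared in public/file.te with `data_file_type` and `core_data_file_type`, so every existing rule written against those attributes applies to /cache/overlay on all build variants, not only the `userdebug_or_eng` rule added in init.te. The comment `# Type for /cache/overlay` does not say that this directory backs the writable overlayfs layer for system, vendor, product, odm and oem, which is what makes write access to it sensitive. I would expand it to something like `# Backing store for overlayfs upper dirs (adb remount on userdebug/eng); writes here change what the overlaid partition shows`, and consider a neverallow limiting which domains may write to the type. Whether the type needs to be public rather than private is not visible from this hunk.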
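Review bot: The comment above the `userdebug_or_eng` block in public/init.te explains the `write` permission (the workdir check at mount time) but not `relabelfrom`, which is the more security-relevant half of `allow init overlayfs_file:dir { relabelfrom write };`. If the intent is that init relabels the `upper` directories from `overlayfs_file` to the `system_file`/`vendor_file` contexts listed in private/file_contexts_overlayfs, the comment should say so, e.g. `# relabelfrom: restorecon of /cache/overlay/*/upper to the labels in file_contexts_overlayfs`. The matching `relabelto` on the target types is not part of this hunk, so it is not possible to tell from here whether init already holds it.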