Merge "Sepolicy for rw mount point for vendors." into pi-dev

ae0b835c · TreeHugger Robot · Android (Google) Code Review · 1f4037f2 · 210a805b · ae0b835c
Commit ae0b835c authored 6 years ago by TreeHugger Robot Committed by Android (Google) Code Review 6 years ago
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -65,6 +65,7 @@
    lowpan_service
    mediaextractor_update_service
    mediaprovider_tmpfs
+    mnt_vendor_file
    netd_stable_secret_prop
    network_watchlist_data_file
    network_watchlist_service

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
    lowpan_prop
    lowpan_service
    mediaextractor_update_service
+    mnt_vendor_file
    network_watchlist_data_file
    network_watchlist_service
    perfetto

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -526,3 +526,7 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
--- a/public/domain.te
+++ b/public/domain.te
@@ -1357,3 +1357,9 @@ userdebug_or_eng(`
  dontaudit domain proc_type:file create;
  dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+} mnt_vendor_file:dir *;
--- a/public/file.te
+++ b/public/file.te
@@ -225,6 +225,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;

+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.