Sepolicy for rw mount point for product extensions.

Bug: 110808288 Test: device boots with /mnt/product present and selinux label mnt_product_file applied correctly. Change-Id: I596e4b79285fe1a79d31ad1b07f4bcffe6a6cd98

Sepolicy for rw mount point for product extensions.
Bug: 110808288 Test: device boots with /mnt/product present and selinux label mnt_product_file applied correctly. Change-Id: I596e4b79285fe1a79d31ad1b07f4bcffe6a6cd98
c287032f · Bowgo Tsai · ff91d5d6 · c287032f · c287032f · c287032f
Commit c287032f authored 6 years ago by Bowgo Tsai
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -82,6 +82,7 @@
    mediaextractor_update_service
    mediaprovider_tmpfs
    metadata_file
+    mnt_product_file
    mnt_vendor_file
    netd_stable_secret_prop
    network_watchlist_data_file

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -68,6 +68,7 @@
    lowpan_service
    mediaextractor_update_service
    metadata_file
+    mnt_product_file
    mnt_vendor_file
    network_watchlist_data_file
    network_watchlist_service

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -541,4 +541,8 @@

 #############################
 # mount point for read-write vendor partitions
-/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
+/mnt/vendor(/.*)?           u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)?          u:object_r:mnt_product_file:s0
--- a/public/domain.te
+++ b/public/domain.te
@@ -1400,3 +1400,9 @@ full_treble_only(`
    -appdomain
  } vendor_public_lib_file:file { execute execute_no_trans };
 ')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+  domain
+  -coredomain
+} mnt_product_file:dir *;
--- a/public/file.te
+++ b/public/file.te
@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
 # Mount location for read-write vendor partitions.
 type mnt_vendor_file, file_type;

+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -42,6 +42,7 @@ allow vendor_init {
  -core_data_file_type
  -exec_type
  -system_file
+  -mnt_product_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
@@ -82,6 +83,7 @@ allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
+  -mnt_product_file
  -system_file
  -vendor_file_type
  -vold_metadata_file