From c287032f613c00447b5ca500c099608b4fd6e933 Mon Sep 17 00:00:00 2001
From: Bowgo Tsai <bowgotsai@google.com>
Date: Fri, 29 Jun 2018 10:10:00 +0800
Subject: [PATCH] Sepolicy for rw mount point for product extensions.

Bug: 110808288
Test: device boots with /mnt/product present and selinux label
      mnt_product_file applied correctly.

Change-Id: I596e4b79285fe1a79d31ad1b07f4bcffe6a6cd98
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/file_contexts               | 6 +++++-
 public/domain.te                    | 6 ++++++
 public/file.te                      | 3 +++
 public/vendor_init.te               | 2 ++
 6 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d99c58f55..ae36f1c70 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -82,6 +82,7 @@
     mediaextractor_update_service
     mediaprovider_tmpfs
     metadata_file
+    mnt_product_file
     mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 9b82f35f3..4530df498 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -68,6 +68,7 @@
     lowpan_service
     mediaextractor_update_service
     metadata_file
+    mnt_product_file
     mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
diff --git a/private/file_contexts b/private/file_contexts
index bec6b1405..9f3d8174b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -541,4 +541,8 @@
 
 #############################
 # mount point for read-write vendor partitions
-/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
+/mnt/vendor(/.*)?           u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)?          u:object_r:mnt_product_file:s0
diff --git a/public/domain.te b/public/domain.te
index 3d35fabf0..6b00e1264 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1400,3 +1400,9 @@ full_treble_only(`
     -appdomain
   } vendor_public_lib_file:file { execute execute_no_trans };
 ')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+  domain
+  -coredomain
+} mnt_product_file:dir *;
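Review bot: The new neverallow only names the `dir` class, while the file_contexts pattern `/mnt/product(/.*)?` in this same patch assigns `mnt_product_file` to anything relabelled beneath the mount point. A later rule granting a non-core domain `mnt_product_file:file` or `:lnk_file` access would therefore still pass the build-time check. If the intent is the one the comment states, consider `} mnt_product_file:dir_file_class_set *;`. That would presumably require the same exclusion in every `file_type`-based allow that vendor domains carry for non-directory classes. Separately, the comment reads "domian"; it should be `# Vendor domain must not have access to /mnt/product.`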
diff --git a/public/file.te b/public/file.te
index 68ce32170..2f14b5b12 100644
--- a/public/file.te
+++ b/public/file.te
@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
 # Mount location for read-write vendor partitions.
 type mnt_vendor_file, file_type;
 
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 81124743e..9b537c10f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -42,6 +42,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -system_file
+  -mnt_product_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
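Review bot: The object class and permission list of both `allow vendor_init { ... }` blocks touched here (this hunk and the one at -82) lie outside the hunks, so it cannot be confirmed that every `file_type`-based allow in vendor_init.te received `-mnt_product_file`. If only the directory rules were changed, vendor_init would keep whatever file, symlink or relabel permissions the remaining blocks grant on `mnt_product_file` objects, and the `dir`-only neverallow in domain.te would not flag that. It is worth checking the other blocks in the file and adding a short comment such as `# /mnt/product is core-only; see neverallow in domain.te` next to the exclusion. As a style point, the second hunk places `-mnt_product_file` before `-system_file` and the first places it after; one ordering in both lists makes omissions easier to spot.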
@@ -82,6 +83,7 @@ allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
+  -mnt_product_file
   -system_file
   -vendor_file_type
   -vold_metadata_file
-- 
GitLab