diff --git a/Android.mk b/Android.mk
index f31ddec634055e09c5deaac797d07fd5ea74e20a..9a99732c61f160c6020544a5293da5060a34245d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -829,7 +829,10 @@ include $(BUILD_SYSTEM)/base_rules.mk
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
@@ -917,6 +920,9 @@ local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
+endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 056342b0c8c6667260e5da0c05a5fda359c9cd86..ee202ba3a57f921e3f6c2a425897fdad72c7f499 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -84,6 +84,7 @@
netd_stable_secret_prop
network_watchlist_data_file
network_watchlist_service
+ overlayfs_file
package_native_service
perfetto
perfetto_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index f99f9a7cfeaaaecbcfcdf9adcd1d343334cb11a0..b99de06032d687a4aea17726ba21ed1693138f87 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -72,6 +72,7 @@
mnt_vendor_file
network_watchlist_data_file
network_watchlist_service
+ overlayfs_file
perfetto
perfetto_exec
perfetto_tmpfs
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index ad7faa3512806bd5d528f387ecc0ad1f30588a6a..7b16b964fc8cf4b4ccc77ee99cc8806c366a5338 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -9,6 +9,7 @@
llkd_exec
llkd_tmpfs
mnt_product_file
+ overlayfs_file
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/file_contexts b/private/file_contexts
index 2087a368936f5cbf8564ff613da143a339a94a52..6c753857b487d5837a6b55b1ca40ae2518e456c3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -518,6 +518,11 @@
# LocalTransport (backup) uses this subtree
/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+#############################
+# Overlayfs support directories
+#
+/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
+
/data/cache(/.*)? u:object_r:cache_file:s0
/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
# General backup/restore interchange with apps
diff --git a/private/file_contexts_overlayfs b/private/file_contexts_overlayfs
new file mode 100644
index 0000000000000000000000000000000000000000..00902c2daf640ca56d838c34bdf89f513b386fb8
--- /dev/null
+++ b/private/file_contexts_overlayfs
@@ -0,0 +1,6 @@
+#############################
+# Overlayfs support directories for userdebug/eng devices
+#
+/cache/overlay/(system|product)/upper u:object_r:system_file:s0
+/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/cache/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/private/fs_use b/private/fs_use
index d351c368dffe1c51b1c2f2f1df895bfbc592270c..19643487d2c4c1d720005d241deb88d8443ac86e 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -8,6 +8,7 @@ fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
# Label inodes from task label.
diff --git a/public/file.te b/public/file.te
index 290283a190b89414d75d8970ec1f46a7641cbee5..47e9d0cf6bb306cbd83d57cd1192b14c98e6f716 100644
--- a/public/file.te
+++ b/public/file.te
@@ -290,6 +290,8 @@ type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstr
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/overlay
+type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# type for anything under /cache/backup (local transport storage)
diff --git a/public/init.te b/public/init.te
index 4adf5cdb94032beec0bb039e3057b6ff2b24d73b..aa51a2f2862fac0c2b58f9505b2d08e9973ce0c1 100644
--- a/public/init.te
+++ b/public/init.te
@@ -288,6 +288,11 @@ allow init self:global_capability2_class_set syslog;
# init access to /proc.
r_dir_file(init, proc_net_type)
+# Overlayfs workdir write access check during mount to permit remount,rw
+userdebug_or_eng(`
+ allow init overlayfs_file:dir { relabelfrom write };
+')
+
allow init {
proc_cmdline
proc_diskstats
diff --git a/public/shell.te b/public/shell.te
index 6755f69e5244eea9850d4661affc2183ab90d44b..31408a0e3c26493666c014dd454e5d6d8aee019e 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -144,7 +144,7 @@ allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev