Merge "Sepolicy for rw mount point for product extensions."

am: 589dbe14 Change-Id: Ife838a971f7145583d2d1444a2c366515060e5a4

Merge "Sepolicy for rw mount point for product extensions."
am: 589dbe14 Change-Id: Ife838a971f7145583d2d1444a2c366515060e5a4
dc7e8d3d · Bowgo Tsai · android-build-merger · 35f9e08b · 589dbe14 · dc7e8d3d
Commit dc7e8d3d authored 6 years ago by Bowgo Tsai Committed by android-build-merger 6 years ago
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -79,6 +79,7 @@
    mediaextractor_update_service
    mediaprovider_tmpfs
    metadata_file
+    mnt_product_file
    mnt_vendor_file
    netd_stable_secret_prop
    network_watchlist_data_file

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -68,6 +68,7 @@
    lowpan_service
    mediaextractor_update_service
    metadata_file
+    mnt_product_file
    mnt_vendor_file
    network_watchlist_data_file
    network_watchlist_service

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -545,4 +545,8 @@
 #############################
 # mount point for read-write vendor partitions
-/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0
+/mnt/vendor(/.*)?           u:object_r:mnt_vendor_file:s0
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)?          u:object_r:mnt_product_file:s0
--- a/public/domain.te
+++ b/public/domain.te
@@ -1400,3 +1400,9 @@ full_treble_only(`
    -appdomain
  } vendor_public_lib_file:file { execute execute_no_trans };
 ')
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+  domain
+  -coredomain
+} mnt_product_file:dir *;
--- a/public/file.te
+++ b/public/file.te
@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
 # Mount location for read-write vendor partitions.
 type mnt_vendor_file, file_type;
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -42,6 +42,7 @@ allow vendor_init {
  -core_data_file_type
  -exec_type
  -system_file
+  -mnt_product_file
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
@@ -82,6 +83,7 @@ allow vendor_init {
  file_type
  -core_data_file_type
  -exec_type
+  -mnt_product_file
  -system_file
  -vendor_file_type
  -vold_metadata_file