fs_mgr: add overlayfs handling for squashfs system filesystems
/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices. Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.
Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
diff --git a/Android.mk b/Android.mk
index f31ddec..9a99732 100644
--- a/Android.mk
+++ b/Android.mk
@@ -829,7 +829,10 @@
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
@@ -917,6 +920,9 @@
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
+endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 056342b..ee202ba 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -84,6 +84,7 @@
netd_stable_secret_prop
network_watchlist_data_file
network_watchlist_service
+ overlayfs_file
package_native_service
perfetto
perfetto_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index f99f9a7..b99de06 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -72,6 +72,7 @@
mnt_vendor_file
network_watchlist_data_file
network_watchlist_service
+ overlayfs_file
perfetto
perfetto_exec
perfetto_tmpfs
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index ad7faa3..7b16b96 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -9,6 +9,7 @@
llkd_exec
llkd_tmpfs
mnt_product_file
+ overlayfs_file
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/file_contexts b/private/file_contexts
index 2087a36..6c75385 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -518,6 +518,11 @@
# LocalTransport (backup) uses this subtree
/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+#############################
+# Overlayfs support directories
+#
+/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
+
/data/cache(/.*)? u:object_r:cache_file:s0
/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
# General backup/restore interchange with apps
diff --git a/private/file_contexts_overlayfs b/private/file_contexts_overlayfs
new file mode 100644
index 0000000..00902c2
--- /dev/null
+++ b/private/file_contexts_overlayfs
@@ -0,0 +1,6 @@
+#############################
+# Overlayfs support directories for userdebug/eng devices
+#
+/cache/overlay/(system|product)/upper u:object_r:system_file:s0
+/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/cache/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/private/fs_use b/private/fs_use
index d351c36..1964348 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -8,6 +8,7 @@
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
# Label inodes from task label.
diff --git a/public/file.te b/public/file.te
index 290283a..47e9d0c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -290,6 +290,8 @@
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/overlay
+type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# type for anything under /cache/backup (local transport storage)
diff --git a/public/init.te b/public/init.te
index 4adf5cd..aa51a2f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -288,6 +288,11 @@
# init access to /proc.
r_dir_file(init, proc_net_type)
+# Overlayfs workdir write access check during mount to permit remount,rw
+userdebug_or_eng(`
+ allow init overlayfs_file:dir { relabelfrom write };
+')
+
allow init {
proc_cmdline
proc_diskstats
diff --git a/public/shell.te b/public/shell.te
index 6755f69..31408a0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -144,7 +144,7 @@
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev