Sepolicy for rw mount point for product extensions.
Bug: 110808288
Test: device boots with /mnt/product present and selinux label
mnt_product_file applied correctly.
Change-Id: I596e4b79285fe1a79d31ad1b07f4bcffe6a6cd98
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d99c58f..ae36f1c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -82,6 +82,7 @@
mediaextractor_update_service
mediaprovider_tmpfs
metadata_file
+ mnt_product_file
mnt_vendor_file
netd_stable_secret_prop
network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 9b82f35..4530df4 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -68,6 +68,7 @@
lowpan_service
mediaextractor_update_service
metadata_file
+ mnt_product_file
mnt_vendor_file
network_watchlist_data_file
network_watchlist_service
diff --git a/private/file_contexts b/private/file_contexts
index bec6b14..9f3d817 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -541,4 +541,8 @@
#############################
# mount point for read-write vendor partitions
-/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)? u:object_r:mnt_product_file:s0
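Review bot: The `/mnt/vendor(/.*)?` entry at the top of the hunk is removed and re-added with visibly identical text, so that pair appears to be a whitespace-only alignment change that widens the hunk without altering policy; if so, it is worth dropping from the change or mentioning in the description. The new `/mnt/product(/.*)?` line mirrors the vendor entry, and because of the `(/.*)?` suffix it labels any path created under the mount point before a filesystem is mounted there, not just the directory itself; that is worth keeping in mind when reading the `dir`-only neverallow added in public/domain.te.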
diff --git a/public/domain.te b/public/domain.te
index 3d35fab..6b00e12 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1400,3 +1400,9 @@
-appdomain
} vendor_public_lib_file:file { execute execute_no_trans };
')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+ domain
+ -coredomain
+} mnt_product_file:dir *;
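Review bot: The comment above the new neverallow misspells the word: `# Vendor domain must not have access to /mnt/product.` The rule itself names only the `dir` class, so non-core domains are denied directory operations on mnt_product_file but not operations on a non-directory object carrying the same label (the file_contexts regex `/mnt/product(/.*)?` labels those too), for example one reached through an already-open descriptor. If the intent is to deny all access from non-core domains, consider `mnt_product_file:file_class_set *`, or at least `{ dir file }`, after checking that no existing allow rule for those domains then conflicts (the vendor_init.te hunks already exclude the type). The `')` above the addition closes an m4 block that begins outside the hunk.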
diff --git a/public/file.te b/public/file.te
index 68ce321..2f14b5b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -237,6 +237,9 @@
# Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type;
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 8112474..9b537c1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -42,6 +42,7 @@
-core_data_file_type
-exec_type
-system_file
+ -mnt_product_file
-unlabeled
-vendor_file_type
-vold_metadata_file
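Review bot: The new `-mnt_product_file` exclusion has no comment saying why it is needed, and the reason is non-local: vendor_init is not a coredomain, so the `neverallow { domain -coredomain } mnt_product_file:dir *;` added in public/domain.te applies to it, and excluding the type here is what keeps this rule from conflicting with that neverallow. A short comment such as `# -mnt_product_file: see the neverallow in public/domain.te` next to the exclusion would make that dependency explicit for the next person touching either file. The same applies to the second hunk in this file (`@@ -82,6 +83,7 @@`). The statement each set belongs to begins before its hunk, so the class and permission set are not visible here; I assume they are allow rules over file_type.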
@@ -82,6 +83,7 @@
file_type
-core_data_file_type
-exec_type
+ -mnt_product_file
-system_file
-vendor_file_type
-vold_metadata_file