Add initial sepolicy for app data snapshots.
Define a rollback_data_file label and apply it to the snapshots
directory. This change contains just enough detail to allow
vold_prepare_subdirs to prepare these directories correctly.
A follow-up change will flesh out the access policy on these
directories in more detail.
Test: make, manual
Bug: 112431924
Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
diff --git a/private/file.te b/private/file.te
index 6704c79..a856792 100644
--- a/private/file.te
+++ b/private/file.te
@@ -16,3 +16,7 @@
# App executable files in /data/data directories
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
typealias app_exec_data_file alias rs_data_file;
+
+# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
+# of application data.
+type rollback_data_file, file_type, data_file_type, core_data_file_type;
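Review bot: `rollback_data_file` is declared without any guard on who may later be granted access to it, even though the comment says it will hold snapshots of application data. Since the access policy is deferred to a follow-up, consider adding a neverallow next to the type now so that a later broad grant fails at build time, for example `neverallow { domain -init -installd -vold_prepare_subdirs } rollback_data_file:file { open read write create };`, with the exemption list adjusted to the domains that really need access. The comment's path also leaves out the per-user directory that the file_contexts entries match; `# /data/misc_(ce|de)/<user-id>/rollback : Used by installd to store snapshots` would describe it accurately.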
diff --git a/private/file_contexts b/private/file_contexts
index 0605ee4..11f8f6e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -514,6 +514,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# App data snapshots (managed by installd).
+/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+
#############################
# Expanded data files
#
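Review bot: Both new entries assign the fixed level `s0` to everything under the rollback directories, so files labelled from these entries would carry no per-app MLS categories. Separation between different apps' snapshots would then rest on type enforcement and DAC alone. That is presumably fine while only installd touches the tree, but it is worth recording next to the entries, e.g. `# Labelled s0: snapshots are not separated per app by MLS categories.`, so the follow-up access policy is written with that in mind.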
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e93e1e5..09d0ca9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -17,6 +17,7 @@
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
+ rollback_data_file
storaged_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
@@ -24,6 +25,7 @@
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
+ rollback_data_file
storaged_data_file
system_data_file
vold_data_file
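Review bot: The class and permissions that this second list feeds are outside the hunk, so it is not visible here what `vold_prepare_subdirs` gains on `rollback_data_file` beyond the `dir { create_dir_perms relabelto }` grant in the previous hunk. The description says the change only lets it prepare the directories. If this statement grants access to the snapshot files themselves, a short comment giving the reason (for example cleanup when a user is removed) would help the follow-up policy review.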