SELinux policies for /data/preloads directory
A new directory is created in the user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.
The new directory is writable/deletable by system server. It can only be
read (including directory listing) by privileged or platform apps.
Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
diff --git a/file.te b/file.te
index 8b525da..ce9eff9 100644
--- a/file.te
+++ b/file.te
@@ -110,6 +110,8 @@
type nativetest_data_file, file_type, data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/file_contexts b/file_contexts
index c4f8f6a..062b929 100644
--- a/file_contexts
+++ b/file_contexts
@@ -260,6 +260,7 @@
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0
+/data/preloads(/.*)? u:object_r:preloads_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
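Review bot: The new label at line 28 is placed after /data/property, but the surrounding entries are kept alphabetical and "preloads" sorts before "property", so the line belongs one position up, between /data/nativetest and /data/property. Nothing in this change creates /data/preloads: the pattern only takes effect when the directory is created by an init mkdir (which labels from file_contexts) or is covered by a restorecon, so presumably the mkdir lives in a separate init.rc change — worth referencing in the description so the two land together. If the directory is created by some other process before that change is in place, it will inherit the parent's label rather than preloads_data_file and the allow rules added here will not apply.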
diff --git a/platform_app.te b/platform_app.te
index 8ac7932..0d3bdba 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -51,3 +51,7 @@
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
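Review bot: The description says /data/preloads can only be read by privileged or platform apps, but the policy does not enforce that restriction: lines 41-42 here and the identical pair in priv_app.te grant the access, while no neverallow prevents another app domain from being granted preloads_data_file read later. Since the directory holds pre-loaded APKs, pinning the intended boundary with a neverallow would turn a future widening into a policy build failure, e.g. `neverallow { appdomain -platform_app -priv_app } preloads_data_file:file *;` — assuming no existing appdomain rule over data_file_type already conflicts, which I cannot see from this hunk. The comment could also state the intent rather than the location: `# Read-only access to preloaded content in /data/preloads`.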
diff --git a/priv_app.te b/priv_app.te
index 5801619..d380a67 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -92,6 +92,10 @@
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+
###
### neverallow rules
###
diff --git a/system_server.te b/system_server.te
index 6b2fa7e..b205c24 100644
--- a/system_server.te
+++ b/system_server.te
@@ -529,6 +529,10 @@
allow system_server update_engine:fd use;
allow system_server update_engine:fifo_file write;
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name };
+
###
### Neverallow rules
###
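Review bot: The dir rule at line 66 grants write and remove_name but not rmdir, so system_server can unlink files directly under /data/preloads but cannot remove any subdirectory beneath it (that needs remove_name on the parent plus rmdir on the subdirectory itself). The description calls the directory "writable/deletable" by system server, yet no create/add_name on the dir and no write on files is granted either, so either the description overstates the grant or the rule is short. If recursive cleanup of the preloaded content is intended, `allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };` covers it; otherwise the comment should say what is actually allowed, e.g. `# Read and delete (no create/write) preloaded content in /data/preloads`. The neverallow section that follows is outside this hunk, so I cannot tell whether an existing rule there already constrains these permissions.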