Add type for directories containing snapshots of apex data.
This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.
Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.
Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
diff --git a/private/apexd.te b/private/apexd.te
index f752930..1e1ccc5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -11,6 +11,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -125,3 +129,6 @@
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index bfd6a2f..f43c1c1 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -6,6 +6,7 @@
(typeattributeset new_objects
( new_objects
apex_module_data_file
+ apex_rollback_data_file
app_integrity_service
app_search_service
auth_service
diff --git a/private/file_contexts b/private/file_contexts
index 6ffbf10..26f4586 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -496,6 +496,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
@@ -583,6 +584,10 @@
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+# Apex rollback directories
+/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+
#############################
# Expanded data files
#
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 51cc138..b287bdc 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -15,6 +15,7 @@
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -25,6 +26,7 @@
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
diff --git a/public/file.te b/public/file.te
index 5564577..c7cfd18 100644
--- a/public/file.te
+++ b/public/file.te
@@ -331,6 +331,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;