Add /data/fonts/files directory
The updated font files will be stored in /data/fonts/files and
all applications will read them for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).
Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
diff --git a/private/app.te b/private/app.te
index 30ef991..c635aed 100644
--- a/private/app.te
+++ b/private/app.te
@@ -63,6 +63,10 @@
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
# Read /data/misc/apexdata/com.android.art
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
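Review bot: `r_dir_perms` on the added `allow appdomain font_data_file:dir` line lets every app domain list the directory, not only open files inside it. If apps only open fonts by a path the framework hands them (not visible in this hunk), the narrower `allow appdomain font_data_file:dir search;` would do and would not expose the set of installed font updates to all apps. If listing is really needed, the comment should say why and name the path, e.g. `# Apps read updated fonts under /data/fonts/files.`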
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6868554..559d4ad 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -26,6 +26,7 @@
dumpstate_tmpfs
framework_watchdog_config_prop
game_service
+ font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_authsecret_service
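Review bot: The new `font_data_file` entry is placed after `game_service`, but the visible neighbours are in alphabetical order, so it belongs between `dumpstate_tmpfs` and `framework_watchdog_config_prop`. Keeping the list sorted makes later merges and duplicate checks on this compat file easier.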
diff --git a/private/file.te b/private/file.te
index 284a9ee..87443ef 100644
--- a/private/file.te
+++ b/private/file.te
@@ -41,3 +41,6 @@
# /data/misc/apexdata/com.android.art/staging
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
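Review bot: The comment above the new type says `/data/font/files`, while the commit message and the `file_contexts` entry in this change use `/data/fonts/files`. The comment should read `# /data/fonts/files`, so that someone searching for the path finds the type declaration.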
diff --git a/private/file_contexts b/private/file_contexts
index 0b21e39..89c67fc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -551,6 +551,7 @@
# to avoid restorecon conflicts
/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)? u:object_r:font_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
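Review bot: The added pattern `/data/fonts/files(/.*)?` labels only the `files` subdirectory, so the parent `/data/fonts` keeps whatever label it inherits by default. It is worth confirming that this label lets apps and system_server traverse the parent but gives no other domain the write access needed to rename or replace `files`. The neverallow rules added in `system_server.te` cover only `font_data_file`, so they do not protect the parent. The entry also sits directly under the rollback block and its "to avoid restorecon conflicts" comment; a blank line and a short `# Updatable font files` comment would keep it from reading as part of that group.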
diff --git a/private/system_server.te b/private/system_server.te
index 98c1a1b..b7dbed0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1039,6 +1039,13 @@
# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
get_prop(system_server, framework_watchdog_config_prop)
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
###
### Neverallow rules
###
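Review bot: Nothing in the added rules ties app reads to fs-verity actually being enabled: the `allowxperm` line only permits system_server to issue `FS_IOC_ENABLE_VERITY`, while `appdomain` can read any `font_data_file`. The integrity guarantee therefore rests on framework code enabling and checking verity before a font is used, and the comment should say so, e.g. `# system_server enables fs-verity on font files after writing them; policy alone does not enforce it.` Also confirm whether system_server needs any other ioctl on these files (for example `FS_IOC_MEASURE_VERITY` to check a digest), since the `allowxperm` rule limits ioctls on this type to the listed command.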
@@ -1270,3 +1277,7 @@
# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
# interface
neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
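Review bot: The comment `# Only system server can write the font files.` does not match the rules below it, which also exempt `init`; it should read `# Only system_server (and init) can write the font files.`, as the commit message already says. The two neverallow lines cover only the `file` and `dir` classes, so other object classes labelled `font_data_file` (for instance `lnk_file`) are not constrained here. That is probably harmless while directory writes are blocked, but a one-line note that the omission is deliberate would help later reviewers.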