Add /data/fonts/files directory

The updated font files will be stored in /data/fonts/files, and
all applications will read them for drawing text.
Thus, /data/fonts/files needs to be readable by apps and only writable
by system_server (and init).

Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
diff --git a/private/app.te b/private/app.te
index 30ef991..c635aed 100644
--- a/private/app.te
+++ b/private/app.te
@@ -63,6 +63,10 @@
 # Allow to read db.log.detailed, db.log.slow_query_threshold*
 get_prop(appdomain, sqlite_log_prop)
 
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
 # Read /data/misc/apexdata/com.android.art
 allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
 allow appdomain apex_art_data_file:file r_file_perms;
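Review bot: The comment on the two new `appdomain` rules does not name the path or say that the access is read-only by design. Something like `# Apps read updated fonts from /data/fonts/files; writes are limited to system_server and init.` would tie the rule to its counterpart in system_server.te. The grant goes to the whole `appdomain` attribute, which presumably includes the most restricted app domains; if that breadth is intended, say so in the comment.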
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 6868554..559d4ad 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -26,6 +26,7 @@
     dumpstate_tmpfs
     framework_watchdog_config_prop
     game_service
+    font_data_file
     gki_apex_prepostinstall
     gki_apex_prepostinstall_exec
     hal_authsecret_service
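Review bot: `font_data_file` is inserted after `game_service`, but the visible entries of this list are in alphabetical order, so it belongs between `dumpstate_tmpfs` and `framework_watchdog_config_prop`. Keeping the list sorted makes later merges and duplicate checks easier. The list continues outside the hunk, so confirm the ordering convention against the full file.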
diff --git a/private/file.te b/private/file.te
index 284a9ee..87443ef 100644
--- a/private/file.te
+++ b/private/file.te
@@ -41,3 +41,6 @@
 
 # /data/misc/apexdata/com.android.art/staging
 type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
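Review bot: The comment above the new type says `/data/font/files`, but the file_contexts entry and the commit title both use `/data/fonts/files`. Change the comment to `# /data/fonts/files` so that a search for the path finds the type declaration.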
diff --git a/private/file_contexts b/private/file_contexts
index 0b21e39..89c67fc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -551,6 +551,7 @@
 # to avoid restorecon conflicts
 /data/rollback/\d+/[^/]+/.*\.apk  u:object_r:apk_data_file:s0
 /data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)?     u:object_r:font_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
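Review bot: The new `/data/fonts/files(/.*)?` entry sits directly under the rollback entries and their "to avoid restorecon conflicts" comment, so it reads as part of that group. Give it its own stanza, separated by a blank line, with a comment such as `# Updated font files, written by system_server and read by apps`. The pattern labels `/data/fonts/files` and everything below it, but not `/data/fonts` itself, which presumably keeps the default /data label. Confirm that apps can still search that parent directory and that no other domain can rename or replace `files` inside it.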
diff --git a/private/system_server.te b/private/system_server.te
index 98c1a1b..b7dbed0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1039,6 +1039,13 @@
 # Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
 get_prop(system_server, framework_watchdog_config_prop)
 
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
 ###
 ### Neverallow rules
 ###
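Review bot: The added block opens with a second blank line after the `get_prop` rule, leaving two blank lines where the rest of the visible file uses one; drop it. The comments would also help more if they explained why system_server gets full create permissions on files that every app reads, for example `# system_server installs updated fonts under /data/fonts/files and enables fs-verity on each file.` These rules permit enabling fs-verity but do not enforce that it is enabled before apps open a file, so confirm that the framework side guarantees that ordering.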
@@ -1270,3 +1277,7 @@
 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
 # interface
 neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
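Review bot: The comment says only system server can write the font files, but both neverallow rules also exempt `init`; say so, e.g. `# Only init and system_server may write font files or modify the font directory.` The rules cover the `file` and `dir` classes only. If I read the macros correctly, `no_w_file_perms` and `no_w_dir_perms` do not include `relabelto`, so a domain allowed to relabel an object into `font_data_file` would not trip this check. Consider adding `relabelto` to both rules and a matching rule for `lnk_file`, after checking that no existing domain legitimately needs either.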