Merge changes Ie973be6b,Ie090e085
* changes:
permissions for incremental control file
new label for incremental control files
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index c56bfae..f28757e 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -45,6 +45,7 @@
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
+ incremental_control_file
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
diff --git a/private/file_contexts b/private/file_contexts
index a35cfb4..3955708 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -611,7 +611,9 @@
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
# Incremental directories
-/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/private/priv_app.te b/private/priv_app.te
index 74930ee..75e9732 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -146,6 +146,10 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
###
### neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index 1432017..9789a52 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -72,6 +72,9 @@
# Allow system_app (adb data loader) to write data to /data/incremental
allow system_app apk_data_file:file write;
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 9eea579..ef527fd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,6 +24,13 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index ddae678..0585afd 100644
--- a/public/file.te
+++ b/public/file.te
@@ -186,6 +186,8 @@
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/ioctl_defines b/public/ioctl_defines
index b2a6fbf..4eeeb4e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1055,6 +1055,8 @@
define(`IMGETVERSION', `0x80044942')
define(`IMHOLD_L1', `0x80044948')
define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/vold.te b/public/vold.te
index 1ddd19e..fd3ed84 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,6 +132,8 @@
allow vold apk_data_file:file rw_file_perms;
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;