Merge "Sepolicy for rw mount point for product extensions."

private/compat/26.0/26.0.ignore.cil

@@ -82,6 +82,7 @@
     mediaextractor_update_service
     mediaprovider_tmpfs
     metadata_file
+    mnt_product_file
     mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file

private/compat/27.0/27.0.ignore.cil

@@ -68,6 +68,7 @@
     lowpan_service
     mediaextractor_update_service
     metadata_file
+    mnt_product_file
     mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service

private/file_contexts

@@ -542,3 +542,7 @@
 #############################
 # mount point for read-write vendor partitions
 /mnt/vendor(/.*)?           u:object_r:mnt_vendor_file:s0
+
+#############################
+# mount point for read-write product partitions
+/mnt/product(/.*)?          u:object_r:mnt_product_file:s0

public/domain.te

@@ -1400,3 +1400,9 @@ full_treble_only(`
     -appdomain
   } vendor_public_lib_file:file { execute execute_no_trans };
 ')
+
+# Vendor domian must not have access to /mnt/product.
+neverallow {
+  domain
+  -coredomain
+} mnt_product_file:dir *;

public/file.te

@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
 # Mount location for read-write vendor partitions.
 type mnt_vendor_file, file_type;
 
+# Mount location for read-write product partitions.
+type mnt_product_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.

public/vendor_init.te

@@ -42,6 +42,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -system_file
+  -mnt_product_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -82,6 +83,7 @@ allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
+  -mnt_product_file
   -system_file
   -vendor_file_type
   -vold_metadata_file