Merge "Selinux policy for new userspace reboot logging dir" am: df9d784e6d

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1308233

Change-Id: Ie630cb9254b851f9434c3ddc7b82d1556d9dc642

private/compat/30.0/30.0.ignore.cil

@@ -18,4 +18,5 @@
     profcollectd_exec
     profcollectd_service
     update_engine_stable_service
-    cgroup_v2))
+    cgroup_v2
+    userspace_reboot_metadata_file))

private/file_contexts

@@ -735,6 +735,7 @@
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 
 #############################
 # asec containers

private/system_server.te

@@ -1161,6 +1161,9 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
 # Allow system server rw access to files in /metadata/staged-install folder
 allow system_server staged_install_file:dir rw_dir_perms;
 allow system_server staged_install_file:file create_file_perms;
@@ -1202,6 +1205,10 @@ neverallow {
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }

public/file.te

@@ -233,6 +233,8 @@ type apex_metadata_file, file_type;
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
 # Staged install files within /metadata/staged-install
 type staged_install_file, file_type;
 

public/init.te

@@ -579,6 +579,7 @@ allow init vold_metadata_file:dir create_dir_perms;
 allow init vold_metadata_file:file getattr;
 allow init metadata_bootstat_file:dir create_dir_perms;
 allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
 
 # Allow init to touch PSI monitors
 allow init proc_pressure_mem:file { rw_file_perms setattr };

public/vendor_init.te

@@ -57,6 +57,7 @@ allow vendor_init {
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -75,6 +76,7 @@ allow vendor_init {
   -gsi_metadata_file
   -apex_metadata_file
   -apex_info_file
+  -userspace_reboot_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -89,6 +91,7 @@ allow vendor_init {
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -104,6 +107,7 @@ allow vendor_init {
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -118,6 +122,7 @@ allow vendor_init {
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;