Merge "Sepolicy for rw mount point for vendors."

am: 5a5894a979

Change-Id: Iad07653a6b49eee4f757b7fdee22975605984ea1

private/compat/26.0/26.0.ignore.cil

@@ -66,6 +66,7 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
     network_watchlist_service

private/compat/27.0/27.0.ignore.cil

@@ -54,6 +54,7 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
     perfetto

private/file_contexts

@@ -525,3 +525,7 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0

public/domain.te

@@ -1363,3 +1363,9 @@ userdebug_or_eng(`
   dontaudit domain proc_type:file create;
   dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+} mnt_vendor_file:dir *;

public/file.te

@@ -225,6 +225,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;
 
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.