Merge "selinux rules for loading incremental module"

private/compat/29.0/29.0.ignore.cil

@@ -89,6 +89,7 @@
     vehicle_hal_prop
     vendor_apex_file
     vendor_boringssl_self_test
+    vendor_incremental_module
     vendor_install_recovery
     vendor_install_recovery_exec
     virtual_ab_prop))

private/file_contexts

@@ -372,6 +372,7 @@
 /(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko     u:object_r:vendor_incremental_module:s0
 
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0

public/domain.te

@@ -1004,6 +1004,7 @@ full_treble_only(`
     -vendor_overlay_file
     -vendor_public_lib_file
     -vendor_task_profiles_file
+    -vendor_incremental_module
     -vndk_sp_file
   }:file *;
 ')

public/file.te

@@ -210,6 +210,8 @@ type vendor_overlay_file, vendor_file_type, file_type;
 # Type for all vendor public libraries. These libs should only be exposed to
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
+# Default type for incremental file system driver
+type vendor_incremental_module, vendor_file_type, file_type;
 
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;

public/vold.te

@@ -52,6 +52,11 @@ allowxperm vold data_file_type:dir ioctl {
   FS_IOC_REMOVE_ENCRYPTION_KEY
 };
 
+# Allow to load incremental file system driver
+allow vold self:capability sys_module;
+allow vold vendor_incremental_module:file r_file_perms;
+allow vold vendor_incremental_module:system module_load;
+
 # Only vold and init should ever set file-based encryption policies.
 neverallowxperm {
   domain