Initial policy for expanded storage.

Expanded storage supports a subset of the features of the internal
data partition.  Mirror that policy for consistency.  vold is also
granted enough permissions to prepare initial directories.

avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1

Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5

app.te

@@ -58,6 +58,9 @@ allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
 # Keychain and user-trusted credentials
 allow appdomain keychain_data_file:dir r_dir_perms;
 allow appdomain keychain_data_file:file r_file_perms;

file.te

@@ -86,6 +86,7 @@ type bootchart_data_file, file_type, data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
 type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
 type storage_file, file_type;
 
 # Label for storage dirs which are just mount stubs

file_contexts

@@ -190,6 +190,9 @@
 #############################
 # Data files
 #
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
 /data(/.*)?		u:object_r:system_data_file:s0
 /data/.layout_version		u:object_r:install_data_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
@@ -244,6 +247,18 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)?                                   u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)?                             u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)?                         u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)?               u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)?          u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
 

system_server.te

@@ -456,6 +456,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
 # we shouldn't be killed during unsafe removal
 allow system_server sdcard_type:dir { getattr search };
 
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
 ###
 ### Neverallow rules
 ###

vold.te

@@ -52,6 +52,12 @@ allow vold sdcard_type:filesystem { mount unmount remount };
 allow vold mnt_user_file:dir create_dir_perms;
 allow vold mnt_user_file:lnk_file create_file_perms;
 
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold media_rw_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
@@ -95,8 +101,8 @@ allow vold labeledfs:filesystem { mount unmount remount };
 # XXX Split into a separate type?
 allow vold efs_file:file rw_file_perms;
 
-# Create and mount on /data/tmp_mnt.
+# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton };
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 
 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;