Merge "Allow apexd to access a new dev_type: virtual disk" am: 1c996021a5

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1673185

Change-Id: I5cd7128b8b7caeefba9e84dfa82ab2b6e49838d3

private/apexd.te

@@ -52,6 +52,9 @@ allowxperm apexd loop_device:blk_file ioctl {
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
 
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
 # allow apexd to access /dev/block/dm-* (device-mapper entries)
 allow apexd dm_device:chr_file rw_file_perms;
 allow apexd dm_device:blk_file rw_file_perms;

private/compat/30.0/30.0.ignore.cil

@@ -128,6 +128,7 @@
     userspace_reboot_metadata_file
     uwb_service
     vcn_management_service
+    vd_device
     vendor_kernel_modules
     vibrator_manager_service
     virtualization_service

private/file_contexts

@@ -88,6 +88,7 @@
 /dev/block(/.*)?	u:object_r:block_device:s0
 /dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]*  u:object_r:vd_device:s0
 /dev/block/vold/.+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0

private/init.te

@@ -66,6 +66,10 @@ allow init snapuserd:unix_stream_socket connectto;
 # Allow for libsnapshot's use of flock() on /metadata/ota.
 allow init ota_metadata_file:dir lock;
 
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
 # Only init is allowed to set the sysprop indicating whether perf_event_open()
 # SELinux hooks were detected.
 set_prop(init, init_perf_lsm_hooks_prop)

public/device.te

@@ -17,6 +17,7 @@ type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
 type ram_device, dev_type;
 type rtc_device, dev_type;
+type vd_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type fscklogs, dev_type;