Merge "Fix SELinux policies to allow resource overlays."

app.te

@@ -141,6 +141,10 @@ allow appdomain shared_relro_file:file r_file_perms;
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:file { rx_file_perms execmod };
 
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
 ###
 ### CTS-specific rules
 ###

file.te

@@ -61,6 +61,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/dalvik-cache/profiles
 type dalvikcache_profiles_data_file, file_type, data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
 type shell_data_file, file_type, data_file_type;
 # /data/gps

file_contexts

@@ -173,6 +173,7 @@
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0

installd.te

@@ -49,6 +49,10 @@ allow installd dalvikcache_data_file:file create_file_perms;
 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
 
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };

system_server.te

@@ -15,6 +15,10 @@ allow system_server system_server_tmpfs:file execute;
 # For art.
 allow system_server dalvikcache_data_file:file execute;
 
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;
 

zygote.te

@@ -24,6 +24,9 @@ allow zygote system_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
+# Write to /data/resource-cache
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.