Merge changes Ie973be6b,Ie090e085

* changes:
  permissions for incremental control file
  new label for incremental control files

private/compat/29.0/29.0.ignore.cil

@@ -45,6 +45,7 @@
     hal_rebootescrow_service
     hal_tv_tuner_hwservice
     hal_vibrator_service
+    incremental_control_file
     incremental_service
     init_perf_lsm_hooks_prop
     init_svc_debug_prop

private/file_contexts

@@ -611,7 +611,9 @@
 /data/misc_ce/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 
 # Incremental directories
-/data/incremental(/.*)?                        u:object_r:apk_data_file:s0
+/data/incremental(/.*)?                                 u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads         u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log                   u:object_r:incremental_control_file:s0
 
 #############################
 # Expanded data files

private/priv_app.te

@@ -146,6 +146,10 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
 ###
 ### neverallow rules
 ###

private/system_app.te

@@ -72,6 +72,9 @@ allow system_app asec_apk_file:file r_file_perms;
 # Allow system_app (adb data loader) to write data to /data/incremental
 allow system_app apk_data_file:file write;
 
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
 # Allow system apps (like Settings) to interact with statsd
 binder_call(system_app, statsd)
 

private/system_server.te

@@ -24,6 +24,13 @@ allow system_server appdomain_tmpfs:file { getattr map read write };
 # For Incremental Service to check if incfs is available
 allow system_server proc_filesystems:file r_file_perms;
 
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file r_file_perms;

public/file.te

@@ -186,6 +186,8 @@ type vendor_task_profiles_file, vendor_file_type, file_type;
 type art_apex_dir, system_file_type, file_type;
 # /linkerconfig(/.*)?
 type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
 
 # Default type for directories search for
 # HAL implementations

public/ioctl_defines

@@ -1055,6 +1055,8 @@ define(`IMGETDEVINFO', `0x80044944')
 define(`IMGETVERSION', `0x80044942')
 define(`IMHOLD_L1', `0x80044948')
 define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')

public/vold.te

@@ -132,6 +132,8 @@ allow vold apk_data_file:dir { mounton rw_dir_perms };
 allow vold apk_data_file:file rw_file_perms;
 # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
 allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
 
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;