Add type for directories containing snapshots of apex data.

This adds a new apex_rollback_data_file type for the snapshots (backups)
of APEX data directories that can be restored in the event of a rollback.

Permission is given for apexd to create files and dirs in those directories
and for vold_prepare_subdirs to create the directories.

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created with the correct
type.

Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd

private/apexd.te

@@ -11,6 +11,10 @@ allow apexd metadata_file:dir search;
 allow apexd apex_metadata_file:dir create_dir_perms;
 allow apexd apex_metadata_file:file create_file_perms;
 
+# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+
 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
@@ -125,3 +129,6 @@ neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
 
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;

private/compat/29.0/29.0.ignore.cil

@@ -6,6 +6,7 @@
 (typeattributeset new_objects
   ( new_objects
     apex_module_data_file
+    apex_rollback_data_file
     app_integrity_service
     app_search_service
     auth_service

private/file_contexts

@@ -496,6 +496,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
+/data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
 /data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
@@ -583,6 +584,10 @@
 /data/misc_de/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 
+# Apex rollback directories
+/data/misc_de/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
+/data/misc_ce/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
+
 #############################
 # Expanded data files
 #

private/vold_prepare_subdirs.te

@@ -15,6 +15,7 @@ allow vold_prepare_subdirs {
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
     apex_module_data_file
+    apex_rollback_data_file
     backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
@@ -25,6 +26,7 @@ allow vold_prepare_subdirs {
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
     apex_module_data_file
+    apex_rollback_data_file
     backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file

public/file.te

@@ -331,6 +331,7 @@ type postinstall_apex_mnt_dir, file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
 type audioserver_data_file, file_type, data_file_type, core_data_file_type;
 type bluetooth_data_file, file_type, data_file_type, core_data_file_type;