From 4c3d11c018724af5a7f2405ca72e3407f78a1ad4 Mon Sep 17 00:00:00 2001
From: Annie Meng <anniemeng@google.com>
Date: Tue, 15 Jan 2019 21:20:13 +0000
Subject: [PATCH] Add rules for multi-user backup/restore

The backup system service will move its storage location to per-user CE
directories to support multiple users. Add additional iterations on the
existing rules to support the new location.

/data/backup -> /data/system_ce/[user id]/backup
Previously covered by rule backup_data_file

/cache/backup -> /data/system_ce/[user id]/backup_stage
Previously covered by rule cache_backup_file

Also add support for vold to create and perform restorecon on the new
locations.

Example denials and detailed proposal in the doc on the linked bug.

Bug: 121197420
Test: 1) Boot device; check dirs created with correct label; run backup
successfully on system user
2) Create secondary user; check dirs created with correct label; run
backup successfully

Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
---
 private/file_contexts           | 5 +++++
 private/vold_prepare_subdirs.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/private/file_contexts b/private/file_contexts
index 11f8f6e58..ac1b7ab79 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -557,6 +557,11 @@
 # iorapd per-user data
 /data/misc_ce/[0-9]+/iorapd(/.*)?           u:object_r:iorapd_data_file:s0
 
+# Backup service persistent per-user bookkeeping
+/data/system_ce/[0-9]+/backup(/.*)?		u:object_r:backup_data_file:s0
+# Backup service temporary per-user data for inter-change with apps
+/data/system_ce/[0-9]+/backup_stage(/.*)?	u:object_r:backup_data_file:s0
+
 #############################
 # efs files
 #
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 09d0ca923..e6df48df2 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,6 +14,7 @@ allow vold_prepare_subdirs {
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
@@ -22,6 +23,7 @@ allow vold_prepare_subdirs {
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
-- 
GitLab