SEPolicy Prebuilts for P

Bug: 77589980
Test: Build
Change-Id: I5395314006f42dd3c925fed554c04d182ddde2c5

prebuilts/api/28.0/private/app_neverallows.te

@@ -93,9 +93,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil
 # application un-installation.
 neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
-  -fuse                     # sdcard
-  -sdcardfs                 # sdcard
-  -vfat
+  -sdcard_type
   file_type
   -app_data_file            # The apps sandbox itself
   -media_rw_data_file       # Internal storage. Known that apps can

prebuilts/api/28.0/private/bug_map

+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
+otapreopt_chroot postinstall_file lnk_file 75287236
 platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
 priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+radio statsdw_socket sock_file 78456764
+statsd hal_health_default binder 77919007
+storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
 system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
 untrusted_app_25 system_data_file dir 72550646
 untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
 system_server sysfs file 77816522
+zygote untrusted_app_25 process 77925912

prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil

@@ -18,6 +18,7 @@
     crossprofileapps_service
     e2fs
     e2fs_exec
+    exfat
     exported_bluetooth_prop
     exported_config_prop
     exported_dalvik_prop
@@ -43,17 +44,20 @@
     exported3_system_prop
     fingerprint_vendor_data_file
     fs_bpf
+    hal_audiocontrol_hwservice
     hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
     hal_codec2_hwservice
     hal_confirmationui_hwservice
+    hal_evs_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_secure_element_hwservice
     hal_tetheroffload_hwservice
     hal_wifi_hostapd_hwservice
     hal_usb_gadget_hwservice
+    hal_vehicle_hwservice
     hal_wifi_offload_hwservice
     incident_helper
     incident_helper_exec
@@ -64,6 +68,8 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    metadata_file
+    mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file
     network_watchlist_service
@@ -86,6 +92,8 @@
     statsd
     statsd_exec
     statsd_tmpfs
+    statsdw
+    statsdw_socket
     statscompanion_service
     storaged_data_file
     sysfs_fs_ext4_features
@@ -105,6 +113,7 @@
     traceur_app_tmpfs
     traced
     traced_consumer_socket
+    traced_enabled_prop
     traced_exec
     traced_probes
     traced_probes_exec
@@ -114,6 +123,7 @@
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
+    vendor_security_patch_level_prop
     usbd
     usbd_exec
     usbd_tmpfs

prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil

@@ -14,6 +14,7 @@
     bpfloader_exec
     cgroup_bpf
     crossprofileapps_service
+    exfat
     exported2_config_prop
     exported2_default_prop
     exported2_radio_prop
@@ -39,12 +40,15 @@
     exported_wifi_prop
     fingerprint_vendor_data_file
     fs_bpf
+    hal_audiocontrol_hwservice
     hal_authsecret_hwservice
     hal_codec2_hwservice
     hal_confirmationui_hwservice
+    hal_evs_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
     hal_usb_gadget_hwservice
+    hal_vehicle_hwservice
     hal_wifi_hostapd_hwservice
     incident_helper
     incident_helper_exec
@@ -53,6 +57,8 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    metadata_file
+    mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service
     perfetto
@@ -74,6 +80,8 @@
     statsd
     statsd_exec
     statsd_tmpfs
+    statsdw
+    statsdw_socket
     storaged_data_file
     system_boot_reason_prop
     system_update_service
@@ -81,6 +89,7 @@
     trace_data_file
     traced
     traced_consumer_socket
+    traced_enabled_prop
     traced_exec
     traced_probes
     traced_probes_exec
@@ -96,6 +105,7 @@
     usbd_tmpfs
     vendor_default_prop
     vendor_init
+    vendor_security_patch_level_prop
     vendor_shell
     vold_metadata_file
     vold_prepare_subdirs

prebuilts/api/28.0/private/file.te

@@ -4,6 +4,8 @@ type config_gz, fs_type, proc_type;
 # /data/misc/stats-data, /data/misc/stats-service
 type stats_data_file, file_type, data_file_type, core_data_file_type;
 
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
 

prebuilts/api/28.0/private/file_contexts

@@ -132,6 +132,7 @@
 /dev/socket/logd	u:object_r:logd_socket:s0
 /dev/socket/logdr	u:object_r:logdr_socket:s0
 /dev/socket/logdw	u:object_r:logdw_socket:s0
+/dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/mtpd	u:object_r:mtpd_socket:s0
@@ -526,3 +527,7 @@
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
 /mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)?          u:object_r:mnt_vendor_file:s0

prebuilts/api/28.0/private/genfs_contexts

@@ -229,6 +229,7 @@ genfscon debugfs /tracing/events/lowmemorykiller/
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0

prebuilts/api/28.0/private/hwservice_contexts

@@ -4,6 +4,9 @@ android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_s
 android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
 android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0

prebuilts/api/28.0/private/hwservicemanager.te

@@ -6,3 +6,4 @@ add_hwservice(hwservicemanager, hidl_manager_hwservice)
 add_hwservice(hwservicemanager, hidl_token_hwservice)
 
 set_prop(hwservicemanager, ctl_default_prop)
+set_prop(hwservicemanager, ctl_dumpstate_prop)

prebuilts/api/28.0/private/platform_app.te

@@ -34,8 +34,8 @@ allow platform_app cache_file:file create_file_perms;
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
 allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
 
 # com.android.systemui
 allow platform_app rootfs:dir getattr;

prebuilts/api/28.0/private/priv_app.te

@@ -140,6 +140,7 @@ unix_socket_connect(priv_app, traced_producer, traced)
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
+dontaudit priv_app fs_bpf:dir search;
 dontaudit priv_app net_dns_prop:file read;
 dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;

prebuilts/api/28.0/private/property_contexts

@@ -59,6 +59,7 @@ persist.sys.audit_safemode      u:object_r:safemode_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
+persist.traced.enable   u:object_r:traced_enabled_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
@@ -93,6 +94,7 @@ ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
 
 # ctl properties
 ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
+ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
 ctl.fuse_               u:object_r:ctl_fuse_prop:s0
 ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0

prebuilts/api/28.0/private/statsd.te

-type statsd, domain;
+type statsd, domain, mlstrustedsubject;
 typeattribute statsd coredomain;
 
 init_daemon_domain(statsd)
@@ -73,6 +73,7 @@ binder_call(statsd, stats)
 
 # Allow access to with hardware layer and process stats.
 allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
 hal_client_domain(statsd, hal_power)
 hal_client_domain(statsd, hal_thermal)
 
@@ -81,6 +82,13 @@ allow statsd adbd:fd use;
 allow statsd adbd:unix_stream_socket { getattr read write };
 allow statsd shell:fifo_file { getattr read };
 
+unix_socket_send(bluetooth, statsdw, statsd)
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(platform_app, statsdw, statsd)
+unix_socket_send(radio, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
 ###
 ### neverallow rules
 ###

prebuilts/api/28.0/private/system_server.te

@@ -105,6 +105,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server mediacodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
 allow system_server hal_camera:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
@@ -113,6 +114,7 @@ allow system_server bootanim:process { getsched setsched };
 # Allow system_server to write to /proc/<pid>/timerslack_ns
 allow system_server appdomain:file w_file_perms;
 allow system_server audioserver:file w_file_perms;
+allow system_server mediacodec:file w_file_perms;
 allow system_server cameraserver:file w_file_perms;
 allow system_server hal_audio_server:file w_file_perms;
 

prebuilts/api/28.0/private/vold_prepare_subdirs.te

@@ -7,13 +7,20 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
   system_data_file
   vendor_data_file
-}:dir { open read write add_name remove_name };
-allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
-allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
-allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
-allow vold_prepare_subdirs fingerprint_vendor_data_file:dir create_dir_perms;
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+    fingerprint_vendor_data_file
+    storaged_data_file
+    vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+    fingerprint_vendor_data_file
+    storaged_data_file
+    system_data_file
+    vold_data_file
+}:file { getattr unlink };

prebuilts/api/28.0/public/app.te

@@ -260,19 +260,12 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html

prebuilts/api/28.0/public/attributes

@@ -240,6 +240,7 @@ expandattribute hal_cas_server false;
 
 # HALs
 hal_attribute(allocator);
+hal_attribute(audiocontrol);
 hal_attribute(authsecret);
 hal_attribute(bluetooth);
 hal_attribute(broadcastradio);
@@ -247,6 +248,7 @@ hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(dumpstate);
+hal_attribute(evs);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
@@ -271,6 +273,7 @@ hal_attribute(tv_cec);
 hal_attribute(tv_input);
 hal_attribute(usb);
 hal_attribute(usb_gadget);
+hal_attribute(vehicle);
 hal_attribute(vibrator);
 hal_attribute(vr);
 hal_attribute(weaver);

prebuilts/api/28.0/public/domain.te

@@ -363,6 +363,14 @@ neverallow {
   -system_server
   -ueventd
 } hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+  domain
+  -init
+  -shell # stat of /dev, getattr only
+  -vendor_init
+  -ueventd
+} keychord_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
@@ -560,7 +568,7 @@ neverallow {
 } serialno_prop:file r_file_perms;
 
 # Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
 
 neverallow {
   domain
@@ -600,6 +608,7 @@ neverallow {
   -init
   -uncrypt
   -update_engine
+  -vendor_init
   -vold
   -recovery
   -ueventd
@@ -834,13 +843,25 @@ full_treble_only(`
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -coredomain
     -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -vendor_init
   } {
     core_data_file_type
     # libc includes functions like mktime and localtime which attempt to access
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-    }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write };
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -zoneinfo_data_file
+  }:file_class_set ~{ append getattr ioctl read write };
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
 ')
 full_treble_only(`
   # vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -849,12 +870,26 @@ full_treble_only(`
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -coredomain
     -data_between_core_and_vendor_violators
-    } {
-      core_data_file_type
-      -system_data_file # default label for files on /data. Covered below...
-      -vendor_data_file
-      -zoneinfo_data_file
-    }:dir *;
+    -vendor_init
+  } {
+    core_data_file_type
+    -system_data_file # default label for files on /data. Covered below...
+    -vendor_data_file
+    -zoneinfo_data_file
+  }:dir *;
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -system_data_file
+    -vendor_data_file
+    -zoneinfo_data_file
+  }:dir *;
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:dir ~search;
 ')
 full_treble_only(`
   # vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -1121,6 +1156,7 @@ neverallow {
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
@@ -1355,3 +1391,9 @@ userdebug_or_eng(`
   dontaudit domain proc_type:file create;
   dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+  coredomain
+  -init
+} mnt_vendor_file:dir *;

prebuilts/api/28.0/public/dumpstate.te

@@ -190,6 +190,10 @@ allow dumpstate cache_recovery_file:file r_file_perms;
 allow dumpstate recovery_data_file:dir r_dir_perms;
 allow dumpstate recovery_data_file:file r_file_perms;
 
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
 # Access /data/misc/profiles/{cur,ref}/
 userdebug_or_eng(`
   allow dumpstate user_profile_data_file:dir r_dir_perms;
@@ -233,16 +237,8 @@ set_prop(dumpstate, exported_dumpstate_prop)
 # dumpstate_options_prop is used to pass extra command-line args.
 set_prop(dumpstate, dumpstate_options_prop)
 
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(dumpstate, bootloader_boot_reason_prop)
-get_prop(dumpstate, last_boot_reason_prop)
-get_prop(dumpstate, system_boot_reason_prop)
+# Read any system properties
+get_prop(dumpstate, property_type)
 
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
@@ -271,6 +267,9 @@ allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4) have a new class for sockets
 allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
 ###
 ### neverallow rules
 ###

prebuilts/api/28.0/public/file.te

@@ -108,6 +108,7 @@ type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
@@ -149,7 +150,9 @@ type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
-# /metadata subdirectories
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
 type vold_metadata_file, file_type;
 
 # Speedup access for trusted applications to the runtime event tags
@@ -224,6 +227,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;
 
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.