From bb3ba3e5d9e1ea92e6bd571cc259de4b56febcfb Mon Sep 17 00:00:00 2001
From: Paul Crowley <paulcrowley@google.com>
Date: Thu, 17 May 2018 10:15:53 -0700
Subject: [PATCH] Move more metadata policy from device to here

Test: booted metadata-encrypted device
Bug: 79781913
Change-Id: Ib4cb4a04145e5619994083da055f06fe7ae0137a
---
 prebuilts/api/28.0/private/file_contexts | 6 ++++++
 prebuilts/api/28.0/public/init.te        | 4 ++++
 private/file_contexts                    | 6 ++++++
 public/init.te                           | 4 ++++
 4 files changed, 20 insertions(+)

diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 3dfb8a649..5d919710e 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index 735524e0c..dafc06f99 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
diff --git a/private/file_contexts b/private/file_contexts
index 3dfb8a649..5d919710e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
diff --git a/public/init.te b/public/init.te
index 735524e0c..dafc06f99 100644
--- a/public/init.te
+++ b/public/init.te
@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
-- 
GitLab