init.rc: restorecon /data/media before chattr
The SELinux type of /data/media has changed from media_rw_data_file to
media_userdir_file, but the recursive restorecon of /data happens too
late when taking an upgrade. Add a restorecon of /data/media just
above the chattr command, which needs the new label to be allowed. This
doesn't "really" matter, since the chattr command is only needed just
after the directory was created anyway, but this fixes a SELinux denial.
Bug: 156305599
Bug: 232824121
Change-Id: I897be19ceb4686511469bdf7efda2483f298eee4
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2746314..70a3736 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -922,7 +922,6 @@
# contain any subdirectories other than the per-user ones. /data/media/obb
# is an exception that exists for legacy reasons.
mkdir /data/media 0770 media_rw media_rw encryption=None
- exec - media_rw media_rw -- /system/bin/chattr +F /data/media
mkdir /data/misc_ce 01771 system misc encryption=None
mkdir /data/misc_de 01771 system misc encryption=None
mkdir /data/system_ce 0770 system system encryption=None
@@ -932,6 +931,11 @@
mkdir /data/vendor_ce 0771 root root encryption=None
mkdir /data/vendor_de 0771 root root encryption=None
+ # Set the casefold flag on /data/media. For upgrades, a restorecon can be
+ # needed first to relabel the directory from media_rw_data_file.
+ restorecon /data/media
+ exec - media_rw media_rw -- /system/bin/chattr +F /data/media
+
# A tmpfs directory, which will contain all apps CE DE data directory that
# bind mount from the original source.
mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
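Review bot: The new comment above `restorecon /data/media` names the old label but not the label the `chattr` step depends on, and it does not say that the relabel is intentionally limited to the directory itself. Going by the commit message, the `exec` running as media_rw is only allowed once the directory carries media_userdir_file, and the contents are left for the later recursive restorecon of /data. I would spell that out in the comment, for example `# Non-recursive on purpose: only the directory's own label (media_userdir_file) is needed for chattr; the rest of /data is relabeled later.` It may also be worth noting there that both commands run on every boot, not just on upgrade, so a reader does not mistake the restorecon for a one-time migration step.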