Create sepolicy for allowing system_server rw in /metadata/staged-install
Bug: 146343545
Test: presubmit
Change-Id: I4a7a74ec4c5046d167741389a40da7f330d4c63d
Merged-In: I4a7a74ec4c5046d167741389a40da7f330d4c63d
(cherry picked from commit be5c4de29fe7ead7fa55ab6865d9f397dd179a30)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 40e91e2..ed41f76 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -94,6 +94,7 @@
snapshotctl_log_data_file
socket_hook_prop
soundtrigger_middleware_service
+ staged_install_file
storage_config_prop
sysfs_dm_verity
system_adbd_prop
diff --git a/private/file_contexts b/private/file_contexts
index dd64d57..ca3220c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -709,6 +709,7 @@
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
#############################
# asec containers
diff --git a/private/system_server.te b/private/system_server.te
index 4a3a538..e71e847 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1131,6 +1131,10 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)