Merge "Create sepolicy for allowing system_server rw in /metadata/staged-install" into rvc-dev am: b1ab605166 am: a24edb5aeb
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/11408966
Change-Id: I9c5fa0f609b67bcad2b3937b102b2f95512f11b7
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index db0d8ee..bf68d7b 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -94,6 +94,7 @@
snapshotctl_log_data_file
socket_hook_prop
soundtrigger_middleware_service
+ staged_install_file
storage_config_prop
sysfs_dm_verity
system_adbd_prop
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index 4f86f71..b86d9a2 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -707,6 +707,7 @@
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
#############################
# asec containers
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index bfac1a6..26f81a0 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -1113,6 +1113,10 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 7f56d9a..dffa5a3 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -232,6 +232,8 @@
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index db0d8ee..bf68d7b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -94,6 +94,7 @@
snapshotctl_log_data_file
socket_hook_prop
soundtrigger_middleware_service
+ staged_install_file
storage_config_prop
sysfs_dm_verity
system_adbd_prop
diff --git a/private/file_contexts b/private/file_contexts
index 4f86f71..b86d9a2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -707,6 +707,7 @@
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
#############################
# asec containers
diff --git a/private/system_server.te b/private/system_server.te
index bfac1a6..26f81a0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1113,6 +1113,10 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
diff --git a/public/file.te b/public/file.te
index 7f56d9a..dffa5a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -232,6 +232,8 @@
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;