Move more metadata policy from device to here

Test: booted metadata-encrypted device
Bug: 79781913
Change-Id: Ib4cb4a04145e5619994083da055f06fe7ae0137a
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 3dfb8a6..5d91971 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -516,6 +516,12 @@
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
 #############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
+#############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
 /mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index 735524e..dafc06f 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -477,6 +477,10 @@
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
diff --git a/private/file_contexts b/private/file_contexts
index 3dfb8a6..5d91971 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -516,6 +516,12 @@
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
 #############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
+#############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
 /mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
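Review bot: The new labels `metadata_file` and `vold_metadata_file` appear here without any type declaration or access rule in this commit, so the build depends on those types already existing elsewhere (presumably file.te, given the description says policy is being moved from device). The vold subdirectory is presumably where the metadata-encryption key material lives (the Test line boots a metadata-encrypted device), and nothing in this diff restricts which domains may read `vold_metadata_file`; a neverallow covering that label would make the move self-contained rather than leaving the restriction to device policy. The bare `#` line in the new comment block could instead say what the paths are, e.g. `# /metadata partition; /metadata/vold is vold's private metadata-encryption directory.`. The prebuilts/api/28.0/private/file_contexts hunk is a byte-identical mirror of this one (its index line carries the same blob hashes) and the same note applies there.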
diff --git a/public/init.te b/public/init.te
index 735524e..dafc06f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -477,6 +477,10 @@
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
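Review bot: `create_dir_perms` on `vold_metadata_file:dir` grants more than directory creation: per global_macros it expands to `{ create reparent rmdir rename rw_dir_perms }`, so init may also remove, rename or empty the directory, whereas the companion file rule on the next line is kept to `getattr` only. If init only needs to create `/metadata/vold` and stat what is inside, a narrower set such as `allow init vold_metadata_file:dir { create rw_dir_perms };` keeps the rule to what was exercised; if the wider set was derived from observed denials, the comment should say so. Either way `# Metadata setup` could state the intent, e.g. `# init creates /metadata/vold for vold; read access to the files inside is intentionally not granted.`. The prebuilts/api/28.0/public/init.te hunk is an identical mirror of this one and carries the same point.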