commit d25ccabd24339938b6b3bb93cb3cb96b4aa55958
author Jeff Vander Stoep <jeffv@google.com> Wed Feb 07 16:29:06 2018 -0800
committer Jeffrey Vander Stoep <jeffv@google.com> Thu Feb 08 17:21:25 2018 +0000
tree f60d688f2fbc6a91785e2d07496b1ed5b8442371
parent 8c87c2ad6559956fce5860d771b74046cde54714

label /data/vendor{_ce,_de}

Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34

private/vold_prepare_subdirs.te

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510e..af1f442 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
 allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+  system_data_file
+  vendor_data_file
+}:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
 allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;