Create sepolicy for allowing system_server rw in /metadata/repair-mode
Bug: 277561275
Test: ls -all -Z /metadata/repair-mode
Change-Id: Ie27b6ef377bb3503e87fbc5bb2446bc0de396123
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index fa6712f..069d06a 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -59,6 +59,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index ac2ab12..0caddf2 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -841,6 +841,7 @@
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 98d859c..aff4a0a 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te
@@ -1441,6 +1441,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index da76aee..7cfd8ad 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te
@@ -287,6 +287,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 618bb11..3f18f8c 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -63,6 +63,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/private/file_contexts b/private/file_contexts
index 3a9c04d..600c2b8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -841,6 +841,7 @@
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/private/system_server.te b/private/system_server.te
index 0856bd6..099d786 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1435,6 +1435,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
diff --git a/public/file.te b/public/file.te
index d06331c..9496c02 100644
--- a/public/file.te
+++ b/public/file.te
@@ -290,6 +290,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;