From c1bc87394de8b964dd79440d0da53ae66f798de2 Mon Sep 17 00:00:00 2001
From: David Anderson <dvander@google.com>
Date: Mon, 8 Jul 2019 19:03:59 -0700
Subject: [PATCH] Add selinux labels for /metadata/ota.

/metadata/ota will store critical bits necessary to reify
system and vendor partition state during an OTA. It will be accessed
primarily by first-stage init, recovery/fastbootd, and update_engine.

Bug: 136678799
Test: manual test
Change-Id: Ib78cb96ac60ca11bb27d2b2fe011482e64ba0cf8
---
 private/compat/29.0/29.0.ignore.cil | 1 +
 private/file_contexts               | 1 +
 public/file.te                      | 2 ++
 public/vendor_init.te               | 5 +++++
 4 files changed, 9 insertions(+)

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 225b5829a..77bf84bad 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
     cold_boot_done_prop
     ctl_apexd_prop
     device_config_sys_traced_prop
+    ota_metadata_file
     runtime_apex_dir
     system_ashmem_hwservice
     vendor_apex_file))
diff --git a/private/file_contexts b/private/file_contexts
index 5532bd317..aa2a42e8c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -629,6 +629,7 @@
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
+/metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/public/file.te b/public/file.te
index c78ddd5b9..8148a9ef3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -212,6 +212,8 @@ type gsi_metadata_file, file_type;
 type password_slot_metadata_file, file_type;
 # APEX files within /metadata
 type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c439ffd22..3312ff8f1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -51,6 +51,7 @@ allow vendor_init {
   -system_file_type
   -mnt_product_file
   -password_slot_metadata_file
+  -ota_metadata_file
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -65,6 +66,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
+  -ota_metadata_file
   -runtime_event_log_tags_file
   -system_file_type
   -unlabeled
@@ -79,6 +81,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
+  -ota_metadata_file
   -system_file_type
   -unlabeled
   -vendor_file_type
@@ -93,6 +96,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
+  -ota_metadata_file
   -system_file_type
   -unlabeled
   -vendor_file_type
@@ -107,6 +111,7 @@ allow vendor_init {
   -exec_type
   -mnt_product_file
   -password_slot_metadata_file
+  -ota_metadata_file
   -system_file_type
   -vendor_file_type
   -vold_metadata_file