Merge "Create sepolicy for allowing system_server rw in /metadata/staged-install" am: 19b3a4408d

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1314915

Change-Id: Ie3ed3523a8a95356b909d6438ddd347522539e29

prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil

@@ -90,6 +90,7 @@
     snapshotctl_log_data_file
     socket_hook_prop
     soundtrigger_middleware_service
+    staged_install_file
     storage_config_prop
     sysfs_dm_verity
     system_adbd_prop

prebuilts/api/30.0/private/file_contexts

@@ -706,6 +706,7 @@
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 
 #############################
 # asec containers

prebuilts/api/30.0/private/system_server.te

@@ -1112,6 +1112,10 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
 # Allow init to set sysprop used to compute stats about userspace reboot.
 set_prop(system_server, userspace_reboot_log_prop)
 

prebuilts/api/30.0/public/file.te

@@ -231,6 +231,8 @@ type apex_metadata_file, file_type;
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;

private/compat/29.0/29.0.ignore.cil

@@ -94,6 +94,7 @@
     snapshotctl_log_data_file
     socket_hook_prop
     soundtrigger_middleware_service
+    staged_install_file
     storage_config_prop
     sysfs_dm_verity
     system_adbd_prop

private/file_contexts

@@ -709,6 +709,7 @@
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 
 #############################
 # asec containers

private/system_server.te

@@ -1131,6 +1131,10 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
 # Allow init to set sysprop used to compute stats about userspace reboot.
 set_prop(system_server, userspace_reboot_log_prop)
 

public/file.te

@@ -231,6 +231,8 @@ type apex_metadata_file, file_type;
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;