From 42bd1638bfc130b788d118a69de7d490a7cfd5b2 Mon Sep 17 00:00:00 2001
From: Paul Crowley
Date: Fri, 20 Apr 2018 11:14:49 -0700
Subject: [PATCH] Add metadata_file class for root of metadata folder.

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 public/file.te | 4 +++-
 public/init.te | 3 +++
 public/vold.te | 1 +
 5 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 29a2d7fb7..94a37d6ab 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -66,6 +66,7 @@
 lowpan_service
 mediaextractor_update_service
 mediaprovider_tmpfs
+ metadata_file
 mnt_vendor_file
 netd_stable_secret_prop
 network_watchlist_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 64ec724b1..31d08e9ce 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
 lowpan_prop
 lowpan_service
 mediaextractor_update_service
+ metadata_file
 mnt_vendor_file
 network_watchlist_data_file
 network_watchlist_service
diff --git a/public/file.te b/public/file.te
index aeb15dc91..e68e46601 100644
--- a/public/file.te
+++ b/public/file.te
@@ -150,7 +150,9 @@ type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
-# /metadata subdirectories
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
 type vold_metadata_file, file_type;
 
 # Speedup access for trusted applications to the runtime event tags
diff --git a/public/init.te b/public/init.te
index 304703766..35a98fe44 100644
--- a/public/init.te
+++ b/public/init.te
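Review bot: The new `metadata_file` type in file.te is declared as a bare `file_type` with nothing in this change that labels /metadata with it or limits which domains may write to it, and the one-line comment does not say what is expected to live at that root. None of the five files in the diffstat is a file_contexts file, so the labeling of the mount point presumably comes from device policy or a follow-up; that dependency is worth stating in the commit message so a device that forgets it does not leave /metadata on the rootfs label. I would expand the comment to `# /metadata partition itself. Only the mount point and the partition root carry this type; each subsystem gets its own subdirectory type (e.g. vold_metadata_file) so write access can be confined per owner.` If no domain other than init needs to populate the root, a neverallow keeping `metadata_file:dir` write permissions (`create add_name remove_name`) away from the rest of `domain` would make that intent enforceable rather than implied.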
@@ -98,6 +98,9 @@ allow init configfs:dir mounton;
 allow init configfs:dir create_dir_perms;
 allow init configfs:{ file lnk_file } create_file_perms;
 
+# /metadata
+allow init metadata_file:dir mounton;
+
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
diff --git a/public/vold.te b/public/vold.te
index 95847cf64..0b0c7663b 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -17,6 +17,7 @@ allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;
 
 r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
 allow vold {
 proc # b/67049235 processes /proc//* files are mislabeled.
 proc_cmdline
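Review bot: The comment `# /metadata` above the new init rule only repeats the path and does not say why init needs `mounton` there or what the mount backs; the commit's test line is the only hint that this is for metadata encryption. I would write `# Mount the metadata partition on /metadata; it holds boot-time metadata (e.g. metadata-encryption state) that must be readable before /data is up` in its place. The rule grants only `mounton`, so creating or relabeling the mount point itself relies on rules outside this hunk, and a reviewer should confirm the directory actually carries the `metadata_file` label before the mount rather than the rootfs type, since otherwise this allow never matches.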
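Review bot: `r_dir_file(vold, metadata_file)` grants vold read and open on every directory and file labeled `metadata_file`, not just directory traversal, so any file that lands at the root of /metadata without a more specific label becomes readable by vold. If vold only needs to descend into its own subdirectory (labeled `vold_metadata_file`, per the file.te hunk), `allow vold metadata_file:dir search;` is the tighter rule; if it genuinely has to enumerate the root, keep the macro but say so: `# vold lists the /metadata root; its own files live under vold_metadata_file`. Either way a comment is warranted, since the line now sits between the unrelated rootfs and proc rules with nothing tying it to the metadata-encryption work.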