Add metadata_file class for root of metadata folder.

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91

private/compat/26.0/26.0.ignore.cil

@@ -66,6 +66,7 @@
     lowpan_service
     mediaextractor_update_service
     mediaprovider_tmpfs
+    metadata_file
     mnt_vendor_file
     netd_stable_secret_prop
     network_watchlist_data_file

private/compat/27.0/27.0.ignore.cil

@@ -54,6 +54,7 @@
     lowpan_prop
     lowpan_service
     mediaextractor_update_service
+    metadata_file
     mnt_vendor_file
     network_watchlist_data_file
     network_watchlist_service

public/file.te

@@ -150,7 +150,9 @@ type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
-# /metadata subdirectories
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
 type vold_metadata_file, file_type;
 
 # Speedup access for trusted applications to the runtime event tags

public/init.te

@@ -98,6 +98,9 @@ allow init configfs:dir mounton;
 allow init configfs:dir create_dir_perms;
 allow init configfs:{ file lnk_file } create_file_perms;
 
+# /metadata
+allow init metadata_file:dir mounton;
+
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
 

public/vold.te

@@ -17,6 +17,7 @@ allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;
 
 r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
 allow vold {
   proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_cmdline