Merge "Move more metadata policy from device to here" into pi-dev

prebuilts/api/28.0/private/file_contexts

@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0

prebuilts/api/28.0/public/init.te

@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###

private/file_contexts

@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0

public/init.te

@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###