Uncrypt: Allow uncrypt to write on ota_package_file. am: 5491d7e26c

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/12133466

Change-Id: Id9a91163e2b981bfee21fc6ef5f78123d50668e2

prebuilts/api/30.0/public/uncrypt.te

@@ -15,9 +15,9 @@ allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
 allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
 
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@ allow uncrypt proc_cmdline:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;

public/uncrypt.te

@@ -15,9 +15,9 @@ allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
 allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
 
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@ allow uncrypt proc_cmdline:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;