Add rules for multi-user backup/restore
The backup system service will move its storage location to per-user CE
directories to support multiple users. Add additional iterations on the
existing rules to support the new location.
/data/backup -> /data/system_ce/[user id]/backup
Previously covered by rule backup_data_file
/cache/backup -> /data/system_ce/[user id]/backup_stage
Previously covered by rule cache_backup_file
Also add support for vold to create and perform restorecon on the new
locations.
Example denials and detailed proposal in the doc on the linked bug.
Bug: 121197420
Test: 1) Boot device; check dirs created with correct label; run backup
successfully on system user
2) Create secondary user; check dirs created with correct label; run
backup successfully
Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
diff --git a/private/file_contexts b/private/file_contexts
index 11f8f6e..ac1b7ab 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -557,6 +557,11 @@
# iorapd per-user data
/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
+# Backup service persistent per-user bookkeeping
+/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
+# Backup service temporary per-user data for inter-change with apps
+/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0
+
#############################
# efs files
#
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 09d0ca9..e6df48d 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,6 +14,7 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
@@ -22,6 +23,7 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file