Add rules for multi-user backup/restore

The backup system service will move its storage location to per-user CE
directories to support multiple users. Add additional iterations on the
existing rules to support the new location.

/data/backup -> /data/system_ce/[user id]/backup
Previously covered by rule backup_data_file

/cache/backup -> /data/system_ce/[user id]/backup_stage
Previously covered by rule cache_backup_file

Also add support for vold to create and perform restorecon on the new
locations.

Example denials and detailed proposal in the doc on the linked bug.

Bug: 121197420
Test: 1) Boot device; check dirs created with correct label; run backup
successfully on system user
2) Create secondary user; check dirs created with correct label; run
backup successfully

Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77

private/file_contexts

@@ -557,6 +557,11 @@
 # iorapd per-user data
 /data/misc_ce/[0-9]+/iorapd(/.*)?           u:object_r:iorapd_data_file:s0
 
+# Backup service persistent per-user bookkeeping
+/data/system_ce/[0-9]+/backup(/.*)?		u:object_r:backup_data_file:s0
+# Backup service temporary per-user data for inter-change with apps
+/data/system_ce/[0-9]+/backup_stage(/.*)?	u:object_r:backup_data_file:s0
+
 #############################
 # efs files
 #

private/vold_prepare_subdirs.te

@@ -14,6 +14,7 @@ allow vold_prepare_subdirs {
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
@@ -22,6 +23,7 @@ allow vold_prepare_subdirs {
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file