From 5e175476f21adae5b0a14604198ca69d71ae68cf Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Wed, 5 Feb 2020 14:58:27 -0800
Subject: [PATCH] Allow init to set the encryption policy on unlabeled directories.

This fixes a bug where a directory's label was removed, causing it to be unlabeled, and we crashed on trying to set its encryption policy.

Fixes: 148923156
Test: Successfully update from build with the deleted label.
Change-Id: I69c3707e3e66d9e44a22b0783d3016c8ddab6b8f
---
 public/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/init.te b/public/init.te
index cc60b5a97..19c7e4bd6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -546,7 +546,7 @@ allow init init:key { write search setattr };
 allow init unencrypted_data_file:dir create_dir_perms;
 
 # Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
 FS_IOC_GET_ENCRYPTION_POLICY
 FS_IOC_SET_ENCRYPTION_POLICY
 };
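Review bot: The comment above the rule still reads `# Set encryption policy on dirs in /data`, but with `unlabeled` in the target set the rule is no longer limited to /data types. `unlabeled` applies to any directory whose stored context is not valid in the loaded policy, wherever it lives. I would record the reason next to the rule, for example `# unlabeled: a dir whose type was dropped from policy shows up unlabeled after an update (bug 148923156)`, so a later reader does not take the wider target set as a general grant. An allowxperm rule only narrows which ioctl commands pass and relies on a matching `allow init unlabeled:dir ioctl` rule, which is not visible in this hunk; it is worth confirming that rule exists and is scoped as tightly as this one.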