a very common pattern in distros (including CrOS) is initializing state paths at runtime, including permissions and ownership.  we see this in CrOS often with pre-start stanzas in upstart scripts:
authpolicyd.conf:
pre-start script
  AUTHPOLICY_LIB_DIR=/var/lib/authpolicyd
  mkdir -m 0710 -p "${AUTHPOLICY_LIB_DIR}"
  chown -R authpolicyd:authpolicyd "${AUTHPOLICY_LIB_DIR}"
  AUTHPOLICY_RUN_DIR=/run/authpolicyd
  mkdir -m 0700 -p "${AUTHPOLICY_RUN_DIR}"
  chown -R authpolicyd:authpolicyd "${AUTHPOLICY_RUN_DIR}"
end script

other distros have converged on a "tmpfiles.d" format:
https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

this has the advantage of reducing boiler plate and overhead (pre-start stanzas are arbitrary shell scripts that run programs to get things done), as well as making sure we only have a single codepath to harden wrt symlink processing and such.

the canonical implementation is part of systemd which won't work for us.  there is a standalone replacement, but it needs rewriting first.
https://github.com/OpenRC/opentmpfiles