Merge "[SEPolicy][sota_app]Move sota_app to gs-common." into udc-d1-dev
diff --git a/sota_app/factoryota.mk b/sota_app/factoryota.mk
new file mode 100644
index 0000000..14ed2b5
--- /dev/null
+++ b/sota_app/factoryota.mk
@@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += \
+    FactoryOtaPrebuilt
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext
diff --git a/sota_app/sepolicy/system_ext/factory_ota_app.te b/sota_app/sepolicy/system_ext/factory_ota_app.te
new file mode 100644
index 0000000..f48adeb
--- /dev/null
+++ b/sota_app/sepolicy/system_ext/factory_ota_app.te
@@ -0,0 +1,32 @@
+type factory_ota_app, domain, coredomain;
+
+app_domain(factory_ota_app)
+net_domain(factory_ota_app)
+
+# Write to /data/ota_package for OTA packages.
+# Factory OTA client will download OTA image into ota_package folder and unzip it.
+# Than Update engine could use it to execute OTA process.
+# So Factory OTA client need read / write and create file access right for this folder
+allow factory_ota_app ota_package_file:dir rw_dir_perms;
+allow factory_ota_app ota_package_file:file create_file_perms;
+
+# Properties
+# For write system property persist.*
+set_prop(factory_ota_app, sota_prop);
+
+# Services
+# For get access WiFi manager service and activity service
+allow factory_ota_app app_api_service:service_manager find;
+# Allow Factory OTA to call Update Engine
+binder_call(factory_ota_app, update_engine)
+# Allow Update Engine to call the Factory OTA callback
+binder_call(update_engine, factory_ota_app)
+#For access update engine function
+allow factory_ota_app update_engine_service:service_manager find;
+#For disable NFC wake up device feature
+allow factory_ota_app nfc_service:service_manager find;
+#For get device IMEI
+allow factory_ota_app radio_service:service_manager find;
+
+# For suppress more GPU service sepolicy error log.
+dontaudit factory_ota_app gpuservice:binder call;
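Review bot: The comment above `set_prop(factory_ota_app, sota_prop);` says the grant is "for write system property persist.*", but in this same change sota_prop also labels `ro.boot.sota*`, `persist.vendor.radio.bootwithlpm` and `persist.vendor.nfc.factoryota.*`, so the app's write scope is wider than the comment states (ro.* values cannot be rewritten once init has set them, but the radio/NFC persist props can). If the app only needs its own namespace, a separate type for the radio/NFC/ro.boot entries would narrow it; otherwise reword to `# Write sota_prop: persist.vendor.factoryota.*, persist.vendor.radio.bootwithlpm, persist.vendor.nfc.factoryota.* (see property_contexts)`. `binder_call(update_engine, factory_ota_app)` grants update_engine a permission from inside the app's .te file; a one-line comment such as `# NOTE: this rule extends update_engine, not factory_ota_app` (or moving it to an update_engine.te extension) makes it easier to audit. Minor wording: `Than Update engine could use it` → `Then update_engine can use it`, and `need read / write` → `needs read/write`.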
diff --git a/sota_app/sepolicy/system_ext/property_contexts b/sota_app/sepolicy/system_ext/property_contexts
new file mode 100644
index 0000000..deb34dc
--- /dev/null
+++ b/sota_app/sepolicy/system_ext/property_contexts
@@ -0,0 +1,5 @@
+ro.boot.sota                                    u:object_r:sota_prop:s0
+ro.boot.sota.                                   u:object_r:sota_prop:s0
+persist.vendor.factoryota.                      u:object_r:sota_prop:s0
+persist.vendor.radio.bootwithlpm                u:object_r:sota_prop:s0
+persist.vendor.nfc.factoryota.                  u:object_r:sota_prop:s0
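Review bot: `ro.boot.sota` and `ro.boot.sota.` are given the same writable type (sota_prop) that factory_ota_app and vendor_init receive `set_prop` for in this change, yet ro.boot.* is normally populated by init from the kernel command line/bootconfig and is immutable afterwards, so the write grant on those two entries is presumably inert and only widens what the type means. If the app and vendor_init only read them, consider a distinct read-only type for the ro.boot entries, or add `# ro.boot.sota*: read-only, set from bootconfig/cmdline; grouped here for get_prop only` so the intent is visible. The mix of factoryota, radio and nfc namespaces under one label is worth a comment naming each consumer, since a later `set_prop` on sota_prop silently covers all of them.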
diff --git a/sota_app/sepolicy/system_ext/seapp_contexts b/sota_app/sepolicy/system_ext/seapp_contexts
new file mode 100644
index 0000000..673f451
--- /dev/null
+++ b/sota_app/sepolicy/system_ext/seapp_contexts
@@ -0,0 +1,2 @@
+# Factory OTA
+user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all
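Review bot: The `seinfo=platform` gate is what keeps the `name=com.google.android.factoryota` match — and with it write access to ota_package_file and sota_prop — from being claimed by an arbitrary app that reuses the package name, but nothing in the entry says so. Suggest extending the comment to `# Factory OTA: platform-signed only (seinfo=platform); the domain can stage OTA payloads in /data/ota_package, so do not relax this` so a future edit does not drop the signature constraint as cleanup.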
diff --git a/sota_app/sepolicy/system_ext/vendor_init.te b/sota_app/sepolicy/system_ext/vendor_init.te
new file mode 100644
index 0000000..11191e3
--- /dev/null
+++ b/sota_app/sepolicy/system_ext/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, sota_prop)
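Review bot: The rule carries no comment stating which sota_prop entries vendor init scripts actually write, and because the type spans factoryota, radio and nfc namespaces (see property_contexts in this change) the grant is broader than any single init.rc line is likely to need. Suggest `# vendor init.rc sets persist.vendor.factoryota.* / persist.vendor.nfc.factoryota.* at boot (sota_prop)` adjusted to whatever the scripts really set; I cannot see the init.rc here, so the exact list should be confirmed. Style nit: factory_ota_app.te writes `set_prop(...);` with a trailing semicolon while this file omits it; pick one form.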