Move FactoryOTA sepolicy Setting to Pixel-wide location

Bug: 150564805
Test: Manual

Change-Id: I5f68061671ef7f2439378925998b2e89f8decd2f
Merged-In: I5f68061671ef7f2439378925998b2e89f8decd2f
(cherry picked from commit f8fb5f636c2c93ee16eeba961f75714ea83fac9f)
diff --git a/sota_app/factory_ota_app.te b/sota_app/factory_ota_app.te
new file mode 100644
index 0000000..5652ce9
--- /dev/null
+++ b/sota_app/factory_ota_app.te
@@ -0,0 +1,33 @@
+type factory_ota_app, domain, coredomain;
+
+app_domain(factory_ota_app)
+net_domain(factory_ota_app)
+
+# Write to /data/ota_package for OTA packages.
+# Factory OTA client will download OTA image into ota_package folder and unzip it.
+# Than Update engine could use it to execute OTA process.
+# So Factory OTA client need read / write and create file access right for this folder
+allow factory_ota_app ota_package_file:dir rw_dir_perms;
+allow factory_ota_app ota_package_file:file create_file_perms;
+
+# Properties
+# For write system property persist.*
+set_prop(factory_ota_app, sota_prop);
+
+# Services
+# For get access WiFi manager service and activity service
+allow factory_ota_app app_api_service:service_manager find;
+# Allow Factory OTA to call Update Engine
+binder_call(factory_ota_app, update_engine)
+# Allow Update Engine to call the Factory OTA callback
+binder_call(update_engine, factory_ota_app)
+#For access update engine function
+allow factory_ota_app update_engine_service:service_manager find;
+#For disable NFC wake up device feature
+allow factory_ota_app nfc_service:service_manager find;
+#For get device IMEI
+allow factory_ota_app radio_service:service_manager find;
+
+# For suppress more GPU service sepolicy error log.
+dontaudit factory_ota_app gpuservice:binder call;
+dontaudit factory_ota_app sysfs_msm_subsys:dir search;
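Review bot: The comment above `set_prop(factory_ota_app, sota_prop);` says "persist.*", but the rule grants set access to everything labelled sota_prop. In the property_contexts file added by this same commit, that label also covers `ro.boot.sota` and `persist.vendor.radio.bootwithlpm`. A comment that matches the grant would be `# Allow setting sota_prop: ro.boot.sota*, persist.vendor.factoryota.*, persist.vendor.radio.bootwithlpm`. The declaration of `sota_prop` is not in this commit, so it presumably lives elsewhere. Because the domain is declared `coredomain` and two of the labelled names are in the `persist.vendor.` namespace, it is worth confirming that the type's attributes do not trip the Treble property neverallow rules. The trailing `;` after the macro call is also inconsistent with the other macro calls in this file and with `set_prop(vendor_init, sota_prop)` in vendor_init.te.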
diff --git a/sota_app/property_contexts b/sota_app/property_contexts
new file mode 100644
index 0000000..444fda2
--- /dev/null
+++ b/sota_app/property_contexts
@@ -0,0 +1,4 @@
+ro.boot.sota                                    u:object_r:sota_prop:s0
+ro.boot.sota.                                   u:object_r:sota_prop:s0
+persist.vendor.factoryota.                      u:object_r:sota_prop:s0
+persist.vendor.radio.bootwithlpm                u:object_r:sota_prop:s0
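Review bot: `ro.boot.sota` and `persist.vendor.radio.bootwithlpm` have no match keyword, so both are treated as prefix matches. The first already covers the `ro.boot.sota.` line below it, and it would also label any other property whose name merely starts with `ro.boot.sota`. If only the exact names are intended, mark them as such, e.g. `ro.boot.sota u:object_r:sota_prop:s0 exact <type>` with the value type filled in, and keep the dotted entries as prefixes. Separately, `persist.vendor.radio.bootwithlpm` shares one label with the app's own namespace, so every domain granted set on sota_prop (factory_ota_app and vendor_init in this commit) can change that radio setting. A dedicated type for it would keep the grant narrower.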
diff --git a/sota_app/seapp_contexts b/sota_app/seapp_contexts
new file mode 100644
index 0000000..673f451
--- /dev/null
+++ b/sota_app/seapp_contexts
@@ -0,0 +1,2 @@
+# Factory OTA
+user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all
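Review bot: The entry sets `domain=` but no `type=`, so it is skipped when the app's data directory is labelled. That label and its level would then come from whichever other seapp_contexts entry matches the package, presumably the generic platform entry, which is outside this commit. If the data directory is meant to follow this entry's `levelFrom=all`, state it explicitly, e.g. `user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app type=app_data_file levelFrom=all`. The `# Factory OTA` comment could also note that the mapping depends on `seinfo=platform` (the platform signature) as well as the package name, since the domain can write OTA packages and call update_engine.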
diff --git a/sota_app/vendor_init.te b/sota_app/vendor_init.te
new file mode 100644
index 0000000..11191e3
--- /dev/null
+++ b/sota_app/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, sota_prop)
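Review bot: This rule has no comment, and nothing in the commit shows which init script sets which sota_prop property, so a reviewer cannot tell whether vendor_init needs the whole label. Please add a line such as `# vendor_init sets <property name> from <init .rc file>` with the real names filled in. If only one property is involved, that is another reason to give it its own type rather than the shared sota_prop label.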