Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
diff --git a/private/uncrypt.te b/private/uncrypt.te
index 1a94cd1..156f684 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -4,3 +4,46 @@
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
+
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+ proc_bootconfig
+ proc_cmdline
+
+}:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)