Commit 27.0 sepolicy prebuilts to master.
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: I62304b342a8b52fd505892cc2d4ebc882148224b
diff --git a/prebuilts/api/27.0/public/uncrypt.te b/prebuilts/api/27.0/public/uncrypt.te
new file mode 100644
index 0000000..d10eb39
--- /dev/null
+++ b/prebuilts/api/27.0/public/uncrypt.te
@@ -0,0 +1,39 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, exec_type, file_type;
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)