sepolicy: Fix init denials
init.local.rc (a.k.a. init.omni.rc on-device) needs to write disk
schedulers.
It also wants to mount debugfs, but only allow that on debug builds.
avc: denied { mounton } for comm="init" path="/sys/kernel/debug" \
dev="debugfs" ino=1 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=dir
avc: denied { setattr } for name="scheduler" dev="sysfs" ino=45146 \
scontext=u:r:init:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I68e8dd982504c4673947d73119fa342f7fcd943b
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
new file mode 100644
index 0000000..d01594e
--- /dev/null
+++ b/sepolicy/private/file.te
@@ -0,0 +1,2 @@
+type sysfs_block_scheduler, fs_type, sysfs_type;
+
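Review bot: the new type at `+type sysfs_block_scheduler, fs_type, sysfs_type;` inherits every rule written against the `sysfs_type` attribute, so any domain the base policy already grants attribute-wide access to `sysfs_type` keeps that access on the scheduler node; confirm nothing unintended gains write access by running `sesearch -A -t sysfs_type` against the built policy before merging. Also, the trailing empty `+` line at the end of the new file is a style nit; drop it.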
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 40295bb..b62ada7 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -2,3 +2,6 @@
/system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
/system/bin/backuptool_ab\.sh u:object_r:otapreopt_chroot_exec:s0
/system/bin/backuptool_postinstall\.sh u:object_r:otapreopt_chroot_exec:s0
+
+# Set disk scheduler via init
+/sys/block/[^/]+/queue/scheduler u:object_r:sysfs_block_scheduler:s0
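Review bot: the entry `/sys/block/[^/]+/queue/scheduler u:object_r:sysfs_block_scheduler:s0` only takes effect if something restorecons that path; sysfs nodes get their label at creation from `genfs_contexts`, not from file_contexts, which is why the denial in the commit message still shows `tcontext=u:object_r:sysfs:s0`. Either add a `genfscon sysfs` entry for the real device path (note that `/sys/block/<dev>` is a symlink to a node under `/sys/devices`, so this regex matches the link path, not the target) or add a `restorecon /sys/block/<dev>/queue/scheduler` in init.local.rc before the `write`. Without one of those the node keeps the `sysfs` label and the allow rule in init.te never applies.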
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
new file mode 100644
index 0000000..3491baf
--- /dev/null
+++ b/sepolicy/private/init.te
@@ -0,0 +1,7 @@
+# Set disk scheduler in init.local.rc
+allow init sysfs_block_scheduler:file { open setattr write };
+
+# Mount debugfs in init.local.rc
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
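Review bot: `setattr` in `+allow init sysfs_block_scheduler:file { open setattr write };` goes beyond what writing a scheduler needs; it corresponds to a chmod/chown in the rc file (the denial is `setattr` with `tclass=file`, not `write`). If that mode change exists so a non-root process can later write the node, that widening is the thing to document and justify here; otherwise drop the chmod from init.local.rc and keep `{ open write }`. For the debugfs block, gating `mounton` with `userdebug_or_eng` is right, but the mount line in init.local.rc will still run and fail with a denial on user builds unless it is also gated there (e.g. under an `on property:ro.debuggable=1` trigger), so do both.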