vendor: omni: sepolicy update
Thanks to CM.
Change-Id: I033a7af3aaf6ba5fa3b6d78bd4ddd674e152e40c
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
new file mode 100644
index 0000000..39a87aa
--- /dev/null
+++ b/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd adbtcp_prop:property_service set;
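Review bot: The added rule carries no comment saying what it enables, whereas system.te in this same change documents the identical grant with `# allow adb related properties to be set`; add that line above the rule here and in shell.te. Across adbd.te, shell.te and system.te three domains can now set properties under the `service.adb.tcp.` prefix mapped in property_contexts, so this comment is also the place to record that the shell domain is intentionally allowed to change the adb TCP port.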
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 8d6f8d6..54fe044 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -7,4 +7,6 @@
/sys/block/mmcblk[0-2]/queue(/.*) u:object_r:sysfs_ioscheduler:s0
/sys/block/zram(/.*)? u:object_r:sysfs_zram:s0
-/system/bin/sysinit u:object_r:sysinit_exec:s0
\ No newline at end of file
+/system/bin/sysinit u:object_r:sysinit_exec:s0
+/system/etc/init.d/90userinit u:object_r:userinit_exec:s0
+/data/local/userinit.sh u:object_r:userinit_data_exec:s0
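Review bot: The last added line labels `/data/local/userinit.sh`, a path the shell user can write to, with the new `userinit_data_exec` type, yet nothing in this change grants any domain execute access on that type (sysinit.te only receives `userinit_exec`), so either the label grants nothing or the executing domain is defined outside this diff; the intended executor, and the fact that the script is user-modifiable, deserve a comment on this line. The dots in both new paths are regex metacharacters in file_contexts and should be escaped: `/system/etc/init\.d/90userinit u:object_r:userinit_exec:s0` and `/data/local/userinit\.sh u:object_r:userinit_data_exec:s0`.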
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..4711cf5
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1 @@
+allow healthd self:capability { dac_override dac_read_search };
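Review bot: The capability grant on the added line has no comment explaining which access triggers it, unlike the rules in ueventd.te in this same change. `dac_override` lets healthd bypass every DAC permission check, which is much broader than `dac_read_search` and is usually a symptom of a file with the wrong owner or mode; record the denial being addressed, and if the access is read-only drop `dac_override`, e.g. `# <denied path here>: healthd reads files owned by another uid` above the rule.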
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..e84c508
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,6 @@
+###########################
+# OmniROM common sepolicy
+#
+
+type userinit_prop, property_type;
+type adbtcp_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..113193f
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,6 @@
+###########################
+# OmniROM common sepolicy
+#
+
+service.adb.tcp. u:object_r:adbtcp_prop:s0
+omni.userinit.active u:object_r:userinit_prop:s0
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
index c403439..2084aaa 100644
--- a/sepolicy/sepolicy.mk
+++ b/sepolicy/sepolicy.mk
@@ -7,11 +7,19 @@
vendor/omni/sepolicy
BOARD_SEPOLICY_UNION += \
+ adbd.te \
file_contexts \
file.te \
genfs_contexts \
+ healthd.te \
+ property_contexts \
installd.te \
+ property.te \
+ shell.te \
sysinit.te \
+ system.te \
system_app.te \
system_server.te \
+ ueventd.te \
+ userinit.te \
vold.te
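Review bot: `property_contexts \` is inserted between `healthd.te \` and `installd.te \`, breaking the sorted order the rest of the list keeps, while `property.te \` lands after `installd.te \` on its own. Move the line so the list reads `property.te \` followed by `property_contexts \` after `installd.te \`. The variable assignment this hunk extends begins before the hunk.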
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..48b4777
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1 @@
+allow shell adbtcp_prop:property_service set;
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
index e28daa1..11087e5 100644
--- a/sepolicy/sysinit.te
+++ b/sepolicy/sysinit.te
@@ -1,12 +1,17 @@
+###########################
+# OmniROM common sepolicy
+#
+
type sysinit, domain;
type sysinit_exec, exec_type, file_type;
init_daemon_domain(sysinit)
-#============= sysinit ==============
-allow sysinit devpts:chr_file { rw_file_perms };
-allow sysinit shell_exec:file { rx_file_perms };
-allow sysinit system_file:file { rx_file_perms };
-allow sysinit self:process setcurrent;
+allow sysinit devpts:chr_file rw_file_perms;
+allow sysinit shell_exec:file rx_file_perms;
+allow sysinit system_file:file rx_file_perms;
+allow sysinit self:process { setcurrent setsched };
+allow sysinit userinit_exec:file { rx_file_perms };
+
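Review bot: The new rule `allow sysinit userinit_exec:file { rx_file_perms };` keeps the braces around a single macro that this same hunk removes from the three rules above it; write it as `allow sysinit userinit_exec:file rx_file_perms;` and drop the trailing blank line added at the end of the file. The grant comes with no `domain_auto_trans`, so the userinit script will run inside the sysinit domain, and `setsched` is added to the `self:process` rule without a comment saying what needs it; a short comment on each would help the next reader.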
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..0b37f4e
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1,9 @@
+###########################
+## OmniROM common sepolicy
+##
+
+# allow adb related properties to be set
+allow system_server adbtcp_prop:property_service set;
+
+# System server dynamically loads some dexfiles
+allow system_server dex2oat_exec:file rx_file_perms;
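Review bot: The header comment uses `## OmniROM common sepolicy` and `##` while every other new file in this change uses a single `#`; make it `# OmniROM common sepolicy` for consistency. The `dex2oat_exec` rule executes the compiler in place within the system_server domain rather than through a transition; if this tree defines a dex2oat domain, confirm that running it in place is intended and say so in the comment above the rule.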
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..fc0fb23
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,8 @@
+# ueventd needs to relabel files that pop in and out of sysfs
+allow ueventd sysfs:file relabelfrom;
+# ueventd will set permissions on cpufreq nodes
+allow ueventd sysfs_devices_system_cpu:file setattr;
+
+# ueventd loads audio firmware on many devices
+allow ueventd audio_data_file:dir r_dir_perms;
+allow ueventd audio_data_file:file r_file_perms;
diff --git a/sepolicy/userinit.te b/sepolicy/userinit.te
new file mode 100644
index 0000000..a9b63a4
--- /dev/null
+++ b/sepolicy/userinit.te
@@ -0,0 +1,8 @@
+###########################
+# OmniROM common sepolicy
+#
+
+type userinit_exec, exec_type, file_type;
+type userinit_data_exec, file_type;
+
+allow userinit_exec userinit_prop:property_service set;
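Review bot: The added rule `allow userinit_exec userinit_prop:property_service set;` names `userinit_exec` as its source, but that type is declared three lines above as a file type (`exec_type, file_type`), not a domain, so no process ever runs with it as its context and the rule grants nothing. Since sysinit.te in this change gives sysinit `rx_file_perms` on `userinit_exec` with no `domain_auto_trans`, the script runs in the sysinit domain and the rule presumably belongs as `allow sysinit userinit_prop:property_service set;` (or `set_prop(sysinit, userinit_prop)` if this tree's te_macros provide it) — unless a userinit domain and transition are defined outside this diff. `userinit_data_exec` is also declared here with no rule in this change allowing any domain to execute it, which should be documented or dropped.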