vendor sepolicy genesis v2

Change-Id: I1ccf1ffed326c1ae7d008a847b11b58227b7e7e3
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..40295bb
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1,4 @@
+# Postinstall
+/system/bin/backuptool_ab\.functions              u:object_r:otapreopt_chroot_exec:s0
+/system/bin/backuptool_ab\.sh                     u:object_r:otapreopt_chroot_exec:s0
+/system/bin/backuptool_postinstall\.sh            u:object_r:otapreopt_chroot_exec:s0
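Review bot: The three backuptool entries reuse the platform type `otapreopt_chroot_exec` instead of a type of their own, so every rule keyed on that type applies equally to these scripts and to whatever else carries the label. That includes the `shell … getattr` rule in shell.te and the `update_engine … rx_file_perms` rule in update_engine.te from this same commit. Any domain transition the platform policy defines on `otapreopt_chroot_exec` would presumably also fire when one of these scripts is executed; that is not visible here and should be confirmed. A dedicated exec type (for example `backuptool_exec`, a name constructed for this note) would keep the grants scoped to these files. The `# Postinstall` comment could also say who runs the scripts and why they need an exec label.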
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
new file mode 100644
index 0000000..8a0d523
--- /dev/null
+++ b/sepolicy/private/priv_app.te
@@ -0,0 +1,2 @@
+allow priv_app ota_package_file:dir create_dir_perms;
+
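Review bot: `create_dir_perms` on `ota_package_file:dir` is granted to the whole `priv_app` domain, so every privileged app on the device may create, rename and remove directories in the OTA package location, not only the component that stages updates. No file-class rule accompanies it in this hunk, so the purpose of the directory write access cannot be told from here. If a single updater app needs it, scope the rule to that app's domain or trim it to the permissions seen in the denials. Add a comment naming the consumer, e.g. `# <updater app>: creates its download directory under the OTA package dir`.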
diff --git a/sepolicy/private/rootfs.te b/sepolicy/private/rootfs.te
new file mode 100644
index 0000000..9404006
--- /dev/null
+++ b/sepolicy/private/rootfs.te
@@ -0,0 +1,2 @@
+allow rootfs labeledfs:filesystem associate;
+
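Review bot: This `associate` rule has no comment and its effect is not obvious: it lets objects labeled `rootfs` exist on a `labeledfs` filesystem. The identical rule in sdcardfs.te does the same for `sdcardfs`. Together with the `relabelto` on `rootfs` granted to update_engine later in this commit, it looks intended to let files written during postinstall keep those labels on a real partition, but that is inferred. Files persistently labeled `rootfs` or `sdcardfs` on a labeled filesystem are then covered by every existing rule on those types. Both files should carry a comment stating the operation and the denial being answered, e.g. `# <component>: <operation that needs rootfs-labeled files on labeledfs>`.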
diff --git a/sepolicy/private/sdcardfs.te b/sepolicy/private/sdcardfs.te
new file mode 100644
index 0000000..dc697b0
--- /dev/null
+++ b/sepolicy/private/sdcardfs.te
@@ -0,0 +1,2 @@
+allow sdcardfs labeledfs:filesystem associate;
+
diff --git a/sepolicy/private/shell.te b/sepolicy/private/shell.te
new file mode 100644
index 0000000..4754ffc
--- /dev/null
+++ b/sepolicy/private/shell.te
@@ -0,0 +1 @@
+allow shell otapreopt_chroot_exec:file getattr;
diff --git a/sepolicy/private/update_engine.te b/sepolicy/private/update_engine.te
new file mode 100644
index 0000000..309699a
--- /dev/null
+++ b/sepolicy/private/update_engine.te
@@ -0,0 +1,13 @@
+allow update_engine self:capability { dac_override dac_read_search sys_rawio };
+
+r_dir_file(update_engine, mnt_user_file)
+r_dir_file(update_engine, storage_file)
+
+allow update_engine self:capability { chown fsetid sys_rawio };
+
+allow update_engine labeledfs:filesystem { mount unmount };
+
+allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms;
+allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms;
+allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms;
+allow update_engine { rootfs system_file }:file { relabelfrom relabelto };
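Review bot: The rules granting `create_dir_perms`/`create_file_perms` on `system_file`, `system_data_file` and `rootfs`, together with `relabelfrom relabelto` and `dac_override dac_read_search`, give update_engine write, relabel and DAC-bypass access over most of the system image and /data. That leaves little of the domain's confinement if update_engine is ever compromised. AOSP's domain policy carries neverallow rules against writing or relabeling `system_file`; if they are still present in this tree, these rules would fail the policy build or CTS, which is worth checking. A narrower design would run the backuptool scripts in their own domain, entered by a transition from update_engine, and give the write and relabel access only to that domain. Separately, `sys_rawio` is granted twice and none of the rules is commented; the two capability rules can be merged as `allow update_engine self:capability { chown dac_override dac_read_search fsetid sys_rawio };`, and each group should name the operation that needs it.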
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
new file mode 100644
index 0000000..f4bab81
--- /dev/null
+++ b/sepolicy/sepolicy.mk
@@ -0,0 +1,9 @@
+#
+# This policy configuration will be used by all products that
+# inherit from Omni
+#
+
+BOARD_SEPOLICY_DIRS += \
+    vendor/omni/sepolicy/common
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += vendor/omni/sepolicy/private
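Review bot: `BOARD_SEPOLICY_DIRS` points at `vendor/omni/sepolicy/common`, but the visible part of this commit only creates files under `sepolicy/private`. Unless `common` exists elsewhere in the tree, the entry either contributes nothing or breaks the policy build, depending on the build system version. Drop it until the directory has content, or add the directory in the same commit. Everything under the private directory is compiled into the platform policy, so the broad update_engine rules reach every product that inherits this makefile; the header comment could say so, e.g. `# private/ is merged into the platform policy of every inheriting product`.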