From 90fa911a44139cf7dad56f5b180dbf86df8ee458 Mon Sep 17 00:00:00 2001 From: Xindong Xu Date: Tue, 07 Nov 2017 10:45:50 +0000 Subject: sepolicy: add sepolicy for recovery [1/1] PD# 153611 add sepolicy for recovery Change-Id: I536443a8a0a6484885959766a8df1312fde3366a
---
diff --git a/common/sepolicy/adbd.te b/common/sepolicy/adbd.te
new file mode 100644
index 0000000..01a14f2
--- a/dev/null
+++ b/common/sepolicy/adbd.te
@@ -0,0 +1 @@
+allow adbd ctl_mdnsd_prop:property_service set;
diff --git a/common/sepolicy/charger.te b/common/sepolicy/charger.te
new file mode 100644
index 0000000..92bac53
--- a/dev/null
+++ b/common/sepolicy/charger.te
@@ -0,0 +1,2 @@
+allow charger self:capability2 wake_alarm;
+
diff --git a/common/sepolicy/firmload.te b/common/sepolicy/firmload.te
index e394ffb..7ffa6f3 100644
--- a/common/sepolicy/firmload.te
+++ b/common/sepolicy/firmload.te
@@ -4,7 +4,7 @@ init_daemon_domain(firmload)
 allow firmload drm_device:chr_file { open read write ioctl };
 allow firmload rootfs:lnk_file getattr;
-allow firmload system_data_file:dir { write add_name };
+allow firmload system_data_file:dir { write add_name create write };
 allow firmload system_data_file:file { read open getattr };
 allow firmload sysfs:file { read open getattr };
-allow firmload proc:file { read open getattr };
+allow firmload proc:file { read open getattr };
\ No newline at end of file
diff --git a/common/sepolicy/recovery.te b/common/sepolicy/recovery.te
new file mode 100644
index 0000000..9d309ce
--- a/dev/null
+++ b/common/sepolicy/recovery.te
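Review bot: In the firmload.te hunk the new permission set on `system_data_file:dir` lists `write` twice, and the added `create` lets firmload make directories directly under the generic `system_data_file` label. Writing the rule as `allow firmload system_data_file:dir { write add_name create };` removes the duplicate. The hunk does not show what firmload creates there; if it is a single directory of its own, a dedicated file type for that directory would keep the domain out of the shared label, and a one-line comment should say which path needs it. The last rule in the file also loses its trailing newline in this change.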
@@ -0,0 +1,34 @@
+allow recovery aml_display_prop:property_service set;
+allow recovery input_device:chr_file write;
+allow recovery kmsg_device:chr_file { write open read };
+allow recovery self:netlink_kobject_uevent_socket { create setopt bind read };
+allow recovery sysfs_xbmc:file { read write open };
+allow recovery system_prop:property_service set;
+allow recovery self:capability net_admin;
+
+allow recovery uboot_prop:property_service set;
+allow recovery rootfs:dir create_dir_perms;
+allow recovery sysfs:dir mounton;
+
+allow recovery vfat:dir create_dir_perms;
+allow recovery vfat:file create_file_perms;
+
+allow recovery env_device:chr_file rw_file_perms;
+allow recovery input_device:chr_file write;
+allow recovery property_data_file:dir { search };
+allow recovery device:dir rw_dir_perms;
+allow recovery bootloader_device:chr_file rw_file_perms;
+allow recovery defendkey_device:chr_file rw_file_perms;
+allow recovery dtb_device:chr_file { open read write };
+allow recovery aml_display_prop:property_service set;
+allow recovery recovery:capability { net_admin };
+
+allow recovery aml_display_prop:file {open read getattr};
+allow recovery uboot_prop:file {open read getattr};
+
+allow recovery update_data_file:file rw_file_perms;
+allow recovery update_data_file:dir { search read write open };
+
+allow shell tmpfs:file {open read getattr};
+allow shell sysfs:file {read};
+allow shell rootfs:file {execute_no_trans};
\ No newline at end of file
diff --git a/common/sepolicy/shell.te b/common/sepolicy/shell.te
index 5c3da9a..d1444a2 100644
--- a/common/sepolicy/shell.te
+++ b/common/sepolicy/shell.te
@@ -1,6 +1,5 @@
-allow shell rootfs:file { entrypoint };
+allow shell rootfs:file { entrypoint execute read getattr };
 allow shell sysfs:file { read open getattr };
- allow shell hdcptx_device:chr_file { open read write getattr ioctl };
diff --git a/common/sepolicy/system_app.te b/common/sepolicy/system_app.te
index 1ffe0b0..f570405 100644
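Review bot: Nothing in the new recovery.te is wrapped in `recovery_only(...)`, so if common/sepolicy is also compiled into the normal-boot policy (not visible here), every rule in the file applies outside recovery too, including the three `allow shell ...` rules at the end. AOSP's own recovery.te keeps its rules inside that macro for this reason, and the shell rules belong in shell.te or under the same guard rather than in a file named for another domain. Several rules are repeated and can be dropped: `input_device:chr_file write`, `aml_display_prop:property_service set`, and `self:capability net_admin` versus `recovery:capability { net_admin }`. Broad grants such as `system_prop:property_service set`, `device:dir rw_dir_perms` and `sysfs:dir mounton` each deserve a one-line comment naming the recovery step that needs them.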
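Review bot: Adding `execute` to `shell rootfs:file` in shell.te is not limited to recovery, since no guard is visible in the hunk. The adb shell domain on a normally booted device would gain execute on every file labelled `rootfs`, and with the `execute_no_trans` rule added in recovery.te those files run in the shell domain itself. If this is only needed for the recovery console, move the widened rule under `recovery_only(...)`; otherwise give the specific binaries their own type and grant execute on that. The `- allow shell hdcptx_device...` text at the end of the hunk is ambiguous in this rendering, so confirm against the repository that the hdcptx_device rule is still present.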
--- a/common/sepolicy/system_app.te
+++ b/common/sepolicy/system_app.te
@@ -40,8 +40,9 @@
 #allow system_app pppoe_wrapper_socket:sock_file create;
 #allow system_app pppoe_wrapper_socket:sock_file unlink;
 #allow system_app pppoe_wrapper_socket:file create;
-#allow system_app cache_recovery_file:dir { search read open write add_name remove_name};
-#allow system_app cache_recovery_file:file { create rw_file_perms unlink};
+
+allow system_app cache_recovery_file:dir { search read open write add_name remove_name };
+allow system_app cache_recovery_file:file { create getattr open read write };
 #allow system_app update_engine:binder {call transfer};
 #
-- cgit
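Review bot: Re-enabling these two rules in system_app.te lets every app in the `system_app` domain create and modify files under `cache_recovery_file`, which is presumably where recovery picks up its command and update inputs. The hunk has no comment saying which app needs this; if it is a single updater app, giving that app its own domain would keep the rest of system_app from being able to queue recovery actions. The directory rule still grants `remove_name` while the file rule no longer grants `unlink`, so unless files are renamed there, `remove_name` looks unused and can be dropped. At minimum add a comment above the rules in the form `# <app> writes <file> under the cache recovery directory for <purpose>`.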