From de84e45d7e6f9dbd6ba8bfaf592130751d2ea853 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 7 Nov 2014 12:04:45 -0800
Subject: Allow recovery to create device nodes and modify rootfs

tilapia's OTA code for updating the radio image needs to create files on rootfs and create a character device in /dev. Allow it.

Bug: 18281224
Change-Id: Ic408c2b28e16a40650f71efe2f17fb0c2e71f97f
---
 BoardConfigCommon.mk | 1 +
 sepolicy/recovery.te | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 sepolicy/recovery.te

diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 27924d0..115844d 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -96,6 +96,7 @@ BOARD_SEPOLICY_UNION += \
 keystore.te \
 lmkd.te \
 mediaserver.te \
+ recovery.te \
 rild.te \
 sensors_config.te \
 surfaceflinger.te \
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..6f20993
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,11 @@
+recovery_only(`
+ allow recovery ctl_rildaemon_prop:property_service set;
+ allow recovery device:dir rw_dir_perms;
+ allow recovery rootfs:dir rw_dir_perms;
+ allow recovery rootfs:file create_file_perms;
+ allow recovery sysfs_devices_system_cpu:file rw_file_perms;
+ allow recovery self:capability mknod;
+ allow recovery usbfs:dir rw_dir_perms;
+ allow recovery device:chr_file create_file_perms;
+')
+
--
cgit v1.2.3
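Review bot: In the new sepolicy/recovery.te, `allow recovery device:chr_file create_file_perms;` combined with `allow recovery self:capability mknod;` is written against the generic `device` type, so recovery may create and open any character node that ends up with the default /dev label, not only the one the radio updater needs. If the updater's node path is fixed, a dedicated type (placeholder `<radio_update_device>`) plus a `type_transition` from `device` would keep the grant at what the commit message describes; whether that is practical depends on how the OTA binary creates the node, which this patch does not show. The same applies to `rootfs:file create_file_perms`, which covers every unlabelled file on the ramdisk. Three rules (`ctl_rildaemon_prop:property_service set`, `sysfs_devices_system_cpu:file rw_file_perms`, `usbfs:dir rw_dir_perms`) are not explained by the description at all, so each group should carry a short `#` comment naming the updater step that needs it, for example `# radio OTA: writes scratch files on rootfs and mknods its char device in /dev (Bug: 18281224)`. The `recovery_only(` wrapper presumably confines these rules to the recovery image's policy, which is worth stating in a header comment so later audits do not read them as normal-boot grants.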