authorJeff Vander Stoep <jeffv@google.com>2015-09-29 09:46:03 -0700
committerThe Android Automerger <android-build@google.com>2015-09-29 16:02:47 -0700
commita5b68cb7a2c1f74a38077e53e6f87d48914d1247 (patch)
treeb69955a8ad28c72db36735a41222a108a6a70a2d
parentfc16233e96f926bbb13d896bb36b1df3777c3328 (diff)
selinux: grant rx perms to toolbox_exec where needed
AOSP commit a3c97a7660ba ("Only allow toolbox exec where /system exec was already allowed.") removed domain's rx perms to toolbox_exec. This breaks a number of domains on bullhead. Restore rx perms for toolbox_exec where needed. Bug: 24341811 Change-Id: I991c66a9746a4b29f454cb7a1b5e7ba1180ed94f
-rw-r--r--sepolicy/bullhead-sh.te3
-rw-r--r--sepolicy/init-power-sh.te3
-rw-r--r--sepolicy/netmgrd.te2
3 files changed, 8 insertions, 0 deletions
diff --git a/sepolicy/bullhead-sh.te b/sepolicy/bullhead-sh.te
index 41a10db..5f21eb9 100644
--- a/sepolicy/bullhead-sh.te
+++ b/sepolicy/bullhead-sh.te
@@ -16,3 +16,6 @@ allow bullhead-sh firmware_file:file r_file_perms;
allow bullhead-sh firmware_file:dir r_dir_perms;
allow bullhead-sh shell_exec:file r_file_perms;
+
+# execute toybox/toolbox
+allow bullhead-sh toolbox_exec:file rx_file_perms;
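Review bot: The new `# execute toybox/toolbox` comment records what the rule grants but not why this domain needs it, which is the information the AOSP change a3c97a7660ba was narrowing on; the same applies to the init-power-sh and netmgrd hunks. Since rx_file_perms lets the toolbox binaries run inside the caller's own domain rather than through a transition, a later audit can only decide whether the rule is still needed if it knows which script or daemon call site depends on it. Suggest extending the comment to something like `# execute toybox/toolbox: <SCRIPT-OR-CALLER-TBD> shells out to toolbox commands (bug 24341811)`, filling in the caller for each of the three domains. Whether each domain only needs a subset of those commands cannot be told from the hunk, so the comment should name what is actually known rather than guess.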
diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
index 2c8aa63..03308f4 100644
--- a/sepolicy/init-power-sh.te
+++ b/sepolicy/init-power-sh.te
@@ -18,3 +18,6 @@ allow init-power-sh sysfs_power_management:file w_file_perms;
# and symlinks to sysfs_devices_system_cpu
allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
+
+# execute toybox/toolbox
+allow init-power-sh toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 5349e89..3da9fba 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -57,3 +57,5 @@ allow netmgrd kernel:system module_request;
# talk to cnd
unix_socket_connect(netmgrd, cnd, cnd)
+# execute toybox/toolbox
+allow netmgrd toolbox_exec:file rx_file_perms;
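Review bot: The netmgrd hunk omits the blank line that the other two hunks add before the new stanza, so `# execute toybox/toolbox` lands directly under `unix_socket_connect(netmgrd, cnd, cnd)` and reads as part of the "talk to cnd" group; add an empty line before the comment to match the bullhead-sh and init-power-sh changes. Separately, netmgrd is a native daemon rather than a shell-script domain like the other two, so it is worth confirming in the comment that netmgrd itself invokes toolbox binaries (and not a helper that could carry its own domain), since rx_file_perms runs them with netmgrd's full privileges.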