Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/file_contexts | 3 | ||||
-rw-r--r-- | sepolicy/property.te | 3 | ||||
-rw-r--r-- | sepolicy/property_contexts | 2 | ||||
-rw-r--r-- | sepolicy/variant_setup.te | 21 |
4 files changed, 29 insertions, 0 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 2161cde..960bc88 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -44,3 +44,6 @@
 # Firmwares
 /system/vendor/firmware/ducati-m3.bin u:object_r:firmware_ducati:s0
+
+# variant setup
+/system/bin/init\.espresso\.variant\.sh u:object_r:variant_setup_exec:s0
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..a6ba71b
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,3 @@
+# hwrotation prop need a own type to be set on init.espreso.variants.sh,
+# else it would conflict with a neverallow rule
+type rotation_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..69ad081
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,2 @@
+# label hwrotation prop to set it on init.espreso.variants.sh
+sf.hwrotation u:object_r:rotation_prop:s0
diff --git a/sepolicy/variant_setup.te b/sepolicy/variant_setup.te
new file mode 100644
index 0000000..b4072ca
--- /dev/null
+++ b/sepolicy/variant_setup.te
@@ -0,0 +1,21 @@
+# Variant-Setup script (init.espresso.variant.sh)
+type variant_setup, domain;
+type variant_setup_exec, exec_type, file_type;
+
+init_daemon_domain(variant_setup)
+
+# Run init.espresso.variant.sh
+allow variant_setup shell_exec:file rx_file_perms;
+allow variant_setup variant_setup_exec:file rx_file_perms;
+
+# Talk to init over the property socket
+unix_socket_connect(variant_setup, property, init)
+
+# Allow getprop/setprop for init.espresso.variant.sh
+allow variant_setup system_file:file execute_no_trans;
+allow variant_setup rotation_prop:property_service set;
+
+# Set accelerometer and geomagnetic position via sysfs
+allow variant_setup sysfs:file write;
+
+allow variant_setup self:capability dac_override;
|
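Review bot: The comment in property.te names the script `init.espreso.variants.sh`, while file_contexts and variant_setup.te in this same commit call it `init.espresso.variant.sh`; the property_contexts comment carries the same misspelling. The comment also does not say which neverallow rule is meant, so a later maintainer cannot tell why the dedicated type is required or when it could be dropped. Suggested wording: `# sf.hwrotation gets its own type so init.espresso.variant.sh can set it; <name the neverallow rule that forbids the alternative>`.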
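Review bot: `allow variant_setup sysfs:file write;` in variant_setup.te grants write on every file carrying the generic `sysfs` label, not only the accelerometer and geomagnetic position nodes the comment names, so a mistake in the script can reach unrelated kernel tunables. A dedicated type would keep the domain to least privilege, e.g. `type sysfs_variant_sensor, fs_type, sysfs_type;` (name constructed for this note), labelled in file_contexts at `<sysfs path of the position nodes>`, with the rule narrowed to `allow variant_setup sysfs_variant_sensor:file w_file_perms;`. The final line, `allow variant_setup self:capability dac_override;`, has no comment explaining why it is needed. If it exists only because those sysfs nodes are not writable by the domain's user, a chown/chmod of the nodes from the init script would avoid a capability that bypasses all DAC permission checks.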