cm: sepolicy: Add contexts for cm recovery

 * Allow setup of secure adb (setup_adbd)

 * minivold in recovery

Change-Id: Id1243154f4016b59e54890404cadea46a2aad212

4 files changed, 14 insertions, 0 deletions

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7d7a2b4..902831b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -6,6 +6,9 @@
 
 /system/bin/sysinit       u:object_r:sysinit_exec:s0
 
+# For minivold in recovery
+/sbin/minivold            u:object_r:vold_exec:s0
+
 #############################
 # performance-related sysfs files (CM)
 /sys/kernel/mm/ksm(/.*)?       --          u:object_r:sysfs_writable:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..06bef3f
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,8 @@
+# Secure adb (setup_adbd)
+allow adbd adb_keys_file:dir search;
+allow recovery adb_keys_file:file r_file_perms;
+allow recovery shell_prop:property_service set;
+
+# Recovery dialogs
+unix_socket_connect(recovery, vold, vold)
+allow recovery tmpfs:sock_file create_file_perms;
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
index 9998bf4..ee217ff 100644
--- a/sepolicy/sepolicy.mk
+++ b/sepolicy/sepolicy.mk
@@ -16,6 +16,7 @@ BOARD_SEPOLICY_UNION += \
     healthd.te \
     installd.te \
     netd.te \
+    recovery.te \
     su.te \
     sysinit.te \
     system.te \
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index ae52a5f..241f191 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,3 +1,5 @@
+domain_trans(init, rootfs, vold)
+
 # Allow vold to manage ASEC
 allow vold sdcard_external:file create_file_perms;