sepolicy: Split off /cache/recovery's permissions
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
Conflicts:
sepolicy/recovery.te
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 242a18e..6cbf0ef 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -5,3 +5,6 @@
# Performance settings
type sysfs_devices_system_iosched, file_type, sysfs_type;
+
+# Recovery's "cache"
+type recovery_cache_file, file_type, mlstrustedobject;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 093df76..7e6713d 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,5 +1,7 @@
/cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/cache/recovery(/.*)? u:object_r:recovery_cache_file:s0
+
# Auditd is a logging daemon. Put it into logd's context
/system/bin/auditd u:object_r:logd_exec:s0
/data/misc/audit(/.*)? u:object_r:auditd_log:s0
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 6c0e059..b843de8 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,3 +1,7 @@
# For performance settings
allow system_app sysfs_devices_system_cpu:file rw_file_perms;
allow system_app sysfs_devices_system_iosched:file rw_file_perms;
+
+# For the updaters
+allow system_app recovery_cache_file:dir {add_name rw_file_perms};
+allow system_app recovery_cache_file:file {create rw_file_perms};