Merge changes from topic "sepolicy-genesis" into p9.0
* changes:
bliss: sepolicy: update_engine neverallows
vendor: sepolicy fix build
bliss: add syslog_read perms for matlog
sepolicy: allow settings to read selinux status
sepolicy: Fix init denials
vendor sepolicy genesis v2
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
new file mode 100644
index 0000000..d01594e
--- /dev/null
+++ b/sepolicy/private/file.te
@@ -0,0 +1,2 @@
+type sysfs_block_scheduler, fs_type, sysfs_type;
+
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..b62ada7
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1,7 @@
+# Postinstall
+/system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
+/system/bin/backuptool_ab\.sh u:object_r:otapreopt_chroot_exec:s0
+/system/bin/backuptool_postinstall\.sh u:object_r:otapreopt_chroot_exec:s0
+
+# Set disk scheduler via init
+/sys/block/[^/]+/queue/scheduler u:object_r:sysfs_block_scheduler:s0
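Review bot: The three `# Postinstall` entries label custom shell scripts with the AOSP `otapreopt_chroot_exec` type, so whatever executes them inherits the whole otapreopt_chroot domain, including the `system_file:dir mounton` added in otapreopt_chroot.te and the `rx_file_perms` granted to update_engine in update_engine.te, and any future base-policy change to that domain silently applies to these scripts too. A dedicated exec type declared in file.te (a constructed example: `type backuptool_exec, exec_type, file_type;`) with these three entries relabeled to it and the otapreopt_chroot/update_engine rules scoped to that type would keep the grant to exactly what backuptool needs; whether the base policy's transition from the postinstall path covers a new type has to be checked against the tree. The scheduler entry matches the `sysfs_block_scheduler` type declared in file.te and reads fine.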
diff --git a/sepolicy/private/hal_bootctl.te b/sepolicy/private/hal_bootctl.te
new file mode 100644
index 0000000..0b8be88
--- /dev/null
+++ b/sepolicy/private/hal_bootctl.te
@@ -0,0 +1,2 @@
+allow hal_bootctl self:capability sys_admin;
+
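Review bot: `allow hal_bootctl self:capability sys_admin;` grants one of the broadest capabilities in the policy without recording which operation needs it, so the next maintainer cannot tell whether it is still required. Add a comment naming the denial it resolves, e.g. `# CAP_SYS_ADMIN: required for <operation — from the avc denial> on the boot-control device`, with the real operation filled in from the logged denial. If the gated operation is one the kernel checks against CAP_SYS_ADMIN the capability is unavoidable, but the rule should say so rather than leave it looking like a blanket grant.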
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
new file mode 100644
index 0000000..3491baf
--- /dev/null
+++ b/sepolicy/private/init.te
@@ -0,0 +1,7 @@
+# Set disk scheduler in init.local.rc
+allow init sysfs_block_scheduler:file { open setattr write };
+
+# Mount debugfs in init.local.rc
+userdebug_or_eng(`
+ allow init debugfs:dir mounton;
+')
diff --git a/sepolicy/private/otapreopt_chroot.te b/sepolicy/private/otapreopt_chroot.te
new file mode 100644
index 0000000..d733f14
--- /dev/null
+++ b/sepolicy/private/otapreopt_chroot.te
@@ -0,0 +1,2 @@
+allow otapreopt_chroot postinstall_file:lnk_file read;
+allow otapreopt_chroot system_file:dir mounton;
diff --git a/sepolicy/private/platform_app.te b/sepolicy/private/platform_app.te
new file mode 100644
index 0000000..7652ae9
--- /dev/null
+++ b/sepolicy/private/platform_app.te
@@ -0,0 +1 @@
+allow platform_app kernel:system syslog_read;
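Review bot: `allow platform_app kernel:system syslog_read;` hands every platform-signed app read access to the kernel ring buffer, not just the log viewer the topic names ("add syslog_read perms for matlog"); the same grant is repeated for priv_app in priv_app.te and for shell in shell.te. Kernel log output routinely carries kernel addresses, driver state and crash traces that dmesg restrictions exist to keep away from ordinary userspace, so the exposure scales with every app in these domains. Scoping the rule to a dedicated app domain via seapp_contexts, or at least wrapping it in `userdebug_or_eng(` ... `')` so user builds keep the restriction, would limit that; if the base policy has a neverallow on syslog_read for app domains it is being relaxed somewhere not visible in this diff, which the rule's comment should reference.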
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
new file mode 100644
index 0000000..423003d
--- /dev/null
+++ b/sepolicy/private/priv_app.te
@@ -0,0 +1,2 @@
+allow priv_app ota_package_file:dir create_dir_perms;
+allow priv_app kernel:system syslog_read;
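Review bot: `allow priv_app ota_package_file:dir create_dir_perms;` lets any privileged app create, rename, reparent and remove directories in the OTA package staging area that update_engine consumes, whereas presumably a single updater app is the intended writer. If the base policy already grants priv_app `rw_dir_perms` here, the delta is `create`, `rmdir`, `reparent` and `setattr`, and a comment should name which of those the updater actually hit (`# <updater app> manages its own payload directories under /data/ota_package`) so the rest can be dropped. Since create_dir_perms covers only the dir class, the writer presumably needs matching `ota_package_file:file` rules that are not in this hunk; confirm they exist rather than widen this one later.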
diff --git a/sepolicy/private/rootfs.te b/sepolicy/private/rootfs.te
new file mode 100644
index 0000000..9404006
--- /dev/null
+++ b/sepolicy/private/rootfs.te
@@ -0,0 +1,2 @@
+allow rootfs labeledfs:filesystem associate;
+
diff --git a/sepolicy/private/sdcardfs.te b/sepolicy/private/sdcardfs.te
new file mode 100644
index 0000000..dc697b0
--- /dev/null
+++ b/sepolicy/private/sdcardfs.te
@@ -0,0 +1,2 @@
+allow sdcardfs labeledfs:filesystem associate;
+
diff --git a/sepolicy/private/shell.te b/sepolicy/private/shell.te
new file mode 100644
index 0000000..b9d6dcf
--- /dev/null
+++ b/sepolicy/private/shell.te
@@ -0,0 +1,2 @@
+allow shell otapreopt_chroot_exec:file getattr;
+allow shell kernel:system syslog_read;
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
new file mode 100644
index 0000000..08e4db4
--- /dev/null
+++ b/sepolicy/private/system_app.te
@@ -0,0 +1,4 @@
+#selinux status
+allow system_app selinuxfs:file r_file_perms;
+
+
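Review bot: `allow system_app selinuxfs:file r_file_perms;` is broader than the `#selinux status` comment suggests — it covers reading every file under /sys/fs/selinux, not only `enforce`. If the base policy's te_macros still provides `selinux_getenforce`, `selinux_getenforce(system_app)` documents the intent better than a raw rule, and if the base policy already grants this to `domain` the line is redundant; otherwise make the comment concrete: `# Settings reads /sys/fs/selinux/enforce to show SELinux status`. The hunk also ends with two blank lines that should be removed.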
diff --git a/sepolicy/private/update_engine.te b/sepolicy/private/update_engine.te
new file mode 100644
index 0000000..d2ddcbe
--- /dev/null
+++ b/sepolicy/private/update_engine.te
@@ -0,0 +1,21 @@
+r_dir_file(update_engine, mnt_user_file)
+r_dir_file(update_engine, storage_file)
+
+allow update_engine self:capability { chown fsetid };
+
+allow update_engine labeledfs:filesystem { mount unmount };
+
+allow update_engine { otapreopt_chroot_exec toolbox_exec }:file rx_file_perms;
+
+allow update_engine labeledfs:filesystem mount;
+allow update_engine rootfs:file { create setattr write rx_file_perms unlink relabelfrom rename };
+allow update_engine rootfs:dir { create write open add_name read rmdir remove_name };
+
+allow update_engine system_data_file:file { create read write open unlink };
+allow update_engine system_data_file:dir { create write add_name read remove_name unlink };
+
+allow update_engine system_file:file { create setattr write relabelto relabelfrom rx_file_perms unlink };
+allow update_engine system_file:dir { create setattr write rmdir remove_name add_name };
+
+allow update_engine storage_file:lnk_file read;
+allow update_engine toolbox_exec:file { execute getattr };
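Review bot: Two rules are redundant: `allow update_engine labeledfs:filesystem mount;` repeats the `{ mount unmount }` grant four lines earlier, and the last line `allow update_engine toolbox_exec:file { execute getattr };` is a subset of the `rx_file_perms` already granted to `{ otapreopt_chroot_exec toolbox_exec }`. More significantly, the create/write/relabel/unlink grants on `system_file` and `rootfs` turn update_engine into a writer of the normally read-only system partition; the topic's "update_engine neverallows" change that presumably relaxes the base neverallows is not in this diff, so each of these rules should carry a comment naming the postinstall step (backuptool) that needs it, and any write-level permission that step does not exercise should be dropped. `unlink` in the `system_data_file:dir` rule is dead for a directory — the kernel checks `rmdir` on the directory and `remove_name` on its parent — so it can be removed.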
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
new file mode 100644
index 0000000..e806594
--- /dev/null
+++ b/sepolicy/sepolicy.mk
@@ -0,0 +1,9 @@
+#
+# This policy configuration will be used by all products that
+# inherit from Bliss
+#
+
+BOARD_SEPOLICY_DIRS += \
+ vendor/bliss/sepolicy/common
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += vendor/bliss/sepolicy/private
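Review bot: `BOARD_SEPOLICY_DIRS += vendor/bliss/sepolicy/common` references a directory this change does not create — every policy file in the diff lives under `sepolicy/private` — so unless `sepolicy/common` already exists in the tree the line either picks up nothing (if the build wildcards it) or breaks the build. Either add the directory in the same change or drop the line until vendor-side policy lands. Also, if the build in this branch treats `BOARD_PLAT_PRIVATE_SEPOLICY_DIR` as a single path, `+=` only works while nothing else sets it; a comment stating that assumption (`# must be the only definer of BOARD_PLAT_PRIVATE_SEPOLICY_DIR on this branch`) would save the next person a confusing policy-build failure.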