sepolicy: Split off /cache/recovery's permissions
/cache/recovery is used by 2 domains: recovery and updater apps. Separate
its perms from the rest of /cache and grant them to those 2 clients
Change-Id: Iacde60744c07423f9876c2f8e3da900543e38ddf
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 44f9478..d44a050 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -8,3 +8,6 @@
# Performance settings
type sysfs_devices_system_iosched, file_type, sysfs_type;
+
+# Recovery's "cache"
+type recovery_cache_file, file_type, mlstrustedobject;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7ca945a..7999ccd 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,5 +1,7 @@
/cache/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/cache/recovery(/.*)? u:object_r:recovery_cache_file:s0
+
# Auditd is a logging daemon. Put it into logd's context
/system/bin/auditd u:object_r:logd_exec:s0
/data/misc/audit(/.*)? u:object_r:auditd_log:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index af76917..4446bba 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -35,4 +35,8 @@
allow recovery install_data_file:file create_file_perms;
allow recovery system_data_file:file create;
+# /cache/recovery things: command and logs
+allow recovery recovery_cache_file:dir create_dir_perms;
+allow recovery recovery_cache_file:file create_file_perms;
+
')
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 6c0e059..b843de8 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,3 +1,7 @@
# For performance settings
allow system_app sysfs_devices_system_cpu:file rw_file_perms;
allow system_app sysfs_devices_system_iosched:file rw_file_perms;
+
+# For the updaters
+allow system_app recovery_cache_file:dir {add_name rw_file_perms};
+allow system_app recovery_cache_file:file {create rw_file_perms};