sepolicy: Permissions for userinit

Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7999ccd..4f82c38 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -12,6 +12,7 @@
 /system/bin/sysinit       u:object_r:sysinit_exec:s0
 
 /system/etc/init.d/90userinit           u:object_r:userinit_exec:s0
+/data/local/userinit.sh                 u:object_r:userinit_data_exec:s0
 
 # For minivold in recovery
 /sbin/minivold            u:object_r:vold_exec:s0
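Review bot: The path on the added line is a regular expression, so the unescaped `.` in `userinit.sh` matches any single character there; it should read `/data/local/userinit\.sh                u:object_r:userinit_data_exec:s0`. A one-line comment above it, such as `# Optional user boot script under /data, read by sysinit`, would explain why a file under /data gets an exec-style label. The label is only applied when the file is relabelled (e.g. restorecon), which is presumably what the `relabelto` grant in sysinit.te is for.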
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
index dea539e..6fd0b85 100644
--- a/sepolicy/sysinit.te
+++ b/sepolicy/sysinit.te
@@ -9,3 +9,13 @@
 allow sysinit system_file:file { rx_file_perms };
 allow sysinit self:process setcurrent;
 
+userdebug_or_eng(`
+    allow sysinit userinit_data_exec:file { r_file_perms relabelto };
+    allow sysinit property_socket:sock_file write;
+    allow sysinit init:unix_stream_socket connectto;
+    allow sysinit userinit_prop:property_service set;
+    allow sysinit sysfs:file rw_file_perms;
+    allow sysinit sysfs_devices_system_cpu:file write;
+    allow sysinit self:capability dac_override;
+    allow sysinit userinit_exec:file { rx_file_perms };
+')
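Review bot: `allow sysinit self:capability dac_override;` and `allow sysinit sysfs:file rw_file_perms;` inside the new block are far broader than running one script needs, and they apply to whatever `/data/local/userinit.sh` contains, since that file is interpreted in the sysinit domain. Prefer fixing ownership or mode on the files involved instead of bypassing DAC, and grant write only on specifically labelled sysfs types (as the `sysfs_devices_system_cpu` line already does) rather than on generic `sysfs`. If both must stay, add a comment per rule naming the denial it resolves, e.g. `# needed for <path>: avc denied { dac_override }`. The `relabelto` on `userinit_data_exec` has no matching `relabelfrom` on the file's previous type in this hunk, so the relabel may still be denied unless that is granted elsewhere. If this tree's te_macros provides it, `set_prop(sysinit, userinit_prop)` can replace the three property rules.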
diff --git a/sepolicy/userinit.te b/sepolicy/userinit.te
index caddb08..7407287 100644
--- a/sepolicy/userinit.te
+++ b/sepolicy/userinit.te
@@ -1,3 +1,4 @@
 type userinit_exec, exec_type, file_type;
+type userinit_data_exec, file_type;
 
 allow userinit_exec userinit_prop:property_service set;
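Review bot: The new type labels a file under /data but is declared with `file_type` only; by the usual policy convention it should also carry the data attribute, `type userinit_data_exec, file_type, data_file_type;`. Without it, rules and neverallow checks written against `data_file_type` will not cover this file. A short comment on the declaration, such as `# /data/local/userinit.sh: user-provided script read by sysinit (userdebug/eng only)`, would record that the content comes from the writable data partition, unlike `userinit_exec`.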