Add sepolicy for init-firstboot

init-firstboot loops waiting for the USB cable to be removed (using
sysfs), then shuts down the device with sys.powerctl.

Bug: 110896488
Change-Id: If390360738763c1c310816276e055cd79464b8f9
(cherry picked from commit 5fabb99c1bc9edfac99b3e5b010be5e80410c580)

2 files changed, 16 insertions, 0 deletions

diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index c68a73e..0652f30 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -12,6 +12,7 @@
 /vendor/bin/hw/wait_for_strongbox                                           u:object_r:wait_for_strongbox_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.0-service-disabled      u:object_r:hal_secure_element_default_exec:s0
 /vendor/bin/hw/android\.hardware\.power@1\.3-service\.crosshatch-libperfmgr u:object_r:hal_power_default_exec:s0
+/vendor/bin/init\.firstboot\.sh                                             u:object_r:init-firstboot_exec:s0
 /vendor/bin/ramoops                                                         u:object_r:ramoops_exec:s0
 /vendor/bin/init\.ramoops\.sh                                               u:object_r:ramoops_exec:s0
 /vendor/bin/pixelstats-vendor                                               u:object_r:pixelstats_vendor_exec:s0
diff --git a/vendor/google/init-firstboot.te b/vendor/google/init-firstboot.te
new file mode 100644
index 0000000..7ca7168
--- /dev/null
+++ b/vendor/google/init-firstboot.te
@@ -0,0 +1,15 @@
+type init-firstboot, domain;
+type init-firstboot_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-firstboot)
+
+allow init-firstboot vendor_shell_exec:file rx_file_perms;
+allow init-firstboot vendor_toolbox_exec:file rx_file_perms;
+
+# Read USB connection state
+allow init-firstboot sysfs_msm_subsys:dir search;
+r_dir_file(init-firstboot, sysfs_batteryinfo)
+
+# Set property to trigger a shutdown
+set_prop(init-firstboot, powerctl_prop)
+