lettuce: Update permissions for prebundled-apps

Change-Id: Iaee1592f620e2dd611b6470a3fceb5a58cbcfbfe

4 files changed, 19 insertions, 0 deletions

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index e1ec53b..cf39b6f 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -5,3 +5,6 @@
 /system/etc/init\.qcom\.bt\.sh                  u:object_r:bluetooth_loader_exec:s0
 
 /dev/smd3                                       u:object_r:hci_attach_dev:s0
+
+# Prebundled app installer
+/system/vendor/bin/install-apps                 u:object_r:prebundle_installer_exec:s0
diff --git a/sepolicy/prebundle_installer.te b/sepolicy/prebundle_installer.te
new file mode 100644
index 0000000..d554879
--- /dev/null
+++ b/sepolicy/prebundle_installer.te
@@ -0,0 +1,14 @@
+type prebundle_installer, domain;
+type prebundle_installer_exec, exec_type, file_type;
+init_daemon_domain(prebundle_installer)
+
+unix_socket_connect(prebundle_installer, property, init)
+allow prebundle_installer prebundle_prop:property_service set;
+
+# transition to shell when running script
+domain_auto_trans(prebundle_installer, shell_exec, shell);
+allow prebundle_installer shell_exec:file entrypoint;
+allow shell prebundle_installer:fd use;
+
+# Needed for toolbox, pm
+allow prebundle_installer system_file:file execute_no_trans;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..e1a87a4
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type prebundle_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index bb6cb2e..3e19b5c 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,2 +1,3 @@
+persist.sys.prebundle.           u:object_r:prebundle_prop:s0
 qualcomm.bluetooth.              u:object_r:bluetooth_prop:s0
 qualcomm.bt.                     u:object_r:bluetooth_prop:s0