authorYongqin Liu <yongqin.liu@linaro.org>2015-10-22 14:35:33 +0100
committerYongqin Liu <yongqin.liu@linaro.org>2015-10-22 14:38:02 +0100
commit7ac0af23eb99825cee0e79f30f201c78063efe8a (patch)
tree1659f563499fd7c6fb480f096a50ce2fdaf4d25c
parentbca322e6a71240259a9f95a5125b202237edd84d (diff)
downloadcommon-7ac0af23eb99825cee0e79f30f201c78063efe8a.tar.gz
sepolicy: add policies for scripts started in init for TC2
Since Marshmallow has stricter SELinux checks, we need the rules added here. Add the linaro and linaro_exec domains for such scripts. Change-Id: I073e7ea37a541e5376962702f2f2ad39e67a5259 Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/init.te4
-rw-r--r--sepolicy/linaro.te9
3 files changed, 14 insertions, 0 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 19ea0d4..9de3217 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -6,3 +6,4 @@
/dev/mali u:object_r:gpu_device:s0
/dev/dri/card0 u:object_r:gpu_device:s0
/dev/hci_tty u:object_r:hci_attach_dev:s0
+/system/bin/faketsd u:object_r:linaro_exec:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5bb167a..0b93bc1 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,6 +1,7 @@
userdebug_or_eng(`
allow init su:process { transition dyntransition rlimitinh siginh };
')
+
allow init self:capability { sys_module };
allow init self:tcp_socket create;
allow init gatord:process { transition rlimitinh siginh };
@@ -9,3 +10,6 @@ allow init kernel:system module_request;
allow init tmpfs:lnk_file create_file_perms;
allow init cache_file:dir mounton;
allow init storage_file:dir mounton;
+allow init debugfs:dir mounton;
+domain_trans(init, rootfs, linaro)
+domain_trans(init, linaro_exec, linaro)
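Review bot: `domain_trans(init, rootfs, linaro)` makes every rootfs-labeled executable that init runs transition into the linaro domain, which is far broader than the single `/system/bin/faketsd` binary this commit labels as `linaro_exec`; the two transition rules on the last two lines of the hunk overlap, and nothing in the hunk says which scripts still live on rootfs and need the wide rule. If the rootfs transition is a stopgap for scripts that are not yet labeled, a comment stating that would let a later reviewer drop it, e.g. `# TODO: label remaining TC2 init scripts linaro_exec and drop the rootfs transition`. The added `allow init debugfs:dir mounton;` is unrelated to the linaro domain and would read better with its own one-line comment naming the mount it serves.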
diff --git a/sepolicy/linaro.te b/sepolicy/linaro.te
new file mode 100644
index 0000000..7ed01fa
--- /dev/null
+++ b/sepolicy/linaro.te
@@ -0,0 +1,9 @@
+type linaro, domain, mlstrustedsubject;
+type linaro_exec, exec_type, file_type;
+
+allow linaro sysfs:file write;
+allow linaro proc:file write;
+allow linaro system_file:file execute_no_trans;
+allow linaro shell_exec:file rx_file_perms;
+
+permissive linaro;
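Review bot: `permissive linaro;` on the last line means denials for this domain are only logged, never enforced, so the allow rules above it are not validated by the very scripts they were written for and the domain effectively runs unconfined on a user build as well. The file should state this is temporary and when it is meant to go, e.g. `# TODO: remove once the TC2 init scripts run without denials in the audit log`, and the permissive line should be dropped at that point. Two of the allow rules also look incomplete for what the commit message describes: `allow linaro sysfs:file write;` and `allow linaro proc:file write;` grant `write` without `open`, so a script that opens a sysfs or proc node for writing would presumably still be denied once the domain is enforcing; the `w_file_perms` macro is the usual form if that is the intent, but confirm against the actual denials. Finally, `mlstrustedsubject` on the type declaration exempts the domain from MLS constraints, and the hunk gives no reason it is needed; a comment justifying it, or removing the attribute, would help.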