Merge "Add recovery related policy" into udc-d1-dev

legacy/whitechapel_pro/device.te

@@ -1,4 +1,3 @@
-type sda_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
@@ -6,4 +5,3 @@ type rls_device, dev_type;
 
 # Raw HID device
 type hidraw_device, dev_type;
-

legacy/whitechapel_pro/file_contexts

@@ -34,7 +34,6 @@
 /dev/st21nfc                                                                u:object_r:nfc_device:s0
 /dev/sys/block/bootdevice(/.*)?                                             u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre                                                            u:object_r:chre_socket:s0
-/dev/block/sda                                                              u:object_r:sda_block_device:s0
 
 # Data
 /data/vendor/ss(/.*)?                                                       u:object_r:tee_data_file:s0

tracking_denials/recovery.te

@@ -1,4 +0,0 @@
-# b/264490092
-userdebug_or_eng(`
-  permissive recovery;
-')

vendor/device.te

@@ -16,3 +16,6 @@ type video_secure_heap_device, dmabuf_heap_device_type, dev_type;
 
 # SecureElement SPI device
 type st54spi_device, dev_type;
+
+# OTA
+type sda_block_device, dev_type;

vendor/file_contexts

@@ -44,6 +44,7 @@
 # Devices
 /dev/bbd_pwrstat                                                            u:object_r:power_stats_device:s0
 /dev/edgetpu-soc                                                            u:object_r:edgetpu_device:s0
+/dev/block/sda                                                              u:object_r:sda_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/persist                           u:object_r:persist_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs                               u:object_r:efs_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs_backup                        u:object_r:efs_block_device:s0

vendor/recovery.te

@@ -0,0 +1,9 @@
+recovery_only(`
+  allow recovery sysfs_ota:file rw_file_perms;
+  allow recovery citadel_device:chr_file rw_file_perms;
+  allow recovery st54spi_device:chr_file rw_file_perms;
+  allow recovery tee_device:chr_file rw_file_perms;
+  allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+  allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+  set_prop(recovery, boottime_prop)
+')