From c2eedff70c0a7d0de8d8078a434ed54b55848150 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 11 Apr 2023 23:57:19 +0800
Subject: [PATCH] Add recovery related policy

Fix: 275143841
Fix: 264490092
Test: adb sideload and no avc error
Change-Id: I52003c9417560a6c5dab815a6929681710f0b0a4
---
 legacy/whitechapel_pro/device.te | 2 --
 legacy/whitechapel_pro/file_contexts | 1 -
 tracking_denials/recovery.te | 4 ----
 vendor/device.te | 3 +++
 vendor/file_contexts | 1 +
 vendor/recovery.te | 9 +++++++++
 6 files changed, 13 insertions(+), 7 deletions(-)
 delete mode 100644 tracking_denials/recovery.te
 create mode 100644 vendor/recovery.te

diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index c45efc25..bf6f21ca 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -1,4 +1,3 @@
-type sda_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
@@ -6,4 +5,3 @@ type rls_device, dev_type;
 # Raw HID device
 type hidraw_device, dev_type;
-
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index ea564edb..21451224 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -34,7 +34,6 @@
 /dev/st21nfc u:object_r:nfc_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
-/dev/block/sda u:object_r:sda_block_device:s0
 # Data
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
diff --git a/tracking_denials/recovery.te b/tracking_denials/recovery.te
deleted file mode 100644
index bd399227..00000000
--- a/tracking_denials/recovery.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264490092
-userdebug_or_eng(`
- permissive recovery;
-')
\ No newline at end of file
diff --git a/vendor/device.te b/vendor/device.te
index 50510d66..7acd0031 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -16,3 +16,6 @@ type video_secure_heap_device, dmabuf_heap_device_type, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
+
+# OTA
+type sda_block_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a4145c47..7b271aae 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -44,6 +44,7 @@
 # Devices
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/edgetpu-soc u:object_r:edgetpu_device:s0
+/dev/block/sda u:object_r:sda_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
diff --git a/vendor/recovery.te b/vendor/recovery.te
new file mode 100644
index 00000000..1aec48a5
--- /dev/null
+++ b/vendor/recovery.te
@@ -0,0 +1,9 @@
+recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery citadel_device:chr_file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
+ allow recovery tee_device:chr_file rw_file_perms;
+ allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+ allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+ set_prop(recovery, boottime_prop)
+')
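Review bot: The `# OTA` comment added above `type sda_block_device, dev_type;` in vendor/device.te does not say which domain is expected to use the type, and no rule in this patch, including the new vendor/recovery.te, references it. The matching vendor/file_contexts hunk applies the label to the whole-disk node `/dev/block/sda` rather than to a by-name partition like the neighbouring entries, so any allow rule written against this type reaches every partition on that device. I would make that explicit at the declaration, for example `# Whole-disk node /dev/block/sda, used for OTA; keep access limited to the domains that apply updates`. Which domains actually hold rules on the type cannot be seen from these hunks.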
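Review bot: The rules in the new vendor/recovery.te carry no comments or bug references, although three of them give recovery `rw_file_perms` on `citadel_device`, `st54spi_device` (described in vendor/device.te as the SecureElement SPI device) and `tee_device`. The commit message offers only "adb sideload and no avc error" as evidence, so a reader cannot tell which recovery operation needs each grant or whether write access, as opposed to `r_file_perms`, was actually seen in a denial. I would add a short comment per group, e.g. `# b/264490092: <recovery operation> needs the secure element and TEE nodes` (placeholder for the author to fill in), and would ask the same question of the write half of `sysfs_ota:file rw_file_perms`. The `recovery_only` wrapper does keep all of these grants out of the normal-boot policy, which is the right scope for them.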