authorNikhilesh Reddy <reddyn@codeaurora.org>2016-09-19 15:18:27 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2016-09-19 15:32:27 -0700
commit0f2093fa6c7b750477f7aa10266cc11e26a2dc37 (patch)
treeffbb4c559e0bd4dfb1a22271a7d85c9b90b38409
parent091a8c099755e2c18dbae30c3431041eb04304f3 (diff)
sepolicy: Update rmt_storage and rfs_access
Update the rmt_storage and rfs_access policy to add: 1) Write perms to the kmsg device 2) Capability net_bind_service CRs-Fixed: 1068549 Change-Id: I3d107cf871645383d0f7de548f0d55515dd7240e
-rw-r--r--common/rfs_access.te4
-rw-r--r--common/rmt_storage.te4
2 files changed, 8 insertions, 0 deletions
diff --git a/common/rfs_access.te b/common/rfs_access.te
index 69c14e65..318fffc1 100644
--- a/common/rfs_access.te
+++ b/common/rfs_access.te
@@ -53,6 +53,7 @@ allow rfs_access self:capability {
setuid
setgid
setpcap
+ net_bind_service
net_raw
};
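Review bot: The added `net_bind_service` entry in the `rfs_access self:capability` set carries no justification; neither the commit message nor the policy says which bind() call produced the denial. The capability allows binding privileged (below 1024) ports, and it joins a set that already holds `setuid`, `setgid`, `setpcap` and `net_raw`, so each addition widens what a compromised daemon could do. I would put a comment next to the entry, e.g. `# net_bind_service: bind() on <socket family/port - fill in from the avc denial>`, and confirm the denial cannot be avoided by changing what the daemon binds to. The same point applies to the `net_bind_service` line added to `rmt_storage self:capability` in common/rmt_storage.te. The capability block begins outside this hunk.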
@@ -62,6 +63,9 @@ allow rfs_access self:capability {
allow rfs_access self:capability { dac_read_search chown dac_override };
+#For access to the kmsg device
+allow rfs_access kmsg_device:chr_file w_file_perms;
+
#Prevent other domains from accessing RFS data files.
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms;
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;
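Review bot: The comment `#For access to the kmsg device` restates the rule instead of explaining why `rfs_access` needs it. Anything written to `kmsg_device` ends up in the kernel log buffer, so `w_file_perms` here lets this domain add or flood entries that debugging and incident response depend on. If the daemon only needs to emit log lines, check whether logging through logd would be enough; if it has to log before logd is available, say so in the comment, e.g. `# Write to the kernel log; needed because <reason - fill in>`. The identical rule and comment added for `rmt_storage` in common/rmt_storage.te should get the same treatment.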
diff --git a/common/rmt_storage.te b/common/rmt_storage.te
index 6b43ae07..f043becc 100644
--- a/common/rmt_storage.te
+++ b/common/rmt_storage.te
@@ -18,6 +18,7 @@ allow rmt_storage self:capability {
setgid
sys_admin
dac_override
+ net_bind_service
net_raw
setpcap
};
@@ -32,6 +33,9 @@ wakelock_use(rmt_storage)
allow rmt_storage self:socket create_socket_perms;
allow rmt_storage uio_device:chr_file rw_file_perms;
+#For access to the kmsg device
+allow rmt_storage kmsg_device:chr_file w_file_perms;
+
#debugfs access
userdebug_or_eng(`
typeattribute rmt_storage qti_debugfs_domain;