authorLinux Build Service Account <lnxbuild@localhost>2014-11-13 13:02:24 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2014-11-13 13:02:24 -0800
commitcd0c25f4838480fc3e6ecfd88c6658195b548423 (patch)
tree80f86a1a3349f74c181d66351f020ddfe22478b5 /common
parent512910fa2637a41d9d83992cc666351722fe1dea (diff)
parentb73cff1f7b83add4a815fb2d768194c3174d56c1 (diff)
Merge "Seandroid: Adding context for rfs access"
Diffstat (limited to 'common')
-rwxr-xr-xcommon/file_contexts1
-rw-r--r--common/rfs_access.te3
2 files changed, 4 insertions, 0 deletions
diff --git a/common/file_contexts b/common/file_contexts
index 740645e2..db692247 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -116,6 +116,7 @@
/system/rfs.* u:object_r:rfs_system_file:s0
/system/bin/time_daemon u:object_r:time_daemon_exec:s0
/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
+/system/bin/rfs_access u:object_r:rfs_access_exec:s0
/system/bin/hvdcp u:object_r:hvdcp_exec:s0
/system/bin/qseecomd u:object_r:tee_exec:s0
/system/bin/hostapd_cli u:object_r:hostapd_exec:s0
diff --git a/common/rfs_access.te b/common/rfs_access.te
index 129ffa3b..ec946c27 100644
--- a/common/rfs_access.te
+++ b/common/rfs_access.te
@@ -38,3 +38,6 @@ allow rfs_access firmware_file:file { open read getattr };
#Prevent other domains from accessing RFS data files.
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name };
neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr };
+
+allow rfs_access self:capability { setuid setpcap net_raw };
+allow rfs_access smem_log_device:chr_file rw_file_perms;
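Review bot: The two added allow rules at the end of common/rfs_access.te carry no comment saying why rfs_access needs them, and `net_raw` in particular is not explained by the commit title, which only mentions adding a context. `setuid` and `setpcap` look like the usual pair for a daemon that starts as root and then drops its uid and capabilities, but that is inferred from the rule alone; `net_raw` permits raw and packet sockets and should stay only if a matching audit denial shows the daemon needs it. I would put a comment such as `# setuid/setpcap: drop root and trim capabilities at startup; net_raw: <reason, to be confirmed>` above the capability rule. For `smem_log_device`, `rw_file_perms` also grants write and append, so `r_file_perms` would be the tighter grant if the daemon only reads the device. The rest of the policy file lies outside this hunk, so earlier rules may already account for part of this.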